On Sun, Jun 24, 2012 at 12:45 PM, Peter M Abraham <[email protected]> wrote:
> Good day:
>
> This past weekend, we are seeing a lot of rule 5701 being triggered for SSH
> version gathering.
>
> Rule: 5701 fired (level 10) -> "Possible attack on the ssh
> server (or version gathering)."
>
> From doing some digging, I believe I can get the IP address of the attacker
> with the following console / SSH command:
>
> grep -B1 'Bad protocol' /var/log/secure
>
> Example output:
>
> grep -B1 'Bad protocol' /var/log/secure
> Jun 24 06:51:16 vps sshd[14930]: Connection from 14.42.237.139 port 3760
> Jun 24 06:51:16 vps sshd[14930]: Bad protocol version identification '\026\003' from UNKNOWN
> --
> Jun 24 12:33:56 vps sshd[26349]: Connection from 109.166.171.24 port 1853
> Jun 24 12:33:56 vps sshd[26349]: Bad protocol version identification '\026\003' from UNKNOWN
>
> What's the best way to translate this into a rule that, when rule 5701 is
> triggered, ossec would look at the same-timestamp line before it to get the
> IP address so ossec could block the IP?
>
> Thank you.
There's currently no way to do this. I would, however, look into your sshd configuration. The UNKNOWN should probably be an IP or hostname:

Jun 25 15:40:53 junction sshd[19245]: Bad protocol version identification 'GET / HTTP/1.0' from 27.151.126.28
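The correlation the question asks for, as an added example that is not part of this thread and not OSSEC code: a stand-alone Python script that reads sshd lines, and for every "Bad protocol version identification" event takes the address from the line's own "from" field when sshd filled it in (the form shown in the reply) and otherwise recovers it from the "Connection from" line logged earlier by the same sshd child. It matches on host plus sshd PID rather than on the timestamp, because several connections can land in the same second and `grep -B1` silently pairs the wrong lines when they interleave. The log lines are constructed for the example, modelled on the ones quoted above; the function and record-field names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the thread (not a real capture).
# The '\026\003' banner is octal for the bytes 0x16 0x03, the start of a TLS record
# header: a client talking TLS to port 22. The last line has no matching
# 'Connection from' line, to show the unresolved case.
SAMPLE_LOG = """\
Jun 24 06:51:16 vps sshd[14930]: Connection from 14.42.237.139 port 3760
Jun 24 06:51:16 vps sshd[14930]: Bad protocol version identification '\\026\\003' from UNKNOWN
Jun 24 06:52:01 vps sshd[14940]: Connection from 10.0.0.5 port 50112
Jun 24 06:52:03 vps sshd[14940]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Jun 24 12:33:56 vps sshd[26349]: Connection from 109.166.171.24 port 1853
Jun 24 12:33:56 vps sshd[26349]: Bad protocol version identification '\\026\\003' from UNKNOWN
Jun 25 15:40:53 junction sshd[19245]: Bad protocol version identification 'GET / HTTP/1.0' from 27.151.126.28
Jun 25 15:41:10 junction sshd[19300]: Bad protocol version identification 'SSH-9.9-probe' from UNKNOWN
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)")
BAD_RE = re.compile(
    r"^Bad protocol version identification '(?P<banner>.*)' from (?P<src>\S+)$"
)


def extract_bad_protocol_sources(log_text):
    """Return one record per 'Bad protocol version identification' line.

    Each record carries the source IP (or None when it could not be recovered)
    and how it was resolved: 'from-field' when sshd logged it on the line
    itself, 'pid-correlation' when taken from the preceding 'Connection from'
    line of the same host and sshd child PID.
    """
    pending = {}  # (host, pid) -> (ts, ip, port) from the latest 'Connection from'
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, pid, msg = m.group("ts", "host", "pid", "msg")
        key = (host, pid)

        c = CONN_RE.match(msg)
        if c:
            pending[key] = (ts, c.group("ip"), int(c.group("port")))
            continue

        b = BAD_RE.match(msg)
        if not b:
            continue

        # Consume the pending connection for this child so a reused PID
        # later in the log cannot be paired with stale data.
        conn = pending.pop(key, None)
        rec = {"ts": ts, "host": host, "pid": int(pid), "banner": b.group("banner"),
               "ip": None, "port": None, "resolved_by": None}
        if b.group("src") != "UNKNOWN":
            rec["ip"] = b.group("src")
            rec["resolved_by"] = "from-field"
        elif conn is not None:
            rec["ip"], rec["port"] = conn[1], conn[2]
            rec["resolved_by"] = "pid-correlation"
        events.append(rec)
    return events


def count_by_ip(events):
    """Number of bad-banner events per resolved source IP."""
    return Counter(e["ip"] for e in events if e["ip"])


def candidates_for_blocking(events, threshold=1):
    """Sorted list of IPs that produced at least `threshold` bad-banner events."""
    return sorted(ip for ip, n in count_by_ip(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = extract_bad_protocol_sources(SAMPLE_LOG)
    for e in evs:
        print(f"{e['ts']} {e['host']} pid={e['pid']} ip={e['ip']} "
              f"via={e['resolved_by']} banner={e['banner']!r}")
    print("block candidates:", candidates_for_blocking(evs, threshold=1))
```

Run it against a real file with `extract_bad_protocol_sources(open("/var/log/secure").read())`; the list returned by `candidates_for_blocking` is what you would hand to whatever blocking mechanism you use. Raise the threshold before blocking anything, and skip entries whose `resolved_by` is `None`: those are the cases where the grep approach would also have nothing to act on.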
