Hi Darren,

On Mon, Dec 01, 2008 at 03:35:37PM +1100, Darren Reed wrote:
> Over the weekend I was noticing that there were a lot of failed
> login attempts from particular IP addresses into my sshd and
> that got me thinking, why can't I easily have sshd work with
> ipfilter and block those IP addresses?
...
> Before I start hacking on code, is there some other area of
> Solaris's security that should be leveraged to do this?
>
> For example, are there any C2 audit events that collect
> information like this?

Yes, the sshd login auditing is there and could be helpful in your case. Either enable the "lo" class (audit_control(4)), or create your own class (audit_class(4)), reconfigure AUE_ssh to be a member of the new class (audit_event(4)) and reconfigure audit_control(4)/naflags to enable the sshd(1M) login events auditing.

[ snip ]

bash-3.2# grep flags /etc/security/audit_control
flags:lo
naflags:lo
bash-3.2#
bash-3.2# auditconfig -getaudit
audit id = jf206706(207706)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 6837,71168,tipo.Czech.Sun.COM(129.157.71.115)
audit session id = 588550784
bash-3.2#
bash-3.2# grep AUE_ssh /etc/security/audit_event
6172:AUE_ssh:login - ssh:lo
bash-3.2#

[ snip ]

[ snip - some audit records.. ]

cmd: auditreduce -m AUE_ssh <path_to_audit_trail> | praudit

header,79,2,login - ssh,,snare,2008-12-01 01:28:28.559 -08:00
subject,-1,-1,-1,-1,-1,25728,1572926826,6639 5632 tipo.Czech.Sun.COM
return,failure,Permission denied
zone,global
header,79,2,login - ssh,,snare,2008-12-01 01:28:51.666 -08:00
subject,jf206706,jf206706,staff,jf206706,staff,25737,427646915,13478 136704 tipo.Czech.Sun.COM
return,success,0
zone,global

[ snip ]

Note that the snippets above are from some older system with not-yet-resolved bugs like "6734620 sshd doesn't audit failed logins correctly.", etc.

/j.
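As an added example (not part of the thread or of Solaris), the `auditreduce -m AUE_ssh ... | praudit` text above can be reduced to a per-host failure count before anyone decides what, if anything, to feed into ipfilter. The record layout follows the praudit lines quoted in the mail; the host names, pids and session ids in the sample are constructed.

```python
from collections import Counter

# Constructed sample in the praudit(1M) record layout quoted in the mail;
# hosts, pids and session ids are made up, not taken from a real trail.
SAMPLE_PRAUDIT = """\
header,79,2,login - ssh,,host1,2008-12-01 01:28:28.559 -08:00
subject,-1,-1,-1,-1,-1,25728,1572926826,6639 5632 client1.example.net
return,failure,Permission denied
zone,global
header,79,2,login - ssh,,host1,2008-12-01 01:28:40.102 -08:00
subject,-1,-1,-1,-1,-1,25731,1572926901,6639 5632 client1.example.net
return,failure,Permission denied
zone,global
header,79,2,login - ssh,,host1,2008-12-01 01:28:51.666 -08:00
subject,alice,alice,staff,alice,staff,25737,427646915,13478 136704 client2.example.net
return,success,0
zone,global
"""

def parse_praudit(text):
    """One dict per audit record; a record starts at each 'header' token."""
    records, rec = [], None
    for line in text.splitlines():
        fields = line.split(",")
        if fields[0] == "header":
            # header,bytes,version,event-name,modifier,host,time
            rec = {"event": fields[3], "time": fields[6], "host": None, "status": None}
            records.append(rec)
        elif rec is None:
            continue  # stray lines before the first header
        elif fields[0] == "subject":
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid ; tid is "maj min host"
            rec["auid"] = fields[1]
            rec["host"] = fields[8].split()[-1]
        elif fields[0] == "return":
            rec["status"] = fields[1]  # "success" or "failure"
    return records

def failed_ssh_logins_per_host(records):
    """Count 'login - ssh' records that returned failure, keyed by terminal host."""
    return Counter(r["host"] for r in records
                   if r["event"] == "login - ssh" and r["status"] == "failure" and r["host"])

def noisy_hosts(counts, threshold):
    """Hosts whose failure count reached the threshold, for a human to review."""
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(failed_ssh_logins_per_host(parse_praudit(SAMPLE_PRAUDIT)).most_common())
```

On the older system the mail describes (bug 6734620), failed logins may be missing from the trail entirely, so an empty count is not evidence that nothing was tried.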