Logsurfer+ configuration examples for detecting ssh brute force attacks
The following rule demonstrates how Logsurfer+ can be used to detect brute force attacks against an SSH server. The rules can be adapted to detect similar attacks against other services.
Logsurfer+ v1.6 or higher is required for these rules.
#
# detect ssh brute force
#
# It's a little cryptic, but here 1800 is the absolute timeout from the
# time of the first message occurring, 600 is the relative timeout between
# messages and 10 is the minimum number of lines which are needed
# to trigger the action (mailx in this case). The Email message sent
# will include the collected log messages.
# This has the advantage that it can watch the syslog server which
# collects logs from any number of hosts, and the thresholds can be tuned
# to your needs. Note that you should avoid using mailx in this case since
# it interprets escape sequences in its input stream, which here consists of
# the collected log lines. Use the start-mail script which is included in
# the Logsurfer package.
#
' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)' - - - 0
    open "$2 sshd\\[[0-9]*\\]: .* from $3" - 200 1800 600 10
    report "/bin/mailx -s \"Server $2 SSH Login attempts from $3\" admin@example.com" "$2 sshd\\[[0-9]*\\]: .* from $3"
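To see how the thresholds on the open line interact (1800 s absolute, 600 s relative, minimum 10 lines, and the 200 line limit), the following added example (not part of Logsurfer+ or this page) replays constructed syslog lines through a small emulation of the rule's open/report pair. It assumes a year for the syslog timestamps and that the triggering line is stored as the first line of its context.

```python
import re
from datetime import datetime

# Trigger regex taken from the rule above, plus the syslog timestamp prefix.
TRIGGER = re.compile(r' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)')
STAMP = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) ')

def _when(line):
    # Syslog timestamps carry no year; 2024 is assumed (constructed data).
    return datetime.strptime('2024 ' + STAMP.match(line).group(1), '%Y %b %d %H:%M:%S')

def detect(lines, abs_timeout=1800, rel_timeout=600, min_lines=10, limit=200):
    """Emulate the rule's open/report pair: one context per (host $2, source $3),
    closed after abs_timeout s from its first line, rel_timeout s of silence or
    `limit` lines; a closed context is reported only if it holds >= min_lines.
    Assumption: the triggering line is stored as the context's first line."""
    contexts, reports = {}, []
    def close(key):
        ctx = contexts.pop(key)
        if len(ctx['lines']) >= min_lines:
            reports.append(('Server %s SSH Login attempts from %s' % key, ctx['lines']))

    for line in sorted(lines, key=_when):
        now = _when(line)
        for key, ctx in list(contexts.items()):        # expire stale contexts
            if (now - ctx['first']).total_seconds() > abs_timeout or \
               (now - ctx['last']).total_seconds() > rel_timeout:
                close(key)
        for key, ctx in list(contexts.items()):        # feed open contexts
            if ctx['pattern'].search(line):
                ctx['lines'].append(line)
                ctx['last'] = now
                if len(ctx['lines']) >= limit:
                    close(key)
        m = TRIGGER.search(line)
        if m and m.groups() not in contexts:            # open a new context
            host, src = m.groups()
            pat = re.compile(r'%s sshd\[[0-9]*\]: .* from %s' % (re.escape(host), re.escape(src)))
            contexts[(host, src)] = {'pattern': pat, 'first': now, 'last': now, 'lines': [line]}
    for key in list(contexts):                          # end of input: flush
        close(key)
    return reports

# Constructed sample (not from the page): 12 attempts a minute apart from one
# source and 2 from another; only the first crosses the threshold of 10 lines.
SAMPLE = ['Mar 10 12:%02d:30 bastion sshd[41%02d]: Invalid user test%d from 203.0.113.5'
          % (i, i, i) for i in range(12)]
SAMPLE += ['Mar 10 12:05:10 bastion sshd[4200]: Invalid user root from 198.51.100.7',
           'Mar 10 12:07:40 bastion sshd[4201]: Invalid user admin from 198.51.100.7']
```

Lowering rel_timeout to 30 s makes every context expire before its second line arrives, so the same input produces no report; that is the knob to watch when tuning for slow, low-rate guessing.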