The following rule shows how Logsurfer+ can detect brute-force attacks against an SSH server. The same pattern can be adapted to detect similar attacks against other services.
Logsurfer+ v1.6 or higher is required for this rule (the minimum-lines argument of the open action is not available in older versions).
#
# detect ssh brute force
#
# It's a little cryptic, but here 1800 is the absolute timeout from the
# time of the first message occurring, 600 is the relative timeout between
# messages and 10 is the minimum number of lines which are needed
# to trigger the action (mailx in this case). The email message sent
# will include the collected log messages.
# This has the advantage that it can watch the syslog server which
# collects logs from any number of hosts, and the thresholds can be tuned
# to your needs. Note that you should avoid using mailx in production,
# since it interprets tilde escape sequences in its input stream and the
# collected log lines are attacker-controlled. Use the start-mail script
# which is included in the Logsurfer package instead.
#
# $2 and $3 are the first and second parenthesised groups of the trigger
# regex (the logging host and the source address); $1 is the whole match.
# The rule spans three lines; continuation lines start with whitespace.
#
' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)' - - - 0
    open "$2 sshd\\[[0-9]*\\]: .* from $3" - 200 1800 600 10
    report "/bin/mailx -s \"Server $2 SSH Login attempts from $3\" admin@example.com" "$2 sshd\\[[0-9]*\\]: .* from $3"
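The interplay of the three thresholds is easiest to see by replaying them over log lines. The Python script below is an added example, not part of Logsurfer+ or of the rule above: it models the semantics the rule comment describes (an "Invalid user" line opens a context per host and source address, later sshd lines from that source are collected, the context closes on the absolute or relative timeout or the line limit, and the report fires only if at least ten lines were collected) and runs them over constructed syslog lines. The host names, addresses, usernames and PIDs are made up, and the assumption that the triggering line itself lands in the context is a simplification of Logsurfer's behaviour.

```python
"""Offline model of the Logsurfer+ SSH brute-force rule, replayed over
constructed syslog lines. Added example, not Logsurfer code."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Thresholds from the rule:  open ... 200 1800 600 10
LINE_LIMIT = 200    # lines a context may collect before it is closed
ABS_TIMEOUT = 1800  # seconds since the context was opened
REL_TIMEOUT = 600   # seconds since the last line was added to the context
MIN_LINES = 10      # collected lines needed for the close action (the report) to fire

# Trigger regex from the rule; group 1 is Logsurfer's $2 (host), group 2 is $3 (source).
TRIGGER = re.compile(r' ([^ ]+) sshd\[[0-9]*\]: Invalid user .* from ([^ ]+)')


def context_pattern(host, src):
    """Context regex from the rule's open action. The rule inserts $3 unescaped,
    so the dots of an IP address match any character there; re.escape() makes
    this model slightly stricter."""
    return re.compile(rf'{re.escape(host)} sshd\[[0-9]*\]: .* from {re.escape(src)}')


def syslog_time(line):
    """Seconds for the 'Mon DD HH:MM:SS' prefix of a syslog line. syslog stamps
    carry no year, so 1900-01-01 serves as a fixed epoch; only differences matter."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()


@dataclass
class Context:
    host: str
    src: str
    pattern: re.Pattern
    opened: float          # time of the line that opened the context
    last: float            # time of the last line collected
    lines: list = field(default_factory=list)


def detect(lines):
    """Replay syslog lines in order; return (host, src, collected_lines) for
    every context that closed with at least MIN_LINES lines."""
    contexts = {}   # (host, src) -> Context
    reports = []

    def close(key):
        ctx = contexts.pop(key)
        if len(ctx.lines) >= MIN_LINES:
            reports.append((ctx.host, ctx.src, ctx.lines))

    for line in lines:
        now = syslog_time(line)
        # Logsurfer expires contexts on a timer; checking on every line gives
        # the same result for an offline replay.
        for key, ctx in list(contexts.items()):
            if now - ctx.opened > ABS_TIMEOUT or now - ctx.last > REL_TIMEOUT:
                close(key)
        # Open contexts see the line first, then the rule is evaluated.
        for key, ctx in list(contexts.items()):
            if ctx.pattern.search(line):
                ctx.lines.append(line)
                ctx.last = now
                if len(ctx.lines) >= LINE_LIMIT:
                    close(key)
        m = TRIGGER.search(line)
        if m and (m.group(1), m.group(2)) not in contexts:
            host, src = m.group(1), m.group(2)
            ctx = Context(host, src, context_pattern(host, src), now, now)
            ctx.lines.append(line)   # assumption: the opening line is collected as well
            contexts[(host, src)] = ctx
    for key in list(contexts):       # end of input: flush what a real run would close on timeout
        close(key)
    return reports


def attempt(stamp, host, pid, user, src, port):
    """The two lines OpenSSH logs for one failed login with an unknown user (constructed)."""
    return [
        f"{stamp} {host} sshd[{pid}]: Invalid user {user} from {src} port {port}",
        f"{stamp} {host} sshd[{pid}]: Failed password for invalid user {user} from {src} port {port} ssh2",
    ]


# Constructed log: 203.0.113.7 hammers web1 (6 attempts, 12 lines, in under two
# minutes); 198.51.100.9 is one mistyped login; 192.0.2.5 tries every 15 minutes
# and so never survives the 600 s relative timeout with more than 2 lines.
SAMPLE_LOG = (
    attempt("Mar 12 10:00:00", "web1", 4101, "admin", "203.0.113.7", 50001)
    + attempt("Mar 12 10:00:05", "web1", 4102, "oracle", "192.0.2.5", 41000)
    + attempt("Mar 12 10:00:20", "web1", 4103, "root1", "203.0.113.7", 50002)
    + attempt("Mar 12 10:00:40", "web1", 4104, "test", "203.0.113.7", 50003)
    + attempt("Mar 12 10:01:00", "web1", 4105, "jsmtih", "198.51.100.9", 60200)
    + attempt("Mar 12 10:01:05", "web1", 4106, "ubuntu", "203.0.113.7", 50004)
    + attempt("Mar 12 10:01:25", "web1", 4107, "pi", "203.0.113.7", 50005)
    + attempt("Mar 12 10:01:45", "web1", 4108, "guest", "203.0.113.7", 50006)
    + attempt("Mar 12 10:15:05", "web1", 4109, "oracle", "192.0.2.5", 41001)
    + attempt("Mar 12 10:30:05", "web1", 4110, "oracle", "192.0.2.5", 41002)
)

if __name__ == "__main__":
    for host, src, collected in detect(SAMPLE_LOG):
        print(f"{host}: {len(collected)} sshd lines from {src}")
        print("\n".join(collected))
```

Only the burst from 203.0.113.7 is reported, and it is reported when the relative timeout closes its context at 10:15:05, not at the end of the input. Lowering MIN_LINES to 2 makes the slow attacker from 192.0.2.5 report on every attempt, which is the trade-off the comment's "tuned to your needs" refers to: the relative timeout bounds how slowly an attacker can go and still be grouped into one context, and the minimum line count bounds how much noise a single mistyped login generates.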