[TriLUG] Drop script kitties

Matt Flyer matt at noway2.thruhere.net
Tue Oct 11 05:56:55 EDT 2011


Fail2ban would be a good tool for this.  It will analyze the logs, and
actively block the IP of the offender for a period of time you specify.

On 10/11/2011 05:55 AM, Tarus Balog wrote:
> Gang:
>
> Lately I've noticed a lot of these, usually coming from Russia:
>
> pam_succeed_if(sshd:auth): error retrieving information about user silvia : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user rachel : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user carola : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user nagios : 1 time(s)
>
> Obviously hunting. Anyone know of a tool to temporarily block the IP making the attempt after x failures?
>
> In a similar vein, I get script kitties hunting for HTTP exploits:
>
>       /genindexpage.cgi?13687+Home+/../../../../ ... ./../etc/passwd: 1 Time(s)
>       /gotopage.cgi?13686+/../../../../../../../ ... ./../etc/passwd: 1 Time(s)
>       /hsx.cgi?show=../../../../../../../../../../../etc/passwd%00: 1 Time(s)
>       /ikonboard.cgi: 1 Time(s)
>       /index.cgi: 2 Time(s)
>
> and I'd like to do the same to them.
>
> -T
> _______________________________________________________________________
> Tarus BALOG, OpenNMS Maintainer             Main:   +1 919 533 0160
> The OpenNMS Group, Inc.                     Fax:    +1 773 345 3645
> Email: tarus at opennms.org                    URL: http://www.opennms.org
> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481  512B FECA 11D2 FD82 B45C
>
>
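
The ban-after-x-failures behaviour described in the reply, sketched as an added example (not part of the original message and not Fail2ban's own code). The parameter names mirror Fail2ban's `maxretry`, `findtime` and `bantime` jail options; the log lines and IP addresses are constructed, and raw access-log lines are assumed because the summary lines quoted above carry no source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache-style access-log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2011:05:40:01 -0400] "GET /hsx.cgi?show=../../../../etc/passwd%00 HTTP/1.1" 404 209
198.51.100.20 - - [11/Oct/2011:05:40:05 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [11/Oct/2011:05:40:09 -0400] "GET /gotopage.cgi?13686+/../../../../etc/passwd HTTP/1.1" 404 209
192.0.2.44 - - [11/Oct/2011:05:41:00 -0400] "GET /genindexpage.cgi?13687+Home+/../../../etc/passwd HTTP/1.1" 404 209
203.0.113.7 - - [11/Oct/2011:05:41:30 -0400] "GET /hsx.cgi?show=../../../etc/passwd%00 HTTP/1.1" 404 209
192.0.2.44 - - [11/Oct/2011:06:00:00 -0400] "GET /hsx.cgi?show=../../../etc/passwd%00 HTTP/1.1" 404 209
192.0.2.44 - - [11/Oct/2011:06:20:00 -0400] "GET /gotopage.cgi?1+/../../../etc/passwd HTTP/1.1" 404 209
"""

# Client IP, timestamp and request line of one access-log entry.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3}')
# Requests that look like the traversal probes quoted in the thread.
PROBE_RE = re.compile(r'(\.\./){2,}|etc/passwd', re.IGNORECASE)


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(hours=1)):
    """Return {ip: (ban_start, ban_end)} for IPs with maxretry probes inside findtime."""
    hits = defaultdict(deque)   # per-IP timestamps of recent probes
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["req"]):
            continue            # unparsable line or ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if ip in bans and ts < bans[ip][1]:
            continue            # still banned: a firewall rule would have dropped this
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()    # forget probes older than the sliding window
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} from {start.isoformat()} until {end.isoformat()}")
```

With the defaults only 203.0.113.7 is banned; 192.0.2.44 sends the same number of probes but spreads them over 39 minutes, so it stays under the threshold unless `findtime` is widened.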



