[TriLUG] Drop script kitties
Matt Flyer
matt at noway2.thruhere.net
Tue Oct 11 05:56:55 EDT 2011
Fail2ban would be a good tool for this. It will analyze the logs, and
actively block the IP of the offender for a period of time you specify.
On 10/11/2011 05:55 AM, Tarus Balog wrote:
> Gang:
>
> Lately I've noticed a lot of these, usually coming from Russia:
>
> pam_succeed_if(sshd:auth): error retrieving information about user silvia : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user rachel : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user carola : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user nagios : 1 time(s)
>
> Obviously hunting. Anyone know of a tool to temporarily block the IP making the attempt after x failures?
>
> In a similar vein, I get script kitties hunting for HTTP exploits:
>
> /genindexpage.cgi?13687+Home+/../../../../ ... ./../etc/passwd: 1 Time(s)
> /gotopage.cgi?13686+/../../../../../../../ ... ./../etc/passwd: 1 Time(s)
> /hsx.cgi?show=../../../../../../../../../../../etc/passwd%00: 1 Time(s)
> /ikonboard.cgi: 1 Time(s)
> /index.cgi: 2 Time(s)
>
> and I'd like to do the same to them.
>
> -T
> _______________________________________________________________________
> Tarus BALOG, OpenNMS Maintainer Main: +1 919 533 0160
> The OpenNMS Group, Inc. Fax: +1 773 345 3645
> Email: tarus at opennms.org URL: http://www.opennms.org
> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481 512B FECA 11D2 FD82 B45C
>
>
More information about the TriLUG
mailing list