[TriLUG] Drop script kitties

David Black dave at jamsoft.com
Tue Oct 11 10:30:23 EDT 2011


DenyHosts will do this too, using TCP wrappers. They also have a shared, dynamic blacklist.

Dave

----- Original Message -----
> Gang:
> 
> Lately I've noticed a lot of these, usually coming from Russia:
> 
> pam_succeed_if(sshd:auth): error retrieving information about user
> silvia : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user
> rachel : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user
> carola : 1 time(s)
> pam_succeed_if(sshd:auth): error retrieving information about user
> nagios : 1 time(s)
> 
> Obviously hunting. Anyone know of a tool to temporarily block the IP
> making the attempt after x failures?
> 
> In a similar vein, I get script kitties hunting for HTTP exploits:
> 
>       /genindexpage.cgi?13687+Home+/../../../../ ... ./../etc/passwd:
>       1 Time(s)
>       /gotopage.cgi?13686+/../../../../../../../ ... ./../etc/passwd:
>       1 Time(s)
>       /hsx.cgi?show=../../../../../../../../../../../etc/passwd%00: 1
>       Time(s)
>       /ikonboard.cgi: 1 Time(s)
>       /index.cgi: 2 Time(s)
> 
> and I'd like to do the same to them.
> 
> -T
> _______________________________________________________________________
> Tarus BALOG, OpenNMS Maintainer             Main:   +1 919 533 0160
> The OpenNMS Group, Inc.                     Fax:    +1 773 345 3645
> Email: tarus at opennms.org                    URL:
> http://www.opennms.org
> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481  512B FECA 11D2 FD82
> B45C
> 
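The approach discussed in this thread (count failed sshd logins per source address, then deny the address through TCP wrappers) can be shown in a few lines of Python. This is an added example, not part of the original messages and not DenyHosts' own code. The log lines are constructed, and the function name and the threshold, window and year defaults are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored on the end of the line and greedy in the username field, so text
# inside the (client-supplied) username cannot be read as the source address.
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample auth log (documentation addresses, usernames from the post).
SAMPLE = """\
Oct 11 10:01:02 web1 sshd[2101]: Failed password for invalid user silvia from 203.0.113.5 port 40112 ssh2
Oct 11 10:01:09 web1 sshd[2103]: Failed password for invalid user rachel from 203.0.113.5 port 40120 ssh2
Oct 11 10:01:15 web1 sshd[2105]: Failed password for invalid user carola from 203.0.113.5 port 40131 ssh2
Oct 11 10:02:00 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 11 10:30:00 web1 sshd[2190]: Failed password for alice from 198.51.100.7 port 51044 ssh2
Oct 11 10:59:00 web1 sshd[2250]: Failed password for alice from 198.51.100.7 port 51090 ssh2
""".splitlines()


def hosts_deny_entries(lines, threshold=3, window=timedelta(minutes=10), year=2011):
    """Return hosts.deny lines for IPs with >= threshold failures inside window.

    Assumes lines are in chronological order; syslog omits the year, so it is
    passed in (hypothetical default).
    """
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = []                 # kept in the order the threshold was crossed
    for line in lines:
        m = SSH_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in blocked:
            blocked.append(m["ip"])
    return [f"sshd: {ip}" for ip in blocked]  # TCP wrappers "daemon: client" form


if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(SAMPLE)))
```

The returned lines only take effect where sshd is built with TCP wrappers (libwrap) support. The slow, spread-out failures from the second address stay under the threshold because they never fall inside one window.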


