Koozali.org: home of the SME Server

secure log warnings

Alex Schaft
secure log warnings
« on: July 02, 2007, 07:05:54 PM »
Hi,

I have just noticed a variety of IP addresses trying to gain access to our staff mail server:

secure.20070522053155:May 22 08:55:58 mail proftpd[17729]: mail.quicksoftware.co.za (193.188.66.118[193.188.66.118]) - USER Administrator: no such user found from 193.188.66.118 [193.188.66.118] to 10.1.1.60:21
secure.20070522053155:May 22 08:56:04 mail proftpd[17729]: mail.quicksoftware.co.za (193.188.66.118[193.188.66.118]) - Maximum login attempts (3) exceeded


I compiled a list of these using

Code:

grep Maximum secure.200* | cut -f2 -d\( | cut -f1 -d\[ | sort -u


And fed a comma-concatenated version of that list (semi-manual, but that's a question for another list :)) into config ftp setprop DenyHosts

My question is whether there is a cron script out there which can check for these attacks and notify me, or even do it automatically with a notification.

Thanks,
Alex

Alex Schaft
FTP Hackers banned
« Reply #1 on: July 03, 2007, 11:22:42 AM »
Hi all,

I've managed to hack the following together in /etc/cron.daily

Code:

#!/bin/bash
# Collect the unique source addresses that exceeded proftpd's login-attempt limit;
# the regex is quoted so the shell cannot glob-expand the bracket expressions.
Hackers=$(grep -h Maximum /var/log/secure.20* | grep -o -E '[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+' | awk -F. '(($1 > 0) && ($1<256) && ($2<256) && ($3<256) && ($4<256))' | sort -u | xargs | sed 's/ /,/g')
# Stop here if nothing was found, so an empty list does not wipe DenyHosts.
[ -n "$Hackers" ] || exit 0
config setprop ftp DenyHosts "$Hackers"
signal-event remoteaccess-update
echo "Hosts FTP Access Killed: $Hackers"


I'm now looking for similar pop3 info. Any ideas on where to find pop3 info on login failures?

Alex
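As an added example (not Alex's script or SME Server code), a POSIX shell version of the same check: it reads proftpd lines from stdin, takes the address only from the client field before the `[`, validates each octet, and merges the result with an existing DenyHosts value so hosts that only appear in rotated-away logs stay banned. The log lines, the 198.51.100.7 and 999.1.1.1 entries and the pre-existing 203.0.113.9 ban are all constructed.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (two real-looking lockouts, one bogus address).
SAMPLE_LOG='May 22 08:55:58 mail proftpd[17729]: mail.quicksoftware.co.za (193.188.66.118[193.188.66.118]) - USER Administrator: no such user found from 193.188.66.118 [193.188.66.118] to 10.1.1.60:21
May 22 08:56:04 mail proftpd[17729]: mail.quicksoftware.co.za (193.188.66.118[193.188.66.118]) - Maximum login attempts (3) exceeded
May 22 09:10:11 mail proftpd[17801]: mail.quicksoftware.co.za (198.51.100.7[198.51.100.7]) - Maximum login attempts (3) exceeded
May 22 09:12:00 mail proftpd[17802]: mail.quicksoftware.co.za (999.1.1.1[999.1.1.1]) - Maximum login attempts (3) exceeded'

# Print the client address of every "Maximum login attempts" line.
# The address is the token between '(' and '[' in proftpd's client field, so only
# that field is read; the target address at the end of "USER ..." lines is ignored.
lockout_ips() {
  grep 'Maximum login attempts' | grep -o -E '\([0-9.]+\[' | tr -d '(['
}

# Keep only syntactically valid dotted quads: four fields, each 0-255, first non-zero.
valid_ipv4() {
  awk -F. 'NF == 4 && $1 > 0 && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256'
}

# Build the comma-separated DenyHosts value. $1 is the current DenyHosts list
# (comma-separated, may be empty); merging it keeps earlier bans when logs rotate.
deny_hosts_value() {
  existing="$1"
  { printf '%s\n' "$existing" | tr ',' '\n'; lockout_ips | valid_ipv4; } \
    | grep -v '^$' | sort -u | paste -sd, -
}

# Stand-alone demonstration against the constructed sample.
echo "$SAMPLE_LOG" | deny_hosts_value "203.0.113.9"
```

On a real server the call would be `cat /var/log/secure.20* | deny_hosts_value "$(config getprop ftp DenyHosts)"`, with the result passed to `config setprop ftp DenyHosts` and `signal-event remoteaccess-update` as in the script above.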