How to display IP of ssh user in message?

Ryan Golhar golharam at umdnj.edu
Tue May 3 20:27:23 UTC 2005


We get attacks nightly.  Last night, there were 500+ attempted logins to
root through ssh.  All from the same IP address.

The warning banner doesn't do much good...I could call theplanet.com but
then I'd be calling different ISPs almost daily because of the attacks.

Ideally, I would like the machines to automatically block the IP address
of the attacker after say 5 failed attempts...

Ryan


-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Smith, Albert
Sent: Wednesday, April 27, 2005 2:18 PM
To: General Red Hat Linux discussion list
Subject: RE: How to display IP of ssh user in message?


If they never are able to successfully login then it won't matter if you
display it in a banner page as they already know that IP addresses are
logged in the btmp and the wtmp logs.

Here are things to do from a liability standpoint:

1 - Have a warning banner enabled at login. It is very easy to do and I
have attached one. Just put it in /etc and name it issue and make sure it
has permission 444 set.

2 - Make sure /var/log/btmp exists; if not, create the file. Whenever a
failed attempt happens, either by local, ssh or whatever connection, just
do a lastb and it logs it by id, IP address and date/time.

3 - Continue to call theplanet.com on the number listed on their website;
if they fail to respond, I would contact your local police if you believe
this to be a hacker attempt.


Albert Smith
Sr. Unix Systems Administrator
HPCSA, RHCT
Genex Services
440 E. Swedesford Rd.
Wayne, PA 19087
albert.smith at genexservices.com
(610) 964-5154
 

> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Burke, Thomas G.
> Sent: Wednesday, April 27, 2005 11:39 AM
> To: golharam at umdnj.edu; General Red Hat Linux discussion list
> Subject: RE: How to display IP of ssh user in message?
> 
> Probably won't matter, as most of them are scripts...
>  
>     -Tom
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]On Behalf Of Ryan Golhar
> Sent: Friday, April 15, 2005 11:28 AM
> To: Burke, Thomas G.; 'General Red Hat Linux discussion list'
> Subject: RE: How to display IP of ssh user in message?
> 
> 
> 
> My message might have been a bit confusing.  When a user logs
> in via ssh, a message can be displayed.  I forget what file 
> this is in.  I want to add their IP address to the message so 
> they know that we know where they are coming from...  
>   
>   
>   
> -----Original Message-----
> From: Burke, Thomas G. [ mailto:tg.burke at ngc.com] 
> Sent: Friday, April 15, 2005 11:15 AM 
> To: golharam at umdnj.edu; General Red Hat Linux discussion list 
> Subject: RE: How to display IP of ssh user in message? 
> 
> 
> 
> This data shows up in one of the other logs - not sure which
> off the top 
> of my head, tho. 
>   
>     -Tom
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [ mailto:redhat-list-bounces at redhat.com]On Behalf Of Ryan Golhar 
> Sent: Friday, April 15, 2005 11:02 AM 
> To: 'General Red Hat Linux discussion list' 
> Subject: How to display IP of ssh user in message? 
> 
> 
> 
> Hi all,
> 
> I notice in our logs that we get a large amount of failed attempts to
> log in.  Short of blocking these domains using iptables, I was wondering
> if there is a way to display the IP address of the user logging in, in a
> message so they know we have their IP address?
> 
> sshd: 
>    Invalid Users: 
>       Unknown Account: 602 Time(s) 
>    Authentication Failures: 
>       xfs (138.67-18-71.reverse.theplanet.com ): 1 Time(s) 
>       root (nitrogen.umdnj.edu ): 1 Time(s) 
>       root (138.67-18-71.reverse.theplanet.com ): 1 Time(s) 
>       unknown (138.67-18-71.reverse.theplanet.com ): 595 Time(s) 
>       unknown (218.153.147.92 ): 6 Time(s) 
>       daemon (138.67-18-71.reverse.theplanet.com ): 1 Time(s) 
>       root (218.153.147.92 ): 3 Time(s) 
>       rpc (138.67-18-71.reverse.theplanet.com ): 1 Time(s) 
>       unknown (10.136.16.244 ): 1 Time(s) 
>       smmsp (138.67-18-71.reverse.theplanet.com ): 1 Time(s)
> 
> 
> 
> --
> redhat-list mailing list 
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe 
> https://www.redhat.com/mailman/listinfo/redhat-list 
> 
> 
> 
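An added example, written for this page and not taken from any poster in the thread: a POSIX shell script that does what Ryan asks for above, counting sshd's "Failed password for ... from <ip>" syslog lines per source address (on Red Hat these land in /var/log/secure) and printing an iptables rule for every address at or above a threshold. The hostname, the log lines and the addresses (RFC 5737 documentation ranges) are constructed for the example, and the allowlist is an assumption; the script is mine, not Red Hat's or the list's.

```shell
#!/bin/sh
# Added example (not from the thread): block SSH brute-forcers after N failures.
# Reads sshd syslog lines from stdin, counts "Failed password for ... from <ip>"
# per source address, and prints one iptables rule per address that reached
# THRESHOLD. Nothing here runs iptables itself; review the output, then pipe
# it to sh as root. Pre-auth "Illegal user X from <ip>" lines are not counted
# separately because sshd follows each with a "Failed password for illegal user"
# line, which is what we count.

THRESHOLD=5                  # failures before an address is blocked
ALLOW="127.0.0.1 192.0.2.50" # assumed allowlist: your own hosts, never blocked

# Constructed sample input in the OpenSSH 3.x syslog wording of the period.
# Hostname and addresses are made up; the "::ffff:" prefix is how sshd of that
# era logged IPv4 clients accepted on an IPv6 socket, so the parser strips it.
SAMPLE_LOG='May  3 02:14:07 host1 sshd[2311]: Failed password for root from ::ffff:192.0.2.10 port 40112 ssh2
May  3 02:14:09 host1 sshd[2313]: Failed password for root from ::ffff:192.0.2.10 port 40113 ssh2
May  3 02:14:11 host1 sshd[2315]: Illegal user admin from ::ffff:192.0.2.10
May  3 02:14:11 host1 sshd[2315]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 40114 ssh2
May  3 02:14:13 host1 sshd[2317]: Failed password for illegal user test from ::ffff:192.0.2.10 port 40115 ssh2
May  3 02:14:15 host1 sshd[2319]: Failed password for daemon from ::ffff:192.0.2.10 port 40116 ssh2
May  3 02:14:17 host1 sshd[2321]: Failed password for rpc from 192.0.2.10 port 40117 ssh2
May  3 03:01:40 host1 sshd[2402]: Failed password for root from 198.51.100.7 port 51200 ssh2
May  3 03:01:44 host1 sshd[2404]: Failed password for root from 198.51.100.7 port 51201 ssh2
May  3 08:22:03 host1 sshd[2590]: Failed password for ryan from 192.0.2.50 port 33001 ssh2
May  3 08:22:07 host1 sshd[2592]: Failed password for ryan from 192.0.2.50 port 33002 ssh2
May  3 08:22:11 host1 sshd[2594]: Failed password for ryan from 192.0.2.50 port 33003 ssh2
May  3 08:22:15 host1 sshd[2596]: Failed password for ryan from 192.0.2.50 port 33004 ssh2
May  3 08:22:19 host1 sshd[2598]: Failed password for ryan from 192.0.2.50 port 33005 ssh2
May  3 08:23:10 host1 sshd[2600]: Accepted password for ryan from 192.0.2.50 port 33006 ssh2'

# Print "<count> <ip>" for each source address, most failures first.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") {
                    ip = $(i + 1)
                    sub(/^::ffff:/, "", ip)   # strip IPv4-mapped prefix
                    hits[ip]++
                    break
                }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Failure count for one address (0 if it never appears).
count_for() {
    failed_by_ip | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Addresses that reached THRESHOLD and are not on the allowlist.
offenders() {
    failed_by_ip | awk -v t="$THRESHOLD" -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        $1 >= t && !($2 in keep) { print $2 }'
}

# One iptables command per offender, to be reviewed and then run as root.
block_rules() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Usage: sh block-ssh.sh /var/log/secure   (no argument: run on the sample)
if [ "$#" -gt 0 ]; then
    block_rules < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | block_rules
fi
```

Run it from cron against /var/log/secure and pipe the output to sh as root to apply the rules. Three things to check before doing that: put your own addresses in ALLOW so a few mistyped passwords from your workstation don't lock you out; re-running the script re-inserts rules for addresses already blocked, so either rotate the log you feed it or grep `iptables -L INPUT -n` for the address first; and rules added this way vanish on reboot unless you save them (`service iptables save` on Red Hat). If sshd is configured to log hostnames rather than addresses, the "from" field will be a name and the rules will not apply cleanly, so read the raw log once before trusting the output.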