Re: Monitor OpenSSH server with Snort?
As far as I'm aware, Snort is unable to detect failed authentications due to the fact that all traffic is encrypted, so it is unable to check the content of any packets. Snort is only able to alert on, for example, any connections to the port or excessive connection attempts, depending on the rules you've set up.
The best way would be to use software that monitors the auth.log file for failed authentications.
Re: Monitor OpenSSH server with Snort?
I definitely think fail2ban or DenyHosts would be the ideal solution. I use DenyHosts; every time it blocks an IP it sends mail to one of my users. I have postfix/dovecot set up so I can check the system mail using any IMAP email client.
Code:
From nobody@localhost Mon Sep 08 06:47:15 2008
Envelope-to: root@localhost
Delivery-date: Mon, 08 Sep 2008 06:47:15 -0700
From: DenyHosts <nobody@localhost>
To: root@localhost
Subject: DenyHosts Report
Date: Mon, 08 Sep 2008 06:47:15 -0700
Added the following hosts to /etc/hosts.deny:
218.36.42.221 (218-36-42-221.rev.krline.net)
----------------------------------------------------------------------
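As an added example (not code from the thread, Snort, DenyHosts or fail2ban), the following script shows the approach both replies point at: it parses auth.log-style sshd lines for failed authentications, counts them per source address, and produces the kind of `sshd: <address>` entries DenyHosts appends to /etc/hosts.deny. The log lines are constructed samples in OpenSSH's syslog format; the threshold and file paths are assumptions.

```python
"""Count failed SSH logins per source address from auth.log-style lines and
build /etc/hosts.deny entries for addresses over a threshold.

Added example for this thread; it is not part of Snort, DenyHosts or
fail2ban. The log lines below are constructed samples in the OpenSSH
syslog format; the threshold and file paths are assumptions."""
import re
from collections import Counter
from typing import Iterable, List

# OpenSSH sshd logs one line per failed attempt; "invalid user" marks an
# account that does not exist. Matches both "Failed password" and
# "Failed publickey" and accepts IPv4 or IPv6 source addresses.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Sep  8 06:40:01 host sshd[2101]: Failed password for root from 203.0.113.10 port 51622 ssh2
Sep  8 06:40:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.10 port 51630 ssh2
Sep  8 06:40:05 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.10 port 51644 ssh2
Sep  8 06:40:09 host sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Sep  8 06:41:15 host sshd[2120]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Sep  8 06:41:20 host cron[2130]: (root) CMD (run-parts /etc/cron.hourly)
Sep  8 06:42:00 host sshd[2140]: Failed publickey for git from 2001:db8::5 port 55000 ssh2
"""


def count_failures(lines: Iterable[str]) -> Counter:
    """Return a Counter of failed sshd logins keyed by source address.
    Successful logins, other daemons and malformed lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(counts: Counter, threshold: int = 3) -> List[str]:
    """Build tcp_wrappers hosts.deny lines for addresses with at least
    `threshold` failures, in the form DenyHosts appends to /etc/hosts.deny.
    'sshd' is the daemon name tcp_wrappers uses for OpenSSH."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


def main() -> None:
    counts = count_failures(SAMPLE_AUTH_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:>20}  {n} failed attempt(s)")
    print("Would add to /etc/hosts.deny:")
    for entry in hosts_deny_entries(counts):
        print("  " + entry)


if __name__ == "__main__":
    main()
```

In practice this would be run against a tail of /var/log/auth.log rather than the embedded sample; the threshold is deliberately low here so the sample trips it. Note that a single address exceeding the threshold is the only condition checked, which is exactly why tools like fail2ban also expire bans after a time window, so a legitimate user who mistyped a password is not locked out indefinitely.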