Page 2 of 2 (results 11 to 12 of 12)

Thread: Monitor OpenSSH server with Snort?

  1. #11
    Join Date
    Sep 2008
    Beans
    1

    Re: Monitor OpenSSH server with Snort?

    As far as I'm aware, Snort is unable to detect failed authentications, because all traffic is encrypted, so it is unable to check the content of any packets. Snort is only able to alert on, for example, any connections to the port or excessive connection attempts, depending on the rules you've set up.

    The best way would be to use software that monitors the auth.log file for failed authentications.

  2. #12
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,899
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Monitor OpenSSH server with Snort?

    I definitely think fail2ban or denyhosts would be the ideal solution. I use denyhosts; every time it blocks an IP it sends mail to one of my users. I have postfix/dovecot set up so I can check the system mail using any IMAP email client.

    Code:
    From nobody@localhost Mon Sep 08 06:47:15 2008
    Envelope-to: root@localhost
    Delivery-date: Mon, 08 Sep 2008 06:47:15 -0700
    From: DenyHosts <nobody@localhost>
    To: root@localhost
    Subject: DenyHosts Report
    Date: Mon, 08 Sep 2008 06:47:15 -0700
    
    Added the following hosts to /etc/hosts.deny:
    
    218.36.42.221 (218-36-42-221.rev.krline.net)
    
    ----------------------------------------------------------------------
    Last edited by jerome1232; September 8th, 2008 at 06:45 PM.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."
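The two replies above come down to the same point: the SSH session itself is opaque to a network sensor, so failed logins have to be picked out of sshd's own records in auth.log, which is what fail2ban and DenyHosts do before writing an entry to /etc/hosts.deny and mailing a report like the one quoted. The script below is an added example written for this page, not code from either poster or from the DenyHosts project. It assumes the usual sshd syslog format ("Failed password for ... from <ip>"), a constructed set of auth.log lines, a threshold of three failures, and the tcp_wrappers "sshd: <ip>" form for hosts.deny entries; it only renders the entries and report text, it does not touch /etc/hosts.deny.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the thread). The format
# mirrors what OpenSSH's sshd writes via syslog for rejected password logins.
SAMPLE_AUTH_LOG = """\
Sep  8 06:40:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep  8 06:40:03 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep  8 06:40:05 host sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep  8 06:40:09 host sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep  8 06:41:12 host sshd[2210]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Sep  8 06:41:20 host sshd[2210]: Accepted password for alice from 198.51.100.23 port 40022 ssh2
Sep  8 06:42:00 host sshd[2215]: Invalid user oracle from 203.0.113.7
Sep  8 06:43:30 host sshd[2220]: Failed password for bob from 192.0.2.44 port 33000 ssh2
"""

# Matches both "Failed password for root from <ip>" and
# "Failed password for invalid user admin from <ip>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_to_deny(counts, threshold=3):
    """Source IPs whose failure count reached the (assumed) threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hosts_deny_lines(ips):
    """Render tcp_wrappers-style /etc/hosts.deny entries restricting sshd."""
    return [f"sshd: {ip}" for ip in ips]


def report(log_text, threshold=3):
    """Build a DenyHosts-style plain-text report of the hosts that would be blocked."""
    counts = count_failures(log_text)
    ips = hosts_to_deny(counts, threshold)
    lines = ["Added the following hosts to /etc/hosts.deny:", ""]
    lines += [f"{ip} ({counts[ip]} failed attempts)" for ip in ips]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
    print()
    print("\n".join(hosts_deny_lines(hosts_to_deny(count_failures(SAMPLE_AUTH_LOG)))))
```

Only "Failed password" lines count toward the threshold; the "Invalid user" line for the same source is deliberately ignored, since sshd logs it before the password attempt that follows and counting both would double-count one try. In the sample, 203.0.113.7 reaches four failures and is the only host reported, while the user who mistyped once before succeeding is left alone.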

