Jay Kline wrote:
> 
> Ok, I know there are several applications out there that watch for port 
> scanning and the like, so maybe one of those can help out with this.  
> 
> One of the servers I maintain is a fairly high traffic web server. As a
> result, there are tons of "break-in" attempts.  These are hardly anything
> to be too worried about, but the security log tells me about them, mostly
> people trying to anonymous ftp in, or trying to ssh in as user anonymous
> (I don't even know WHY anyone would have that user as a system user in the
> first place).  Is there some way I can get an "instant" notification via
> email when someone tries to log in via ssh/ftp/etc (that logs to the
> security log) that ISN'T anonymous? For example, the other day, 2 IPs (in
> the same subnet, so presumably the same person) tried to FTP and ssh in
> close to 100 times with various user-names.  None of the usernames were
> correct, and even if the person did have one, we have a strong password
> rule and time delays on failed logins for everything, so it should take a
> few years before he gets close- but it would be nice to know the instant
> something like that happens so we can report it to the ISP faster, or take
> appropriate actions (like shutting down the service/blocking the IP if
> need be).
> 
> Any other tools/practices that you would recommend for this sort of scenario
> would also help, as this is not too uncommon an occurrence anymore. And
> before everyone yells to get off FTP and use SCP- that isn't an option.
> But users who have FTP access don't have accounts, and those with accounts
> don't use FTP, so it should be fine.
> 
> 
> Jay
> -- 
> Jay Kline
> list at slushpupie.com
> http://www.slushpupie.com

Yeah, there is a way to tell which account is accessed..


1- use tcpwrappers

   NOTE that if you're using ssh, this also means that you need to configure
   ssh to use TCP wrappers when you build it.  Basically, this means
   that when you go to build ssh from source, you need to run "configure"
   with the "--with-libwrap" option set, but it also means doing some other
   stuff, so read the ssh documentation first.

2- Your /etc/hosts.allow should look something like:
   > #
   > # hosts.allow   This file describes the names of the hosts which are
   > #               allowed to use the local INET services, as decided by
   > #               the '/usr/sbin/tcpd' server.
   > #
   > # Option syntax as in hosts_options(5): "spawn (command) &".  Expansions:
   > # %a client address, %c client info, %h client host name, %n client host
   > # name or "unknown", %d daemon name, %p daemon pid, %u ident user name.
   > ALL: LOCAL : banners /etc/banners/allow : spawn (/etc/hosts.msg connection allowed %a %c %h %n %d %p %u) &
   > 
   > # End of hosts.allow.

3- Your /etc/hosts.deny should look something like:
   > # hosts.deny    This file describes the names of the hosts which are
   > #               *not* allowed to use the local INET services, as decided
   > #               by the '/usr/sbin/tcpd' server.
   > #
   > # Same option syntax as hosts.allow; tcpd consults hosts.allow first.
   > ALL: ALL : banners /etc/banners/deny : spawn (/etc/hosts.msg connection denied %a %c %h %n %d %p %u) &
   > # End of hosts.deny.

4- The script /etc/hosts.msg (which you need to write) can then do stuff
   based on the values of "connection {denied,allowed}" and the value of the
   %u parameter.  "%u" is the userid, or if the userid can't be
   resolved/isn't given, it'll contain the word "unknown".

As an example of what you can do with /etc/hosts.msg, a part of the one I
use contains:
   > #!/bin/sh
   > # Invoked by tcpd as: hosts.msg connection {allowed,denied} %a %c %h %n %d %p %u
   > # so $3 is the client address (%a) and $9 the ident user name (%u).
   > mkdir -p /tmp/connections
   > echo "`date +'%b %d %T'` $*" >> /tmp/connections/$3
   > /usr/X11/bin/xmessage -geom 800x102+2+2 -display :1.0 "`date +'%b %d %T'` $*" > /dev/null 2>&1  &
   > /bin/echo "Alarm: $*" | /bin/mail -n -s "security alert" root@localhost > /dev/null 2>&1
   > /usr/bin/play /usr/lib/sounds/siren.wav

Where:
   - the /tmp/connections/* files track connection history by ip address,
   - the xmessage is a pop-up on my main X screen,
   - the email goes to my "security-alerts" file (via procmail), and
   - the siren.wav file gets my attention (especially if it goes off 20 times
     in 5 seconds ;-)

BTW: if you want to give any particular IP address the "death penalty", just have
/etc/hosts.msg add the IP address to the bottom of /etc/hosts.deny.  I.e.: to
kill off further contact with 111.222.333.444, append the line
   > ALL: 111.222.333.444
to the bottom of /etc/hosts.deny.


Hope this helps'idly,

-S
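A fuller /etc/hosts.msg that does what the steps above describe, as an added example: this is not S's script and not part of the original thread. It takes the same argument order as the spawn lines above (connection, allowed|denied, %a %c %h %n %d %p %u), keeps the per-address history under a root-only directory instead of /tmp, counts denied connections per address, and appends the "ALL: address" line to hosts.deny once a threshold is reached. The directory, file paths, threshold and mail recipient at the top are assumptions. The handler validates the address field itself before writing it anywhere, because it runs as root and its arguments come from whatever tcpd expanded. One caveat about the argument it receives: %u is the name returned by the client's identd (RFC 1413), if any, not the account name that was tried at the login prompt, so filtering on it does not answer the "which username was tried" question directly.

```shell
#!/bin/sh
# hosts.msg: tcp_wrappers "spawn" handler (added example, not the list poster's script).
# Called from hosts.allow / hosts.deny as
#   spawn (/etc/hosts.msg connection allowed %a %c %h %n %d %p %u) &
#   spawn (/etc/hosts.msg connection denied  %a %c %h %n %d %p %u) &
# so $1=connection $2=allowed|denied $3=%a (client address) $4=%c $5=%h $6=%n
#    $7=%d (daemon) $8=%p (daemon pid) $9=%u (ident user name, or "unknown").
# %u comes from the client's identd (RFC 1413), not from the login prompt.

# Assumed settings (not from the original post); override via the environment.
STATE_DIR="${HOSTS_MSG_STATE:-/var/lib/hosts.msg}"  # root-only history dir, not /tmp
DENY_FILE="${HOSTS_MSG_DENY:-/etc/hosts.deny}"
THRESHOLD="${HOSTS_MSG_THRESHOLD:-20}"              # denied connections before auto-ban
MAIL_TO="${HOSTS_MSG_MAILTO:-root}"                 # empty string disables mail

# is_ipv4 ADDR: true only for a dotted quad with octets 0-255.  Only an
# address that passes this check is ever written into hosts.deny.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# record VERDICT IP DAEMON USER: append one "time|verdict|daemon|user" line to IP's history.
record() {
  mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
  printf '%s|%s|%s|%s\n' "$(date +'%b %d %T')" "$1" "$3" "$4" >> "$STATE_DIR/$2"
}

# denied_count IP: number of denied connections recorded for IP (0 if none).
denied_count() {
  f="$STATE_DIR/$1"
  [ -f "$f" ] || { echo 0; return 0; }
  awk -F'|' '$2 == "denied" { n++ } END { print n + 0 }' "$f"
}

# alert MESSAGE: append to the alert log; mail it when MAIL_TO is set and mail(1) exists.
alert() {
  mkdir -p "$STATE_DIR" 2>/dev/null
  msg="$(date +'%b %d %T') $*"
  printf '%s\n' "$msg" >> "$STATE_DIR/alerts.log"
  if [ -n "$MAIL_TO" ] && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$msg" | mail -s "security alert" "$MAIL_TO" >/dev/null 2>&1 || true
  fi
}

# ban IP: append "ALL: IP" to hosts.deny (the "death penalty").  Returns 0 when
# the line was added, 2 when it was already there, 1 for a bad address.
# tcpd reads hosts.allow first, so an address matched by an allow rule is
# never reached by this line.  Two handlers racing can at worst add a
# duplicate line, which is harmless.
ban() {
  is_ipv4 "$1" || return 1
  grep -qxF "ALL: $1" "$DENY_FILE" 2>/dev/null && return 2
  printf 'ALL: %s\n' "$1" >> "$DENY_FILE"
}

# handle connection VERDICT %a %c %h %n %d %p %u: the entry point tcpd spawns.
# Prints the action taken (allowed, denied or banned); returns 1 on a bad address.
handle() {
  verdict=$2 ip=$3 daemon=$7 user=$9
  if ! is_ipv4 "$ip"; then
    alert "rejected malformed client address field: $ip"
    return 1
  fi
  record "$verdict" "$ip" "$daemon" "$user"
  if [ "$verdict" != denied ]; then
    echo allowed
    return 0
  fi
  n=$(denied_count "$ip")
  alert "$n denied connection(s) from $ip to $daemon (ident user: $user)"
  if [ "$n" -ge "$THRESHOLD" ]; then
    if ban "$ip"; then alert "banned $ip in $DENY_FILE"; fi
    echo banned
  else
    echo denied
  fi
}

# Run the handler only when invoked by tcpd with the expected first argument.
case "${1:-}" in connection) handle "$@" ;; esac
```

Install it root-owned and executable (mode 0700) and point both spawn lines at it; the threshold is per address over the whole history file, so clear or rotate $STATE_DIR when you want a fresh count. Note that the address 111.222.333.444 used in the "death penalty" example above is rejected by is_ipv4, since two of its octets exceed 255.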