comparison maltfilter @ 76:4769aad8bd14
Root password bruteforcing check was not always working, fixed.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Thu, 27 Aug 2009 21:35:59 +0300 |
parents | e8fbe7cd65a7 |
children | 9095db0fad8f |
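--- a/maltfilter
+++ b/maltfilter
@@ -10,11 +10,11 @@
 use Date::Parse;
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
 
-my $progversion = "0.17.1";
+my $progversion = "0.17.2";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 
@@ -87,15 +87,15 @@
 # (1.1) Generic login scan attempts
 if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
 check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"});
 }
 # (1.2) Root account SSH login password bruteforcing attempts.
-elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
+elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
 check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"});
 }
 # (1.3) System account SSH login password bruteforcing attempts.
-if ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
+elsif ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
 my $mip = $2; my $macct = $1;
 if (defined($systemacct{$macct})) {
 check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"});
 }
 }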
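Review bot: The (1.1), (1.2) and (1.3) sshd patterns capture only a dotted-quad source, `(\d+\.\d+\.\d+\.\d+)`, so a failed login that sshd logs with an IPv6 address matches none of them and is never handed to check_add_hit. If the daemon is meant to cover IPv6 listeners, capture the address more loosely and validate it with the already imported Net::IP; otherwise state the limit next to the block, e.g. `# NOTE: IPv4 sources only; IPv6 login failures are not counted`. Separately, now that check (1.3) is an `elsif`, a root failure is consumed by (1.2) and never reaches the `%systemacct` lookup, so root is counted only under `CHK_ROOT_SSH_PWD`. That looks intended, but it deserves a one-line comment above (1.3). The enclosing block starts and ends outside the visible lines, so how `$merr` is produced and what check_add_hit does with the last argument cannot be confirmed from here.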