Mercurial > hg > maltfilter
comparison maltfilter @ 76:4769aad8bd14
Root password bruteforcing check was not always working, fixed.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Thu, 27 Aug 2009 21:35:59 +0300 |
| parents | e8fbe7cd65a7 |
| children | 9095db0fad8f |
comparison
equal
deleted
inserted
replaced
| 75:6f3d53ea4245 | 76:4769aad8bd14 |
|---|---|
| 10 use Date::Parse; | 10 use Date::Parse; |
| 11 use Net::IP; | 11 use Net::IP; |
| 12 use Net::DNS; | 12 use Net::DNS; |
| 13 use LWP::UserAgent; | 13 use LWP::UserAgent; |
| 14 | 14 |
| 15 my $progversion = "0.17.1"; | 15 my $progversion = "0.17.2"; |
| 16 my $progbanner = | 16 my $progbanner = |
| 17 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". | 17 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". |
| 18 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". | 18 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
| 19 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; | 19 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
| 20 | 20 |
| 87 # (1.1) Generic login scan attempts | 87 # (1.1) Generic login scan attempts |
| 88 if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) { | 88 if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) { |
| 89 check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"}); | 89 check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"}); |
| 90 } | 90 } |
| 91 # (1.2) Root account SSH login password bruteforcing attempts. | 91 # (1.2) Root account SSH login password bruteforcing attempts. |
| 92 elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { | 92 elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { |
| 93 check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"}); | 93 check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"}); |
| 94 } | 94 } |
| 95 # (1.3) System account SSH login password bruteforcing attempts. | 95 # (1.3) System account SSH login password bruteforcing attempts. |
| 96 if ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) { | 96 elsif ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) { |
| 97 my $mip = $2; my $macct = $1; | 97 my $mip = $2; my $macct = $1; |
| 98 if (defined($systemacct{$macct})) { | 98 if (defined($systemacct{$macct})) { |
| 99 check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"}); | 99 check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"}); |
| 100 } | 100 } |
| 101 } | 101 } |