From: Anatoliy Lisjutin <SilverFox@rgantd.ru>
Organization: RGANTD
To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
Date: Fri, 10 Mar 2006 11:13:04 +0300
Subject: Re: [Sysadmins] Snort rules
In-Reply-To: <20060309103547.3ccc04af@shadow.orionagro.com.ua>
References: <20060308120445.2E41A5492@smtp.umc.ua> <20060309103547.3ccc04af@shadow.orionagro.com.ua>
Message-Id: <200603101113.04480.SilverFox@rgantd.ru>

Hello!
On Thursday 09 March 2006 11:35, Dmitriy L. Kruglikov wrote:
> On Wed, 08 Mar 2006 19:49:48 +0700
> I would like to write rules in iptables, but BlockHosts
> writes to hosts.deny ...
>
> And for the bans in hosts.deny to take effect, a connection to
> the service has to be established ... And I don't like that ....
I am sending two scripts, for vsftp and ssh. They run from cron. They write to hosts.deny,
but the main thing is that they produce the list, and sticking a rule for the list of offenders'
addresses into iptables is no problem; only the final part needs to be changed a little..
That is, instead of the line   echo -en "ALL: "$i "\t# Added by rw...
insert an iptables rule where the IP of the malicious source is $i.
Or am I missing something?
--
With my best regards to you !!
http://rusarchives.ru http://rgantd.ru http://victory.rusarchives.ru
SilverFox@rgantd.ru

Attachment: rwsecure

#!/bin/sh
#
# rwsecure parses /var/log/auth/all for "Invalid user" and "Failed password"
# entries. If one IP has more than 15 such entries (the threshold in the
# awk below), it is added to /etc/hosts.deny.
#
file=`awk '/Invalid|Failed password/' /var/log/auth/all \
      | sed 's/.*from //; s/ port.*//' \
      | awk '{print $1}' | sort | uniq -c | sort -n \
      | awk '{if ($1>15) print $2}'`

for i in $file
do
    # skip addresses already listed; whole-word match so that 10.0.0.1 does
    # not match 10.0.0.10, and commented-out lines are ignored
    if grep -v '^[[:space:]]*#' /etc/hosts.deny | grep -qwF -- "$i"
    then
        continue
    fi
    printf 'ALL: %s\t# Added by rwsecure on %s\n' "$i" "`date '+%b %d %H:%M:%S %Y'`" >> /etc/hosts.deny
done

Attachment: ftpsecure

#!/bin/sh
#
# ftpsecure parses /var/log/vsftpd.log for "FAIL LOGIN" entries. If one IP
# has more than 15 such entries (the threshold in the awk below), it is
# added to /etc/hosts.deny.
#
file=`awk '/FAIL LOGIN/' /var/log/vsftpd.log \
      | sed 's/.*Client "//; s/"//' \
      | awk '{print $1}' | sort | uniq -c | sort -n \
      | awk '{if ($1>15) print $2}'`

for i in $file
do
    # skip addresses already listed; whole-word match so that 10.0.0.1 does
    # not match 10.0.0.10, and commented-out lines are ignored
    if grep -v '^[[:space:]]*#' /etc/hosts.deny | grep -qwF -- "$i"
    then
        continue
    fi
    printf 'ALL: %s\t# Added by ftpsecure on %s\n' "$i" "`date '+%b %d %H:%M:%S %Y'`" >> /etc/hosts.deny
done
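The change the message proposes, as an added example that is not one of the attached scripts and not code by the message's author: the same per-IP failure count as rwsecure and ftpsecure, but the final step emits an iptables DROP rule for each offender instead of a hosts.deny line. It goes slightly beyond the two attachments by handling both the sshd and the vsftpd log format in one pass, and it checks with `iptables -C` before inserting so that a cron job does not stack duplicate rules. Assumed: POSIX sh, awk and sort, an iptables that supports `-C`, the OpenSSH "... from <ip> port <n>" format and the vsftpd 'FAIL LOGIN: Client "<ip>"' format; the log lines in SAMPLE_LOG are constructed.

```shell
#!/bin/sh
# Added example (not one of the attached scripts): count authentication
# failures per source IP in sshd and vsftpd logs and block offenders with
# an iptables DROP rule instead of a hosts.deny entry.
# Assumptions: POSIX sh, awk, sort; iptables with -C; OpenSSH and vsftpd
# log formats as shown in the constructed SAMPLE_LOG below.

THRESHOLD=${THRESHOLD:-15}   # same cut-off as the attached scripts ('$1>15')
DRY_RUN=${DRY_RUN:-1}        # 1 = print the iptables commands, 0 = run them

# offenders: read log lines on stdin, print (sorted) the IPs whose failure
# count exceeds $1. Both log formats are handled in a single awk pass.
offenders() {
    awk -v limit="$1" '
        /Invalid user|Failed password/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        /FAIL LOGIN: Client/ {
            ip = $NF; gsub(/"/, "", ip); count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# block_cmd: the shell command that blocks one address. The -C check comes
# first so a job that runs every few minutes does not re-insert the rule.
block_cmd() {
    printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$1" "$1"
}

# apply: for every offender found on stdin, print the command (dry run)
# or insert the rule if it is not already present.
apply() {
    offenders "$1" | while read -r ip; do
        if [ "$DRY_RUN" = 1 ]; then
            block_cmd "$ip"
        elif ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# Constructed sample: three sshd failures from 10.0.0.5, one from 10.0.0.50,
# three vsftpd failures from 10.0.0.7, plus an unrelated successful login.
SAMPLE_LOG='Mar  9 11:35:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar  9 11:35:02 host sshd[1002]: Invalid user admin from 10.0.0.5
Mar  9 11:35:03 host sshd[1003]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar  9 11:35:04 host sshd[1004]: Failed password for root from 10.0.0.50 port 40003 ssh2
Mar  9 11:35:05 host sshd[1005]: Accepted publickey for backup from 10.0.0.9 port 40004 ssh2
Thu Mar  9 11:36:01 2006 [pid 2001] [anonymous] FAIL LOGIN: Client "10.0.0.7"
Thu Mar  9 11:36:02 2006 [pid 2002] [anonymous] FAIL LOGIN: Client "10.0.0.7"
Thu Mar  9 11:36:03 2006 [pid 2003] [anonymous] FAIL LOGIN: Client "10.0.0.7"'

# Usage: ./blockhosts.sh /var/log/auth/all   (THRESHOLD and DRY_RUN from env)
# With no log file argument the constructed sample is used with a threshold of 2.
if [ -n "$1" ] && [ -f "$1" ]; then
    apply "$THRESHOLD" < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | apply 2
fi
```

With the default DRY_RUN=1 the script only prints the commands it would run, which is the sensible way to check the offender list against the real log before letting cron apply rules; set DRY_RUN=0 once the list looks right. The whole-key counting in awk also avoids the substring problem of an unanchored grep (10.0.0.5 and 10.0.0.50 are counted separately).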