[root@centos ~]# vi /etc/swatch/secure.conf　←　/var/log/secure監視用設定ファイル作成
# logfile /var/log/secure
#
# swatch rules for /var/log/secure. The logfile line above is commented out,
# so the file to follow is presumably given on the swatch command line — confirm.
#
# Every rule pipes the matching log line into /usr/local/bin/swatch_action.sh.
# As far as the garbled original notes can be read, its arguments are:
#   $1 - separator used to split the log line into fields
#   $2 - 1-based index of the field holding the remote address
#   $3 - optional action keyword ("block", used by the first rule only)
# The original notes say the offending host is then blocked for 24 hours; that
# duration lives in swatch_action.sh, nothing in this file enforces it.
#
# swatch stops at the first matching watchfor unless a rule says `continue`,
# so rule order is load-bearing: the narrower "invalid user" pattern must stay
# above the general "Failed password for" pattern, otherwise the general rule
# would hand field 11 (the username) to the script instead of the address.
#
# The fields being extracted sit next to attacker-influenced text (reverse-DNS
# name, the username that was tried, PAM ruser). A value containing the
# separator shifts every later field, so swatch_action.sh should check that
# what it extracted really is an IP address before acting on it — confirm.
#
# NOTE(review): type=limit in swatch performs the action for the first
# <count> events inside <seconds> and suppresses the rest; "act once after
# three failures" is type=both. Whether the count=3 rules below behave as the
# original notes describe depends on that reading (or on counting done inside
# swatch_action.sh) — verify against the swatch manual before relying on it.
# The track_by key is the same regex as the watchfor; if swatch keys on the
# matched text, that text includes the "sshd[<pid>]" token, i.e. counting is
# per sshd process rather than per source host — verify.

# Rule 1: connection refused by TCP wrappers. The original note says this is
# for hosts already denied through /etc/hosts.deny / /etc/hosts.allow, which
# therefore must be set up first.
# Sample: Jan 23 19:50:37 centos sshd[15862]: refused connect from xxxxxxxxx (XXX.XXX.XXX.XXX)
# Splitting on "(" or ")" leaves the address in field 2. count=1: acts on the
# first hit, then at most once per 10-second window per key.
watchfor /sshd.*refused/
pipe "/usr/local/bin/swatch_action.sh '\\\\(|\\\\)' 2 block"
threshold track_by=/sshd.*refused/,type=limit,count=1,seconds=10

# Rule 2: SSH login failure for a username that does not exist. Original note
# (as far as readable): three such failures from a host not already denied
# lead to that host being blocked.
# Sample: Feb 2 17:51:26 centos sshd[6982]: Failed password for invalid user xxxxxxxx from XXX.XXX.XXX.XXX port 34464 ssh2
# Space-separated, the address is field 13 — counting the username as one
# field. Real syslog pads a single-digit day as "Feb  2" (two spaces); the
# index only holds if the script collapses repeated spaces (awk-style) — confirm.
watchfor /sshd.*Failed password for invalid user/
pipe "/usr/local/bin/swatch_action.sh ' ' 13"
threshold track_by=/sshd.*Failed password for invalid user/,type=limit,count=3,seconds=10

# Rule 3: SSH login failure for an existing user (wrong password). Original
# note (as far as readable): three failures lead to the host being blocked.
# Sample: Jan 28 04:56:56 centos sshd[1849]: Failed password for root from XXX.XXX.XXX.XXX port 56558 ssh2
# Space-separated, the address is field 11. This pattern also matches the
# "invalid user" lines handled by rule 2, which is why rule 2 must come first.
watchfor /sshd.*Failed password for/
pipe "/usr/local/bin/swatch_action.sh ' ' 11"
threshold track_by=/sshd.*Failed password for/,type=limit,count=3,seconds=10

# Rule 4: Dovecot (IMAP/POP) authentication failure via PAM. Original note
# (as far as readable): three failures lead to the host being blocked; the
# second note says a mail server must already be set up for this to apply.
# Sample: Jan 28 05:16:20 centos auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxxxxxxx rhost=XXX.XXX.XXX.XXX
# Splitting on "=" puts the rhost value in field 7; an "=" inside ruser
# would shift it, hence the address validation asked for above.
watchfor /auth: pam_unix\(dovecot:auth\): authentication failure/
pipe "/usr/local/bin/swatch_action.sh '=' 7"
threshold track_by=/auth: pam_unix\(dovecot:auth\): authentication failure/,type=limit,count=3,seconds=10