[olug] Email a report on SSH

Lou Duchez lou at paprikash.com
Fri Apr 20 16:22:11 UTC 2012


You probably want to look into Fail2Ban.  It monitors your logs for 
failed login attempts from a given IP (usually a certain number in a 
given span), and then responds as you tell it to: it can (temporarily or 
permanently) block that IP for port 22, it can send you an E-Mail, it 
can do both.  I haven't ever tried to make Fail2ban cough up failed 
login details, but maybe there's a way to do that.

I don't consider a server tolerably secure until I've got Fail2Ban going 
for SSH, FTP, POP3, IMAP, SMTP, and even SquirrelMail.

How it works: Fail2Ban monitors the logs you specify and looks for the 
regular expressions you specify (not to worry, it comes with a bunch of 
examples you can flip on).  If it needs to block a port, it adds an 
entry to iptables on the fly.


> Hello,
> I have set up an SSH tunnel into an Ubuntu 10.10 machine.  I disabled
> passwords and only use a private key.  I have been using it to proxy my web
> traffic securely when I travel.  Sometimes you just can't trust any old
> WIFI.  Recently my log files have been a little large.  The
> /var/log/auth.log file is showing multiple attempts to login.  I have
> turned the logging to verbose so I can see what is going on but I am not
> home all of the time.  This brings me to the issue.
>
> I have two questions.
>
> 1.  I was looking into port security and came across "Knocking".  Has
> anyone used "Knocking" to open a port?
>
> 2.  Anyone know a good place to get information on setting it up to
> email me when someone tries to log in? I want to know the originating IP
> address and the password they used.  Passwords will all fail but I would
> like to know if someone is foolishly trying to brute force it and where
> they are coming from.  I would like an email sent to me each time it
> happens.  I did find a couple sites detailing a way to email when someone
> logs in, but I am more interested in finding out when someone fails.
>
> Any info you could pass on would be great.
> Thanks,
> David
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
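
The counting that the reply describes (failed logins from one IP, a certain number in a given span), as an added example that is not part of the original post and is not Fail2Ban's own code. The function names are hypothetical, the log lines are constructed, and the maxretry/findtime parameters are named after Fail2Ban's options; sshd does not log the passwords that were tried, so the report lists usernames instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (documentation IP ranges).
SAMPLE_LOG = """\
Apr 20 10:00:01 gw sshd[2101]: Invalid user admin from 203.0.113.5
Apr 20 10:00:04 gw sshd[2103]: Failed password for root from 203.0.113.5 port 4001 ssh2
Apr 20 10:00:09 gw sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 4002 ssh2
Apr 20 10:02:00 gw sshd[2110]: Accepted publickey for david from 198.51.100.7 port 5000 ssh2
Apr 20 10:05:00 gw sshd[2120]: Failed password for root from 192.0.2.9 port 6000 ssh2
Apr 20 11:30:00 gw sshd[2130]: Failed password for root from 192.0.2.9 port 6001 ssh2
Apr 20 12:45:00 gw sshd[2140]: Failed password for root from 192.0.2.9 port 6002 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \w+ for (?:invalid user )?(?P<u1>\S+)|Invalid user (?P<u2>\S+)) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def find_offenders(log_text, maxretry=3, findtime=600, year=2012):
    """Map each IP with >= maxretry failures in findtime seconds to the users it tried."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(list)     # ip -> every username seen in a failure line
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        users[ip].append(m["u1"] or m["u2"])
        q = window[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            offenders[ip] = users[ip]
    return offenders

def report(offenders):
    """Format the body of a summary e-mail, one line per offending IP."""
    return "\n".join(f"{ip}: {len(u)} failures, users tried: {', '.join(u)}"
                     for ip, u in sorted(offenders.items()))

if __name__ == "__main__":
    print(report(find_offenders(SAMPLE_LOG)))
```

The three slow attempts from 192.0.2.9 stay under the threshold with the default 600-second window, which is the trade-off a short findtime makes against low-rate guessing.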



