Re: kernel.org status: hints on how to check your machine forintrusion

[gmack]

> Date: Sat, 01 Oct 2011 14:45:38 -0400
> From: Steven Rostedt <rostedt@xxxxxxxxxxx>
> To: David Miller <davem@xxxxxxxxxxxxx>
> Cc: w@xxxxxx, greg@xxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: kernel.org status: hints on how to check your machine for
>     intrusion
> 
> On Sat, 2011-10-01 at 14:40 -0400, Steven Rostedt wrote:
> > OK, I decided to attach the perl script anyway. It is very crude, and
> > really needs to be cleaned up for generic use.
> > 
> 
> I've just been pointed to:
> 
> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> This looks like something similar.
> 
> You see, the reason I posted this tool is because I was sure people will
> point me to better ones that do the same thing (and more!)   ;)
> 

The nice thing about fail2ban is that you can use it to montitor other 
ports since many bots are now doing ftp/smtp sasl/imap/imaps/pop3/pop3s 
scans to find system accounts and then use the result for an ssh login.

As a warning though, at least on debian the SMTP SASL regex is non 
functional and I haven't had time to work out a working one so hopefully 
if someone has one it would be helpful. A fix for this is doubly important 
since the SASL package has a memory leak on failed login that they have 
known about for at least 3 years but haven't bothered fixing.  A scanning 
bot can take up several gigs of memory in about an hour.

	Gerhard


--
Gerhard Mack

gmack@xxxxxxxxxxxxx

<>< As a computer, I find your faith in technology amusing.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/