Automated attack reporting tool

Post by bobthebob1234 » Fri Nov 26, 2010 1:31 pm

Anybody know of one?

I have logwatch installed on two servers with ssh running on port 22 (I need to run on port 22 cos the uni blocks other ports and won't unblock other ports unless it is for an academic reason.)

I get stuff like this every day from the servers.
Code:
 Didn't receive an ident from these IPs:
   122.255.115.18: 1 Time(s)
   189.114.59.242 (ns2.anpr.org.br): 1 Time(s)
   210.245.23.146 (host-23-xx.hcm.fpt.vn): 1 Time(s)
   221.192.236.114: 1 Time(s)

 Failed logins from:
   67.115.155.230 (67-115-155-230.sfpl.org): 6 times
      root/password: 6 times
   82.103.130.33 (e82-103-130-33s.easyspeedy.com): 3 times
      root/password: 3 times
   109.123.78.123: 5 times
      root/password: 5 times
   210.245.23.146 (host-23-xx.hcm.fpt.vn): 1 time
      root/password: 1 time

 Illegal users from:
   109.123.78.123: 1 time
      oracle: 1 time
   122.255.115.18: 3 times
      ant: 1 time
      office: 1 time
      pc: 1 time
   221.192.236.114: 1 time
      ant: 1 time


So does anyone know of an automated tool to look up info about the IP address and send an email reporting the attack to the valid email for the IP address? I'm currently doing it by hand.

Or is it not worth bothering?

Also, is there a black list I should be reporting these IP addresses to?

Thanks
For certain you have to be lost to find the places that can't be found. Elseways, everyone would know where it was
bobthebob1234
LXF regular
 
Posts: 1373
Joined: Thu Jan 03, 2008 9:38 pm
Location: A hole in a field
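
One way to automate the first half of what the post describes, as an added example that is not part of the original post and not an existing tool: parse a logwatch sshd summary into per-IP records and draft a report body for each address at or above a threshold. The sample input is constructed, `parse_logwatch`, `draft_reports` and `min_events` are hypothetical names, and the abuse-contact lookup and mail sending are left out.

```python
import re

# Constructed sample shaped like the post's logwatch sshd section (documentation-range IPs).
SAMPLE = """\
 Didn't receive an ident from these IPs:
    203.0.113.5: 1 Time(s)

 Failed logins from:
    192.0.2.10 (host.example.net): 6 times
       root/password: 6 times
    198.51.100.7: 5 times
       root/password: 5 times

 Illegal users from:
    198.51.100.7: 1 time
       oracle: 1 time
    203.0.113.5: 3 times
       ant: 1 time
       office: 1 time
"""

IP_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?: \(([^)]*)\))?: (\d+) [Tt]imes?(?:\(s\))?$")
DETAIL = re.compile(r"^\s+(\S+): (\d+) times?$")  # "user/method: N times" or "user: N time"

def parse_logwatch(text):
    """Return {ip: {"host": str or None, "events": {section: count}, "users": set}}."""
    hosts, section, ip = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := IP_LINE.match(line):          # an address line under the current section
            ip = m.group(1)
            rec = hosts.setdefault(ip, {"host": None, "events": {}, "users": set()})
            rec["host"] = m.group(2) or rec["host"]
            rec["events"][section] = int(m.group(3))
        elif line.endswith(":"):              # a section header such as "Failed logins from:"
            section, ip = line.strip().rstrip(":"), None
        elif ip and (m := DETAIL.match(line)):  # per-username detail for the last address
            hosts[ip]["users"].add(m.group(1).split("/")[0])
    return hosts

def draft_reports(hosts, min_events=3):
    """Plain-text report body per IP whose summed event count reaches min_events."""
    reports = {}
    for ip, rec in sorted(hosts.items()):
        if sum(rec["events"].values()) >= min_events:
            lines = [f"Source: {ip}" + (f" ({rec['host']})" if rec["host"] else "")]
            lines += [f"  {name}: {n}" for name, n in rec["events"].items()]
            lines.append("  Usernames tried: " + ", ".join(sorted(rec["users"])))
            reports[ip] = "\n".join(lines)
    return reports
```

The counts are per logwatch run, so a threshold only filters within one report; an address that makes a single attempt per day never reaches it unless results are accumulated across runs.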