[Snort-users] alert logging of non local lan SSH connections.
travis5765 at ...125...
Tue Sep 18 08:00:03 EDT 2001
Ok, here's the deal. My server sits in a closet along with some other
network equipment. This way it's out of the way. Now rather than pulling up
a chair in the closet every time I need to do something, I use SSH.
Lately I have been getting hundreds of hits a day to my telnet server. I
figured it must be a script kiddy as not many people can type random logins
that fast. I don't use telnet so I simply shut down the service. Now that
port 23 is out of the question, the script kiddy has decided to try my SSH
port. All the connections are from remote IP addresses and each connection
is a new address (obviously spoofing).
How do I set up an alert to log remote SSH connections (just the headers and
possibly the username used if possible)?
Any thoughts? Comments? Rants?