[Snort-users] alert logging of non local lan SSH connections.

Travis Farmer travis5765 at ...125...
Tue Sep 18 08:00:03 EDT 2001

Ok, here's the deal. My server sits in a closet along with some other 
network equipment. This way it's out of the way. Now rather than pulling up 
a chair in the closet every time I need to do something, I use SSH.
Lately I have been getting hundreds of hits a day to my telnet server. I 
figured it must be a script kiddy as not many people can type random logins 
that fast. I don't use telnet so I simply shut down the service. Now that 
port 23 is out of the question, the script kiddy has decided to try my SSH 
port. All the connections are from remote IP addresses and each connection 
is a new address (obviously spoofing).

How do I set up an alert to log remote SSH connections (just the headers and 
possibly the username used, if possible)?

Any thoughts? comments? rants?


