Email me when attack occurs

J_L · n00b Joined: 11 Sep 2006 Posts: 68 Location: Gothenburg

Hi all!

I've been googeling a while for an answer for my question but I only found very complex solutions to my problem...
I went trough my logfiles recently and discovered a signifficant increase in bruteforceattemts on my box, ssh that is.
I'm working on a script that will email me every time my sshd-server blocks an IP. But I don't know anything about MTA or qmail or stuff like that... How do I achive my goals EASILY?

elgato319 · Guru Joined: 15 Sep 2005 Posts: 546

i use denyhosts (app-admin/denyhosts) to block bruteforce attempts. i works really well.

a nice feature is that you can recieve an email if a new ip has been blocked.

denyhosts.conf

JeliJami · Veteran Joined: 17 Jan 2006 Posts: 1086 Location: Belgium

fail2ban can do something similar

J_L · n00b Joined: 11 Sep 2006 Posts: 68 Location: Gothenburg

i have installed it following the guide at http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_DenyHosts
of course i tryed it,that means that i tryed to see if it worked(i connected with wrong usernames and it denyed my ip)
but now i can't connect anymore with my laptop locally(connected to my access point) because the ip of my laptop is blacklisted
i tryed to remove it from hosts.deny but it keeps adding it
i tryed to purge my list but it didn't work
what should i try now

That's actually a qoute from another guy but the same problem goes for me now :oops:

pele_smk · Posted: Thu Dec 07, 2006 5:47 am Post subject:

Hmm...first I have to chuckle; now I can be serious. I've been using denyhosts for a while and tested it in the same manner as you(test it with my own machine) I did just as you did and removed myself from the hosts.deny file and was back on.

The reason denyhosts is adding you back into the hosts.deny file is because the log file denyhosts is running against is still finding your ip. Go do some hacker clean up and remove your info from your logs and denyhosts "should" stop blacklisting you.
_________________
AMD64 3000+
Chaintech ZNF3-150
Chaintech ti4200 SE
WD 120gb && Maxtor 250gb && Maxtor 250gb,
Lite-On DVD+-RW
Coolermaster ATC-210
Thermalright slk & Tornado 92mm
It's still hot......

J_L · n00b Joined: 11 Sep 2006 Posts: 68 Location: Gothenburg

"Go do some hacker clean up and remove your info from your logs and denyhosts "should" stop blacklisting you."

What log files would this be? I've already tried to remove my entire /var/log/messages and that did not work

pele_smk · Posted: Thu Dec 07, 2006 4:06 pm Post subject:

off the bat I was thinking var/log/messages is what denyhosts looks at, but look into what log file denyhosts is actually referring to.
_________________
AMD64 3000+
Chaintech ZNF3-150
Chaintech ti4200 SE
WD 120gb && Maxtor 250gb && Maxtor 250gb,
Lite-On DVD+-RW
Coolermaster ATC-210
Thermalright slk & Tornado 92mm
It's still hot......

elgato319 · Guru Joined: 15 Sep 2005 Posts: 546

you can go to:

/var/lib/denyhosts

and add your ip/hostname to: allowed-hosts

maybe this will help too

rockier · n00b Joined: 01 Jan 2005 Posts: 19

The denyhosts enter has changed to this

http://en.gentoo-wiki.com/wiki/DenyHosts