USING SWATCH TO DETECT SSH BRUTE FORCE AND DICTIONARY ATTACKS

1. First we must enable remote logging on our DNS server. This is on the DNS server only! Do not do this on the NOC server.

Add the following line to the end of /etc/rsyslog.d/50-default.conf on your DNS server (10.X.1.1, where X = your group number). It sends a copy of every log message on the DNS server (all facilities, all priorities) over UDP to your NOC at 10.X.2.1:

*.* @10.X.2.1

then restart rsyslog:

sudo service rsyslog restart

If you had web and/or application servers you would need to reconfigure their logging the same way, but let's focus on the current task.

2. On your NOC run

sudo tail -f /var/log/auth.log

then from your laptop log in and out of your DNS server and watch the output on the NOC. Try logging in with a few bad account and/or password combinations as well. The instructor will run a brute force attack while you view the output.

3. Let's automate the detection using swatch. On your NOC add the following to swatch_authlog.conf. Cut and paste; do not try to hand edit.

watchfor /(: [aA]ccepted )(.*)( for )(.*)( from )(.*)( port )(.*)$/
    mail=tldadmin@localhost,subject=LOGIN $4 from $6 ($2)

watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
    threshold track_by=$4, type=limit, count=10, seconds=600
    mail=tldadmin@localhost,subject=SSH brute force attempt

watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
    threshold track_by=$4, type=limit, count=10, seconds=600
    mail=tldadmin@localhost,subject=SSH dictionary attack

In these rules $N is the Nth parenthesised group of the regular expression: in the first rule $2 is the authentication method, $4 the username and $6 the source address; in the second and third rules $4 is the source address, so track_by=$4 keeps a separate counter per attacking host. (Newer OpenSSH releases also append "port N" to the "Invalid user" line; if your auth.log shows that, extend the third pattern with ( port )(.*) the way the other two are written, otherwise the port becomes part of the key and every attempt is counted separately.) Note that type=limit means "act on the first 10 matches for that key within a 600 second window, then stay quiet until the window expires", so a sustained attack from one host produces up to ten mails rather than one; if you want a single mail once the tenth failure arrives, use type=both instead.

Then restart swatch. This may require finding the process ids of the running swatch processes and killing them first, and then:

sudo swatch -c swatch_authlog.conf --tail-file=/var/log/auth.log --daemon

(You might try this shell one-liner to simplify restarting swatch:

sudo kill -9 `ps ax | grep swatch | grep -v grep | awk '{ print $1 }'`

)

4. Run mutt while you create other ssh sessions from your laptop to the DNS and NOC machines. The instructor may also do a brute force attack.

5. What do you receive?
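To see what the three watchfor rules above actually do to a stream of auth.log lines before you wait for the instructor's attack, here is an added example (not part of the lab handout, and not swatch itself, which is a Perl program). It re-implements the same three regular expressions and the threshold gate in Python and runs them over a constructed auth.log excerpt. The threshold semantics (type=limit acts on the first `count` matches per key in the window, type=threshold on every count-th match, type=both once when the count is reached) are modelled on the swatch(1) man page and are an assumption of this example; the hostnames, addresses and usernames in the sample lines are made up.

```python
"""Emulation of the lab's three swatch watchfor rules over constructed
auth.log lines.  Added example; swatch (Perl) is not invoked.  Threshold
behaviour follows the swatch(1) man page description (assumption)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def parse_syslog_time(line: str) -> datetime:
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (year is ignored)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


class Threshold:
    """Per-key gate like 'threshold track_by=$N, type=..., count=..., seconds=...'."""

    def __init__(self, track_by: int, kind: str, count: int, seconds: int):
        self.track_by, self.kind, self.count, self.seconds = track_by, kind, count, seconds
        self.state = {}  # key -> (window start, matches seen in this window)

    def allow(self, key: str, now: datetime) -> bool:
        start, n = self.state.get(key, (now, 0))
        if (now - start).total_seconds() >= self.seconds:  # window expired: open a new one
            start, n = now, 0
        n += 1
        self.state[key] = (start, n)
        if self.kind == "limit":        # act on the first `count` matches, then suppress
            return n <= self.count
        if self.kind == "threshold":    # act on every count-th match
            return n % self.count == 0
        if self.kind == "both":         # act once when `count` is reached, then suppress
            return n == self.count
        raise ValueError(f"unknown threshold type {self.kind!r}")


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    subject: str                       # swatch-style template, $N = regex group N
    threshold: Optional[Threshold] = None


def build_rules(kind: str = "limit") -> list:
    """The lab's three rules; `kind` lets you compare type=limit with type=both."""
    return [
        Rule("login", re.compile(r"(: [aA]ccepted )(.*)( for )(.*)( from )(.*)( port )(.*)$"),
             "LOGIN $4 from $6 ($2)"),
        Rule("brute", re.compile(r"(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$"),
             "SSH brute force attempt", Threshold(4, kind, 10, 600)),
        Rule("dict", re.compile(r"(: [iI]nvalid [uU]ser )(.*)( from )(.*)$"),
             "SSH dictionary attack", Threshold(4, kind, 10, 600)),
    ]


def expand_subject(template: str, m) -> str:
    """Substitute $N with regex group N, as swatch does in its action arguments."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)


def scan(lines, rules):
    """Return (rule name, mail subject) for every line that would trigger a mail action."""
    alerts = []
    for line in lines:
        now = parse_syslog_time(line)
        for rule in rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            if rule.threshold and not rule.threshold.allow(m.group(rule.threshold.track_by), now):
                continue
            alerts.append((rule.name, expand_subject(rule.subject, m)))
    return alerts


def constructed_auth_log():
    """Constructed sample, not real data: one good login, 12 password failures from one
    host inside a minute, three 'Invalid user' probes from another host, and one more
    failure from the first host 11 minutes later (outside the 600 s window)."""
    lines = ["Apr 13 10:00:01 dns sshd[2011]: Accepted publickey for alice from 10.7.3.5 port 50112 ssh2"]
    for i in range(12):
        lines.append(f"Apr 13 10:00:{10 + i:02d} dns sshd[{2100 + i}]: "
                     f"Failed password for root from 10.7.3.9 port {40000 + i} ssh2")
    for i, user in enumerate(["oracle", "test", "admin"]):
        lines.append(f"Apr 13 10:01:{i:02d} dns sshd[{2200 + i}]: Invalid user {user} from 10.7.3.10")
    lines.append("Apr 13 10:12:00 dns sshd[2300]: Failed password for root from 10.7.3.9 port 41000 ssh2")
    return lines


if __name__ == "__main__":
    for kind in ("limit", "both"):
        print(f"--- type={kind}")
        for name, subject in scan(constructed_auth_log(), build_rules(kind)):
            print(f"{name:6} {subject}")
```

With the lab's type=limit the twelve failures from 10.7.3.9 produce ten "SSH brute force attempt" mails and the thirteenth failure, arriving after the window has expired, produces an eleventh; the three "Invalid user" probes each produce a mail because they never reach the count. With type=both the same input yields exactly one brute-force mail (on the tenth failure) and none for the probes, which is usually the behaviour people expect from a "threshold".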