USING SWATCH TO DETECT SSH BRUTE FORCE AND DICTIONARY ATTACKS

1. First we must enable remote logging on our DNS server. Add the following line to the end of /etc/rsyslog.d/50-default.conf on your DNS server (10.X.2.2), where X is your group number. It sends a copy of every log message on the DNS server to your NOC at 10.X.1.2:

   *.* @10.X.1.2

   Then restart rsyslog:

   sudo service rsyslog restart

   A single @ means plain UDP syslog (port 514): it is unauthenticated and unencrypted, and messages can be silently dropped, which is acceptable for this lab but not for a production NOC (@@ selects TCP instead). The NOC's rsyslog must already be accepting remote syslog on that port or nothing will arrive. If you had web and/or application servers you would need to reconfigure their logging systems as well.

2. On your NOC:

   sudo tail -f /var/log/auth.log

   Then, from your laptop, log in and out of your DNS server and watch the output on the NOC. You might even try logging in with a few bad account and/or password combinations. The instructor will run a brute force attack as well while you view the output.

3. Let's try to automate the detection of this using swatch. On your NOC add the following to swatch_authlog.conf. Cut and paste; do not try to hand edit.

   watchfor /(: [aA]ccepted )(.*)( for )(.*)( from )(.*)( port )(.*)$/
   mail=tldadmin@localhost,subject=LOGIN $4 from $6 ($2)

   watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
   threshold track_by=$4, type=limit, count=10, seconds=600
   mail=tldadmin@localhost,subject=SSH brute force attempt

   watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
   threshold track_by=$4, type=limit, count=10, seconds=600
   mail=tldadmin@localhost,subject=SSH dictionary attack

   In these rules $2, $4 and $6 refer to the parenthesised groups of the pattern. For an "Accepted" line $2 is the authentication method (password, publickey), $4 the user name and $6 the source address; in the two threshold rules $4 is the source address, so the count of 10 matches in 600 seconds is kept separately per attacking host. Two things to check against the swatch manual before relying on this: type=limit performs the action for the first count matches inside the window and then suppresses further ones (type=both fires once when count is reached, which is usually what a brute-force rule is meant to do); and on newer OpenSSH releases the "Invalid user" line ends with " port N", so the final (.*) captures address and port together and every connection ends up under its own key.

   Then restart swatch. This may require finding the process ids of the running swatch processes and killing them first, and then:

   sudo swatch -c swatch_authlog.conf --tail-file=/var/log/auth.log --daemon

   (You might try this shell one-liner to simplify restarting swatch:

   sudo kill -9 `ps ax | grep swatch | grep -v grep | awk '{ print $1 }'`

   )

4. Run mutt (as the tldadmin user, since that is where the alerts are mailed) while you create other ssh sessions from your laptop to the DNS and NOC machines. The instructor may also do a brute force attack.

5. What do you receive?
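To see what the three swatch rules actually count, here is an added example (not part of the lab hand-out and not swatch's own code) that re-implements them in Python and runs them over constructed auth.log lines. It uses the same three patterns and the same per-source-address window of 10 matches in 600 seconds, but with "fire once when the count is reached, then stay quiet for the window" semantics. The host name dns, the PIDs, the addresses 10.1.3.x and 10.1.9.5 and the year 2024 are all assumptions for the sample data.

```python
"""Swatch-style SSH brute-force / dictionary-attack detection over auth.log lines.

Added example, not the lab's or swatch's code.  All log lines below are
constructed sample data; hosts, PIDs, addresses and the year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Same three rules as the swatch configuration, as Python regexes.
ACCEPTED = re.compile(r': [aA]ccepted (\S+) for (\S+) from (\S+) port (\d+)')
FAILED = re.compile(r': [fF]ailed password for (.*) from (\S+) port (\d+)')
INVALID = re.compile(r': [iI]nvalid [uU]ser (\S+) from (\S+)')

COUNT, SECONDS = 10, 600          # count=10, seconds=600 in the swatch config
EPOCH = datetime(2024, 1, 1)      # assumed year; syslog timestamps carry none


def parse_ts(line):
    """Seconds since EPOCH for a 'Mar 14 10:00:01 ...' syslog timestamp."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=EPOCH.year)
    return (stamp - EPOCH).total_seconds()


class Threshold:
    """Sliding-window counter keyed on the tracked value (swatch's track_by=$4).

    Fires once when `count` events from the same key fall within `seconds`,
    then stays silent for that key until `seconds` after the alert.
    """

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.events = defaultdict(deque)   # key -> timestamps inside the window
        self.muted_until = {}              # key -> time at which alerts resume

    def hit(self, key, ts):
        """Record one event; return True when an alert should be raised."""
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.seconds:    # drop events that left the window
            q.popleft()
        if ts < self.muted_until.get(key, 0):
            return False                   # already alerted for this window
        if len(q) >= self.count:
            self.muted_until[key] = ts + self.seconds
            q.clear()
            return True
        return False


def analyze(lines, count=COUNT, seconds=SECONDS):
    """Return the alert subjects the swatch rules would mail, in order."""
    alerts = []
    brute = Threshold(count, seconds)       # Failed password rule
    dictionary = Threshold(count, seconds)  # Invalid user rule
    for line in lines:
        ts = parse_ts(line)
        if m := ACCEPTED.search(line):
            method, user, ip, _port = m.groups()
            alerts.append(f"LOGIN {user} from {ip} ({method})")
        elif m := FAILED.search(line):
            _user, ip, _port = m.groups()
            if brute.hit(ip, ts):
                alerts.append(f"SSH brute force attempt from {ip}")
        elif m := INVALID.search(line):
            _user, ip = m.groups()
            if dictionary.hit(ip, ts):
                alerts.append(f"SSH dictionary attack from {ip}")
    return alerts


# Constructed sample log: one good login, a fast brute force (12 failures in
# two minutes), three bad user names, and a slow attacker (one failure every
# two minutes) that never reaches 10 inside any 600-second window.
SAMPLE = (
    ["Mar 14 10:00:01 dns sshd[1201]: Accepted publickey for tldadmin from 10.1.9.5 port 50122 ssh2"]
    + [f"Mar 14 10:0{i // 6}:{(i % 6) * 10:02d} dns sshd[13{i:02d}]: "
       f"Failed password for root from 10.1.3.7 port {40000 + i} ssh2" for i in range(12)]
    + [f"Mar 14 10:05:0{i} dns sshd[14{i:02d}]: Invalid user admin from 10.1.3.8 port {41000 + i}"
       for i in range(3)]
    + [f"Mar 14 10:{10 + 2 * i}:00 dns sshd[15{i:02d}]: "
       f"Failed password for root from 10.1.3.9 port {42000 + i} ssh2" for i in range(10)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Running it prints the login notice for tldadmin and a single brute-force alert for 10.1.3.7; the three invalid-user attempts and the slow attacker stay below threshold, which is exactly the gap a per-window count leaves for an attacker who paces the guesses.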