On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <s...@circlenet.us> wrote:
> We used to use a small perl script called tattle that would parse out the
> /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, look up
> the proper abuse contacts and report them. I haven't seen anything similar
> in years but it would be interesting to do more than null route IPs.
>
> The problem we had with the automated reporting was dealing with spoofed
> sources; we see lots of traffic that is obviously hostile but unless it
> becomes serious enough to impact performance we rarely report it. An
> automated system didn't seem to fit anymore due to false positives.
Hi Sam,

Out of curiosity -- how does one get a false positive on an ssh exploit
attempt? Does the origin IP not have to complete a 3-way handshake before
it can attempt an exploit?

Regards,
Bill Herrin

--
William D. Herrin ................ her...@dirtside.com b...@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
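The exchange above turns on a distinction that is easy to lose in a log parser: an sshd "Failed password" or "Invalid user" entry is only written after the TCP handshake and SSH key exchange have completed, so its source address belongs to a real peer, whereas a firewall log of a dropped bare SYN may carry a forged source and is exactly the kind of line that produces a spurious abuse report. The script below is an added illustration of that point, written for this page; it is not the "tattle" script Sam describes and not anything from the thread. It parses constructed /var/log/secure-style lines, aggregates sshd authentication failures per source address, ignores everything else, and lists addresses over a threshold. Looking up the abuse contact (WHOIS/RDAP) needs network access and is left out; the function names and the threshold are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure style (not taken from the thread).
# The sshd lines are authentication-stage events; the kernel line is a
# firewall drop of a bare SYN, whose SRC address could be spoofed.
SAMPLE_LOG = """\
Nov 12 16:40:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 12 16:40:03 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Nov 12 16:40:04 host sshd[2205]: Invalid user oracle from 198.51.100.7
Nov 12 16:40:09 host sshd[2210]: Failed password for bob from 203.0.113.9 port 40112 ssh2
Nov 12 16:40:10 host sshd[2210]: Accepted publickey for bob from 203.0.113.9 port 40112 ssh2
Nov 12 16:40:12 host kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.1 PROTO=TCP SPT=4000 DPT=22 SYN
Nov 12 16:40:15 host sshd[2215]: Failed password for root from 198.51.100.7 port 51044 ssh2
"""

# Only sshd authentication failures are matched. sshd logs these after the
# TCP handshake and key exchange, so the "from" address is the real peer.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def parse_auth_failures(log_text):
    """Return {source_ip: {"count": n, "users": set(...)}} for sshd auth failures.

    Successful logins and kernel firewall drops (bare SYNs with possibly
    forged sources) are deliberately skipped; they are not evidence that
    the address shown actually attempted a login.
    """
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line) or INVALID_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        stats[ip]["count"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)


def report_candidates(stats, threshold=3):
    """Source addresses with at least `threshold` failures, busiest first.

    The threshold is this example's choice; a single failed login is a
    typo, a burst against several usernames is a brute-force attempt.
    """
    hits = [ip for ip, s in stats.items() if s["count"] >= threshold]
    return sorted(hits, key=lambda ip: stats[ip]["count"], reverse=True)


def format_report(ip, stats):
    """One human-readable summary line for an abuse report."""
    s = stats[ip]
    users = ", ".join(sorted(s["users"]))
    return f"{ip}: {s['count']} failed SSH logins, usernames tried: {users}"


if __name__ == "__main__":
    stats = parse_auth_failures(SAMPLE_LOG)
    for ip in report_candidates(stats):
        print(format_report(ip, stats))
```

Run against the sample, only 198.51.100.7 is reported: 203.0.113.9 mistyped a password once and then logged in, and 192.0.2.55 appears only in a SYN drop that says nothing reliable about who sent it. Any real deployment would still want a per-address rate window and an allow-list before anything is sent to an abuse contact.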