Re: status: hints on how to check your machine for intrusion

From: gmack
Date: Mon Oct 03 2011 - 05:56:53 EST

> Date: Sat, 01 Oct 2011 14:45:38 -0400
> From: Steven Rostedt <rostedt@xxxxxxxxxxx>
> To: David Miller <davem@xxxxxxxxxxxxx>
> Cc: w@xxxxxx, greg@xxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: status: hints on how to check your machine for
> intrusion
> On Sat, 2011-10-01 at 14:40 -0400, Steven Rostedt wrote:
> > OK, I decided to attach the perl script anyway. It is very crude, and
> > really needs to be cleaned up for generic use.
> >
> I've just been pointed to:
> This looks like something similar.
> You see, the reason I posted this tool is because I was sure people will
> point me to better ones that do the same thing (and more!) ;)

The nice thing about fail2ban is that you can use it to monitor other
ports since many bots are now doing ftp/smtp sasl/imap/imaps/pop3/pop3s
scans to find system accounts and then use the result for an ssh login.

As a warning though, at least on Debian the SMTP SASL regex is
non-functional and I haven't had time to work out a working one so hopefully
if someone has one it would be helpful. A fix for this is doubly important
since the SASL package has a memory leak on failed login that they have
known about for at least 3 years but haven't bothered fixing. A scanning
bot can take up several gigs of memory in about an hour.


Gerhard Mack


<>< As a computer, I find your faith in technology amusing.
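
The cross-service pattern described in the message above (failed mail logins from a source, then an ssh login from the same source), as an added example that is not part of the original post and not fail2ban's own code. The log lines are constructed, their formats are assumptions modelled on common Postfix, Dovecot and OpenSSH syslog output, and `analyse`, `failed_ip` and `parse_time` are hypothetical names; `maxretry` and `findtime` only mimic the fail2ban options of the same name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the formats are assumptions, not taken from the thread.
SAMPLE_LOG = """\
Oct  3 05:10:01 mx postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Oct  3 05:10:04 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Oct  3 05:10:09 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1
Oct  3 05:11:30 mx postfix/smtpd[2290]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct  3 05:12:30 mx sshd[3100]: Accepted password for alice from 203.0.113.7 port 51515 ssh2
Oct  3 05:40:00 mx sshd[3190]: Accepted publickey for bob from 192.0.2.50 port 40222 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [  # one failure pattern per monitored mail service
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[" + IP + r"\]: SASL \S+ authentication failed"),
    re.compile(r"dovecot: (?:imap|pop3)-login: .*\(auth failed.*\brip=" + IP),
]
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from " + IP)

def parse_time(line, year=2011):
    # Classic syslog timestamps carry no year, so one is supplied.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def failed_ip(line):
    """Return the source address if the line is a mail auth failure."""
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("ip")

def analyse(log, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (addresses to ban, ssh logins that followed mail failures)."""
    failures = defaultdict(list)  # ip -> recent failure times, all services
    ban, suspicious = set(), []
    for line in log.splitlines():
        when, ip = parse_time(line), failed_ip(line)
        if ip:
            # Keep only failures inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if when - t <= findtime] + [when]
            if len(failures[ip]) >= maxretry:
                ban.add(ip)
            continue
        m = SSH_OK.search(line)
        if m and failures.get(m.group("ip")):
            suspicious.append((m.group("user"), m.group("ip")))
    return ban, suspicious
```

Counting failures per source across all services, rather than per service, is what lets three single failures on SMTP, IMAP and POP3 add up to a ban.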