[–] parnellsUprising 0 points 1 points (+1|-0) ago 

Why don’t you use an open source HIDS like ossec, and modify the rules if need be? Worse comes to worse, just use fail2ban

[–] veriodd [S] 0 points 0 points (+0|-0) ago  (edited ago)

Sweet, good advice, it's working good. I assume I have to manually enable some actions, but it's much easier than watching logfiles!

This guy is hitting all angles:

[Tue Jun 12 16:35:24.396912 2018] [proxy:warn] [pid 26766] [client] AH01144: No protocol handler was valid for the URL If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

Damn. So now I can use this to automatically update blacklists and get more pre-emptive?

** Alert 1528839189.1451: - pam,syslog,authentication_failed,
2018 Jun 12 16:33:09 veriodd->/var/log/auth.log
Rule: 5503 (level 5) -> 'User login failed.'
Src IP:
Jun 12 16:33:09 veriodd sshd[28744]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=

** Alert 1528839191.1768: - syslog,sshd,invalid_login,authentication_failed,
2018 Jun 12 16:33:11 veriodd->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP:
Jun 12 16:33:11 veriodd sshd[28744]: Failed password for invalid user temp from port 58832 ssh2

** Alert 1528839354.2095: - syslog,sshd,invalid_login,authentication_failed,

This is ridiculous.

[–] parnellsUprising 0 points 1 points (+1|-0) ago 

Not sure which one you setup, but I would imagine fail2ban. At any rate, then you can perform an iptables -L, and that will show you exactly the rules that are being triggered. If you are not seeing anything, you may need to go through your config files in /etc/fail2ban , just make sure that if you are making changes to use the jail.local file, as the other will be overwritten upon system updates.

BTW, while ossec is a lot harder in the beginning, it is a lot more efficient when you figure out how to generate your own rules when you get hit by something more than the usual script kiddies.

[–] veriodd [S] 0 points 0 points (+0|-0) ago 

This looks very promising. It's running now we'll see what it can do.

First "Strategic Partner" listed is Amazon Web Services. Can't escape the signal!