ACHTUNG! Scary Linux system backdoor turns boxes into DDoS droids

Colin Miller

Re: To catch this malware ...

You can also use fail2ban.

This is a small script that monitors your logs for N occurrences of regexp X in Y seconds from the same IP number. If this is reached, then it carries out an action, and a second action after Z seconds.

By default it monitors /var/log/auth.log, looking for ssh login failures (either wrong password, or non-existent/no-login user). If this occurs 5 times in 10 minutes, then it will invoke iptables to block all incoming traffic from that IP number to your ssh server, and then automatically unban it 10 minutes later. It can also be set to email you an alert.

It is possible to have it monitor itself, so if the same IP address gets banned 5 times in a day, they get a week's ban (tweak to your inner BOFH's content).
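As an added illustration (not part of the comment above, and not fail2ban's own code), here is a small Python reimplementation of the counting rule the comment describes: N matches of a regex from the same IP within a sliding window of Y seconds. The sshd failure regex, the 5-in-10-minutes defaults, the year and the auth.log lines are all constructed assumptions; the ban/unban actions are left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd's /var/log/auth.log format (syslog lines carry no year).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50011 ssh2
Jan 10 10:01:12 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50012 ssh2
Jan 10 10:02:30 host sshd[1003]: Invalid user test from 203.0.113.7
Jan 10 10:03:05 host sshd[1004]: Failed password for root from 198.51.100.4 port 40001 ssh2
Jan 10 10:04:44 host sshd[1005]: Failed password for root from 203.0.113.7 port 50013 ssh2
Jan 10 10:05:10 host sshd[1006]: Accepted publickey for alice from 192.0.2.9 port 33333 ssh2
Jan 10 10:06:59 host sshd[1007]: Failed password for invalid user oracle from 203.0.113.7 port 50014 ssh2
Jan 10 10:20:00 host sshd[1008]: Failed password for root from 198.51.100.4 port 40002 ssh2
"""

# Assumed equivalent of a fail2ban "failregex" for sshd: wrong password or non-existent user.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: (?:Failed password for(?: invalid user)? \S+ from|Invalid user \S+ from) (?P<ip>[\d.]+)"
)
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10), year=2019):
    """Return {ip: time of first ban} for IPs with >= maxretry failures inside a findtime window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        t = TIMESTAMP.match(line)
        if not m or not t:
            continue  # successful login or unparsable line: not a failure
        ts = datetime.strptime(f"{year} {t['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:  # expire failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts  # here fail2ban would run its ban action (e.g. an iptables rule)
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the sample lines only 203.0.113.7 reaches five failures inside ten minutes; 198.51.100.4 fails twice but more than ten minutes apart, so it is never banned.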
