Find brute-forced destination ports

Find all destination ports used by TCP brute-force attacks on a server:

zgrep firewall /var/log/syslog*|python -c "import sys;[sys.stdout.write(word + '\n') for line in sys.stdin for word in line.split() if word.startswith('DPT=')]"|sort -n -t= -k 2|uniq -c   

The above assumes that you log all stray TCP packets to /var/log/syslog with the prefix 'firewall', which can be done with this iptables rule:

iptables -A INPUT -m limit --limit 200/hour --limit-burst 50 -j LOG --log-level warning --log-prefix firewall:

Keine Kommentare: