USING SWATCH TO DETECT SSH BRUTE FORCE AND DICTIONARY ATTACKS

1. Since sshd already logs every failed attempt to /var/log/auth.log, all we need to do for now is watch that file:

       NOC-TLDX> sudo tail -f /var/log/auth.log

   ... while the attack is being run ...

2. Now we will use SWATCH + syslog-ng.

   Add the following rules to /etc/swatch.conf:

       # Invalid SSH Login Attempts
       watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
           threshold track_by=$4, type=limit, count=10, seconds=600
           mail=monitoring,subject=SSH dictionary attack

       watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
           threshold track_by=$4, type=limit, count=10, seconds=600
           mail=monitoring,subject=SSH brute force attempt

   In both rules $4 is the fourth capture group, the address after "from", so the threshold is counted per source host: 10 matching lines from the same host within 600 seconds trigger one mail to monitoring.

   Then restart swatch (it tails /var/log/everything here, the file syslog-ng is writing to, rather than /var/log/auth.log directly):

       NOC-TLDX> sudo kill -9 `ps ax | grep swatch | grep -v grep | awk '{ print $1 }'`
       NOC-TLDX> sudo swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

   Now make sure swatch is running:

       NOC-TLDX> ps ax | grep -i swatch

   If swatch is running, you should see a line like:

       12274 ?        Ss     0:00 /usr/bin/swatch -c /etc/swatch.conf --tail-file=/var/log/everything --daemon

   Now, let's see what happens when the attack is run again.
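To check what the two rules above will actually catch before relying on them, here is an added Python model (not part of the lab, not swatch's own code) that runs the same two regexes over constructed auth.log lines and applies a per-source count/seconds threshold keyed on $4; the "limit" behaviour is a simplified assumption (fire on the count-th hit within the window, then reset).

```python
import re
from collections import defaultdict
from datetime import datetime

# The two swatch patterns from the lab, capture groups kept identical so that
# group 4 (swatch's $4) is the source address the threshold tracks.
PATTERNS = {
    "SSH dictionary attack": re.compile(r"(: [iI]nvalid [uU]ser )(.*)( from )(.*)$"),
    "SSH brute force attempt": re.compile(r"(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$"),
}

def syslog_time(line):
    """Seconds from the 'Mon DD HH:MM:SS' syslog prefix (year is not logged)."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (stamp - datetime(1900, 1, 1)).total_seconds()

def alerts(lines, count=10, seconds=600):
    """Return (subject, source) for each threshold that would fire, in order.

    Assumed model of 'threshold type=limit': per (rule, $4) key, keep the
    timestamps of matches inside a sliding window of `seconds`; fire on the
    count-th hit and clear the window so one burst produces one mail.
    """
    recent = defaultdict(list)  # (subject, source) -> timestamps in window
    fired = []
    for line in lines:
        ts = syslog_time(line)
        for subject, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            key = (subject, m.group(4))
            window = [t for t in recent[key] if ts - t < seconds] + [ts]
            if len(window) >= count:
                fired.append(key)
                window = []
            recent[key] = window
    return fired

def sample_log(source, n):
    """Constructed sshd lines: one invalid-user attempt per second from `source`."""
    lines = []
    for i in range(n):
        t = f"Mar 10 10:00:{i:02d}"
        lines.append(f"{t} noc sshd[4{i:03d}]: Invalid user admin from {source}")
        lines.append(f"{t} noc sshd[4{i:03d}]: Failed password for invalid user admin "
                     f"from {source} port {40000 + i} ssh2")
    return lines

# 12 attempts from one host (past the threshold), 3 from another (below it),
# plus a successful login that must not match either rule.
SAMPLE = (sample_log("192.0.2.10", 12) + sample_log("198.51.100.7", 3)
          + ["Mar 10 10:00:30 noc sshd[5000]: Accepted publickey for ops from 203.0.113.5 port 22 ssh2"])
```

Note that newer OpenSSH versions append " port N" to the "Invalid user" line as well, in which case $4 of the first rule would contain the port and the per-host count would be split across ports.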