
Pattern & Action Library

This is a collection of user-submitted patterns and actions for NoNox.
To contribute to this library, send detailed information, following the examples below, to: nonox-patterns@cr-labs.com
To use this library, look for a problem you're having, and a log file entry that looks like the entries in your log files. Put the pattern and action into the nonox.conf file.


SSH dictionary attack
OS: Red Hat Linux
Log file: /var/log/secure
Example log entries
 Dec 2 23:15:59 zero sshd[21297]: Failed password for illegal user test from 218.233.70.200 port 58564 ssh2
 Dec 2 23:16:04 zero sshd[21299]: Failed password for illegal user guest from 218.233.70.200 port 58695 ssh2
 Dec 2 23:16:08 zero sshd[21301]: Failed password for illegal user admin from 218.233.70.200 port 58812 ssh2
 
NoNox pattern to detect this log entry
pattern sshd_login_fail /var/log/secure (^.*?:\d\d:\d\d).*?Failed password.*?from\s.*?(\d+?\.\d+?\.\d+?\.\d+).*
 
NoNox action to respond to this log entry
This action adds a rule to iptables that drops packets from the host making the login attempts.
Trigger condition: 4 log entries within 1800 seconds (30 minutes)
action sshd_login_fail 4 1800 /sbin/iptables -A INPUT --source %s -j DROP


SSH dictionary attack
OS: Red Hat Linux
Log file: /var/log/secure
Example log entries
 Dec 2 16:45:54 localhost sshd[15042]: Failed password for invalid user staff from ::ffff:59.120.206.3 port 39155 ssh2
 Dec 2 16:45:59 localhost sshd[15046]: Failed password for invalid user sales from ::ffff:59.120.206.3 port 39333 ssh2
 Dec 2 16:46:04 localhost sshd[15048]: Failed password for invalid user recruit from ::ffff:59.120.206.3 port 39501 ssh2
 
NoNox pattern to detect this log entry
pattern sshd_login_fail /var/log/secure (^.*?:\d\d:\d\d)\D.*Failed password.*?from\s::ffff:(\d+?\.\d+?\.\d+?\.\d+).*
 
NoNox action to respond to this log entry
This action adds a rule to iptables that drops packets from the host making the login attempts.
Trigger condition: 4 log entries within 1800 seconds (30 minutes)
action sshd_login_fail 4 1800 /sbin/iptables -A INPUT --source %s -j DROP


Challenge/Response, LLC creates security and privacy software to support safe, private e-commerce transactions and to detect and reduce online fraud.