Re: masking out invalid root logins with logcheck?
> From: martin f krafft
> but somehow am not comfortable to just do it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?
I came up against the same issue some time ago and decided to move my sshd to
a non-standard port. This dramatically reduced the number of log entries,
and I see hardly any login attempts logged. I also updated my snort rules
with the new port. This works for me. I'm also considering setting up a
specific iptables rule to log the ssh hits separately, but there aren't
enough to bother with that so far.
I figure this setup eliminates the automated ssh exploits, which is the bulk
of it. This won't keep some enterprising cracker from scanning for the
actual port and then attempting exploits, but this should leave more evidence
to the effect.
my 2 cents,
Jeff Coppock Systems Engineer
Diggin' Debian Admin and User