
Re: masking out invalid root logins with logcheck?

> From: martin f krafft
> but somehow am not comfortable to just do it, which is why I am
> asking for opinions, advice, and feedback from you guys. Would you
> be able to think of reasons why I would *not* want to do that?

I came up against the same issue some time ago and decided to move my sshd to 
a non-standard port.  This dramatically reduced the number of log entries, 
and I see hardly any login attempts logged.  I also updated my snort rules 
with the new port.  This works for me.  I'm also considering setting up a 
specific iptables rule to log the ssh hits separately, but there aren't 
enough to bother with that so far.

I figure this setup eliminates the automated ssh exploits, which is the bulk 
of it.  This won't keep some enterprising cracker from scanning for the 
actual port and then attempting exploits, but this should leave more evidence 
to the effect.  

my 2 cents,

Jeff Coppock            Systems Engineer
Diggin' Debian          Admin and User
