[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: masking out invalid root logins with logcheck?

Hash: SHA1

Jeff Coppock wrote:
>> From: martin f krafft
>> but somehow am not comfortable to just do it, which is why I am
>> asking for opinions, advice, and feedback from you guys. Would you
>> be able to think of reasons why I would *not* want to do that?
> I came up against the same issue some time ago and decided to move my sshd to 
> a non-standard port.  This dramatically reduced the number of log entries, 
> and I see hardly any login attempts logged.  I also updated my snort rules 
> with the new port.  This works for me.  I'm also considering setting up a 
> specific iptables rule to log the ssh hits separately, but there aren't 
> enough to bother with that so far.
> I figure this setup eliminates the automated ssh exploits, which is the bulk 
> of it.  This won't keep someone enterprising cracker from scanning for the 
> actual port and then attempting exploits, but this should leave more evidence 
> to the effect.  

I disabled the ping service. Since most automated exploits check if the
IP is up-and-running by pinging it, this eliminates a lot of stress -
and it is not unusual in that all normal applications will run smoothly,
default settings (i.e. port, etc) will work.

my 2 cents :)

Máté Soós

Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Reply to: