Re: masking out invalid root logins with logcheck?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jeff Coppock wrote:
>> From: martin f krafft
>>
>> but somehow am not comfortable to just do it, which is why I am
>> asking for opinions, advice, and feedback from you guys. Would you
>> be able to think of reasons why I would *not* want to do that?
>
> I came up against the same issue some time ago and decided to move my sshd to
> a non-standard port. This dramatically reduced the number of log entries,
> and I see hardly any login attempts logged. I also updated my snort rules
> with the new port. This works for me. I'm also considering setting up a
> specific iptables rule to log the ssh hits separately, but there aren't
> enough to bother with that so far.
>
> I figure this setup eliminates the automated ssh exploits, which is the bulk
> of it. This won't keep someone enterprising cracker from scanning for the
> actual port and then attempting exploits, but this should leave more evidence
> to the effect.
I disabled the ping service. Since most automated exploits check if the
IP is up-and-running by pinging it, this eliminates a lot of stress -
and it is not unusual in that all normal applications will run smoothly,
default settings (i.e. port, etc) will work.
my 2 cents :)
Máté Soós
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEXwMMuXopCweTRxMRAvy/AJ9S171CgRGdIgZIdkFB6Y5sgu3M/QCfX1TX
E4dmKi8C7ATbLIBHSURDcec=
=njsT
-----END PGP SIGNATURE-----
Reply to: