auth.log showing attempted access
Felipe Figueiredo
philsf79 at gmail.com
Wed Aug 15 15:47:53 UTC 2007
On Wednesday 15 August 2007 10:29:19 Miano, Steven M. wrote:
> Unfortunately this is part of being connected to the internet. The
> suggestions already given are a great start. I too use fail2ban, as well as
> iptables, and moved the port from 22 to 2222. They can still scan and find
> your ssh ports though - however, it will dramatically reduce the amount of
> knocks you're receiving on that box. I would definitely double check and make
> sure that you have only the required shell accounts listed in your allow
> file, and root disabled as a login through ssh.
>
> Best of luck mate!
Second that. What I also did for my home computer (as well as fail2ban) was
to only allow ssh key authentication, and lock the login availability to a
couple of users. This way I'm pretty much secure, as long as I can trust the
remote servers where my keys are stored. Since I do trust them (I alone am
their admin) I also enable ssh-agent and disable the known_hosts hashing, so I
can bash-auto-complete hostnames and only type the passphrase once. Security
and practicality.

Concerning the other question, I usually email the abuse addresses available
in whois queries, but don't usually get replies. Good luck. I decided to
blacklist ISPs' IP ranges (also available in the whois query) when I don't
get answers and attempts get repetitive. I automated this process with a
separate script that loads the IPs/ranges into a particular chain in iptables,
and flushes it frequently and re-adds everything, without disrupting the
ordinary rules. It's easy and functional, so I recommend you do the same.

Also, take a look at fwlogwatch and other NIDSs that can create block rules
based on network activity, together with fail2ban, which blocks based on log
activity.
regards
FF
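The two defensive measures described above (a dedicated iptables chain that is flushed and repopulated from a blocklist without touching the ordinary rules, and an sshd configuration that allows key-only logins for a short list of users with root disabled) as one added example. This is illustrative code written for this page, not Felipe's script or anything from the thread. The chain name BLOCKLIST, the list file path /etc/blocklist.txt and the `IPT` variable (set it to `echo` for a dry run) are assumptions; the iptables `-C` check option is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original thread. Two defender helpers:
#   refresh_chain      - rebuild a dedicated iptables chain from a blocklist file
#   check_sshd_config  - audit sshd_config for key-only, non-root, limited-user login
# Hypothetical names: chain BLOCKLIST, list file /etc/blocklist.txt.

CHAIN="${CHAIN:-BLOCKLIST}"
LISTFILE="${LISTFILE:-/etc/blocklist.txt}"
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them

# Accept only IPv4 addresses or CIDR ranges, one per line, so a stray line in
# the list file cannot turn into an unintended iptables argument.
is_ipv4_or_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print cleaned entries from the list file: comments and whitespace stripped,
# blank lines dropped, invalid entries reported on stderr and skipped.
read_entries() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    if is_ipv4_or_cidr "$line"; then
      printf '%s\n' "$line"
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
}

# Rebuild only our own chain. INPUT keeps its ordinary rules; the single jump
# into the chain is inserted once and never duplicated (the -C check).
refresh_chain() {
  $IPT -N "$CHAIN" 2>/dev/null || true
  $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT 1 -j "$CHAIN"
  $IPT -F "$CHAIN"
  read_entries "$LISTFILE" | while IFS= read -r entry; do
    $IPT -A "$CHAIN" -s "$entry" -j DROP
  done
  $IPT -A "$CHAIN" -j RETURN
}

# Effective value of an sshd_config keyword: sshd uses the first
# uncommented occurrence, keywords are case-insensitive.
sshd_value() {
  grep -i "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z'
}

# Report settings that differ from the hardened baseline. Defaults are not
# trusted: each keyword must be set explicitly. Returns 1 if anything is off.
check_sshd_config() {
  cfg="$1"; rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$key" "$cfg")
    if [ "$got" != "$want" ]; then
      echo "$key is '${got:-unset}', expected $want"; rc=1
    fi
  done
  [ -n "$(sshd_value AllowUsers "$cfg")" ] || { echo "AllowUsers is not set"; rc=1; }
  return $rc
}

# Usage: sh blocklist.sh run        (e.g. from cron, to refresh the chain)
#        sh blocklist.sh audit /etc/ssh/sshd_config
case "${1:-}" in
  run)   refresh_chain ;;
  audit) check_sshd_config "${2:-/etc/ssh/sshd_config}" ;;
esac
```

Because the jump from INPUT into the chain is inserted once and only the chain itself is flushed, re-running the script leaves any rules already in INPUT untouched, which is the property the post relies on; the audit function checks for explicit settings rather than relying on sshd's defaults, since those have changed between releases.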