More SSH 'trolling'
Andrey Andreev
andreev at cs.helsinki.fi
Thu Oct 14 14:18:07 UTC 2004
Greg Lobring wrote:
> On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb at rtsi.com> wrote:
>
>>Yes my logs reflect about 100 attempts a day from various IP addresses.
>> So far I have been sending complaints to the admin of the domains the
>>attempts come from. I have received positive responses from a couple of
>>them since they were ISPs and do not condone this type of behavior. I
>>generally grep the secure log file and send that to the admin of the
>>domain. Of course all of the "standard" lock down precautions have been
>>taken on my server.
>
>
> For those of us not so savvy, can you tell me where those logs are
> located and what they are named so I can see if I am experiencing the
> same? Also, what are the "standard" lock down precautions to be taken?
>
On my FC2 they are
/var/log/secure
/var/log/secure.1
/var/log/secure.2
/var/log/secure.3
/var/log/secure.4
The one with no extension being the most recent, and /var/log/secure.4
being the oldest.
"standard" lock down precautions would include setting up a firewall,
disabling all unneeded services, limiting access by ssh only to users
who need it (no root), and keeping your software up to date (watch the
fedora-announce list, particularly for things marked with [SECURITY],
and run yum update or equivalent often enough). You may want to install
Tripwire, Snort, etc. to use as an IDS. chkrootkit comes in handy if you
have a reason to suspect a break-in.
Just stuff off the top of my head, probably there's more.
Greets,
//Andro
--
Andrey Andreev
University of Helsinki
Dept. of Computer Science
More information about the fedora-list mailing list
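The two things the thread above describes, grepping /var/log/secure for the failed SSH attempts to send to an abuse contact and locking sshd down to named users with no root, as an added POSIX shell example. This is not code from the fedora-list thread or from Fedora; the log lines and the two sshd_config fragments are constructed for the example, the function names are my own, and the script assumes the OpenSSH log wording of the period ("Failed password for ...", "Illegal user ..." or "Invalid user ...") and the OpenSSH rule that the first occurrence of a keyword in sshd_config wins, with PermitRootLogin defaulting to yes when unset.

```sh
#!/bin/sh
# Added example, not code from the fedora-list thread. It tallies "Failed
# password" lines in a /var/log/secure-style file per source address (the
# summary one would mail to an ISP abuse contact), pulls the evidence lines
# for one address, and checks an sshd_config for the "no root, only named
# users" lockdown. All sample data below is constructed for the example.

# Constructed sshd lines in the format OpenSSH writes to /var/log/secure.
# Older OpenSSH logs "Illegal user", newer releases "Invalid user"; the
# "::ffff:" prefix appears when sshd accepts IPv4 on an IPv6 socket.
sample_secure_log() {
cat <<'EOF'
Oct 14 03:12:44 box sshd[2231]: Illegal user test from 192.0.2.10
Oct 14 03:12:44 box sshd[2231]: Failed password for illegal user test from 192.0.2.10 port 4321 ssh2
Oct 14 03:12:48 box sshd[2233]: Failed password for illegal user guest from 192.0.2.10 port 4330 ssh2
Oct 14 03:13:01 box sshd[2235]: Failed password for root from ::ffff:198.51.100.7 port 2201 ssh2
Oct 14 03:13:05 box sshd[2236]: Failed password for root from ::ffff:198.51.100.7 port 2202 ssh2
Oct 14 03:13:09 box sshd[2237]: Failed password for root from ::ffff:198.51.100.7 port 2203 ssh2
Oct 14 09:41:17 box sshd[2410]: Accepted publickey for andro from 203.0.113.5 port 51022 ssh2
Oct 14 09:42:02 box sshd[2412]: Failed password for andro from 203.0.113.5 port 51030 ssh2
EOF
}

# Read log text on stdin; print "<count> <address>" for every address with
# failed password attempts, busiest first.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            sub(/^::ffff:/, "", ip)     # IPv4-mapped form -> plain dotted quad
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -rn
}

# Number of failed password attempts against root specifically.
root_login_attempts() {
    grep -c 'sshd\[[0-9]*\]: Failed password for root from' || true
}

# Print every sshd line involving one address: the evidence to paste into
# an abuse complaint. Dots in the address are escaped so they match literally.
lines_from_address() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "sshd\[[0-9]+\]:.* from (::ffff:)?$esc( |\$)"
}

# Constructed sshd_config fragments: the permissive default (PermitRootLogin
# only present as a comment) and the locked-down version.
weak_sshd_config() {
cat <<'EOF'
#PermitRootLogin yes
Protocol 2
EOF
}

locked_sshd_config() {
cat <<'EOF'
Protocol 2
PermitRootLogin no
AllowUsers andro arb
EOF
}

# Read an sshd_config on stdin and print the effective PermitRootLogin value
# and AllowUsers list. Comment lines are dropped; sshd honours the first
# occurrence of a keyword, so each awk exits after its first hit. An unset
# PermitRootLogin is reported as "yes", the OpenSSH default of the period.
sshd_lockdown_status() {
    cfg=$(grep -v '^[[:space:]]*#')
    root=$(printf '%s\n' "$cfg" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }')
    users=$(printf '%s\n' "$cfg" | awk 'tolower($1) == "allowusers" { $1 = ""; sub(/^ /, ""); print; exit }')
    printf 'PermitRootLogin=%s AllowUsers=%s\n' "${root:-yes}" "${users:-<unset>}"
}

# Stand-alone run against the constructed data.
sample_secure_log | failed_ssh_by_ip
sample_secure_log | lines_from_address 198.51.100.7
weak_sshd_config | sshd_lockdown_status
locked_sshd_config | sshd_lockdown_status
```

On a real FC2 box the rotated copies are plain text, so `cat /var/log/secure /var/log/secure.[1-4] | failed_ssh_by_ip` covers the whole retention window, and `lines_from_address <ip>` on the same input gives the lines to attach to the complaint. The address in these lines is taken from the TCP connection, so it is reliable for the report, but the machine behind it is very often itself compromised, which is why the ISP rather than the "attacker" is the right recipient.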