More SSH 'trolling'
Wouter van Vliet
wouter.van.vliet at gmail.com
Thu Oct 14 14:32:58 UTC 2004
On Thu, 14 Oct 2004 17:18:07 +0300, Andrey Andreev
<andreev at cs.helsinki.fi> wrote:
> Greg Lobring wrote:
> > On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb at rtsi.com> wrote:
> >
> >>Yes my logs reflect about 100 attempts a day from various IP addresses.
> >> So far I have been sending complaints to the admin of the domains the
> >>attempts come from. I have received positive responses from a couple of
> >>them since they were ISPs and do not condone this type of behavior. I
> >>generally grep the secure log file and send that to the admin of the
> >>domain. Of course all of the "standard" lock down precautions have been
> >>taken on my server.
> >
> >
> > For those of us not so savvy, can you tell me where those logs are
> > located and what they are named so I can see if I am experiencing the
> > same? Also, what are the "standard" lock down precautions to be taken?
> >
> On my FC2 they are
>
> /var/log/secure
> /var/log/secure.1
> /var/log/secure.2
> /var/log/secure.3
> /var/log/secure.4
>
> The one with no extension being the most recent, and /var/log/secure.4
> being the oldest.
>
> "standard" lock down precautions would include setting up a firewall,
> disabling all unneeded services, limiting access by ssh only to users
> who need it (no root), and keeping your software up to date (watch the
> fedora-announce list, particularly for things marked with [SECURITY],
> and run yum update or equivalent often enough). You may want to install
> Tripwire, Snort, etc to use as an IDS. chkrootkit comes handy if you
> have a reason to suspect a breakin.
>
> Just stuff off the top of my head, probably there's more.
>
> Greets,
>
> //Andro
>
> --
As for limiting ssh access only to those who need it, how would that
be done and how can I restrict on IP and user? I've found this page
http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
which explains about allowing only certain users. It's cool. Now, what
would be the user/ip combi approach?
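The "grep the secure log file and send that to the admin" routine Allan describes, as an added example that is not code from any of the posters: a small POSIX shell script that takes /var/log/secure-style lines (the host name, addresses and user names below are constructed, not from the thread), counts failed sshd logins by source address and by attempted user name, and extracts the lines for one address so they can be attached to a complaint to that network's admin.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines in the OpenSSH format of the
# period ("illegal user" for accounts that do not exist). Not real log data.
SAMPLE_LOG='Oct 14 13:01:02 fc2box sshd[12345]: Failed password for illegal user test from 192.0.2.10 port 40210 ssh2
Oct 14 13:01:05 fc2box sshd[12347]: Failed password for root from 192.0.2.10 port 40211 ssh2
Oct 14 13:01:09 fc2box sshd[12349]: Failed password for root from 192.0.2.10 port 40212 ssh2
Oct 14 13:02:11 fc2box sshd[12350]: Failed password for illegal user guest from 198.51.100.7 port 3344 ssh2
Oct 14 13:05:30 fc2box sshd[12360]: Accepted password for wouter from 203.0.113.5 port 5001 ssh2
Oct 14 13:06:00 fc2box sshd[12361]: Failed password for illegal user admin from 198.51.100.7 port 3350 ssh2'

# failed_by_ip: read log lines on stdin, print "<count> <ip>" per source
# address, most active address first. Only sshd "Failed password" lines count;
# the "Accepted" line above is deliberately ignored.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# failed_by_user: same, keyed by the user name that was tried. The optional
# "illegal user " prefix is stripped so real and non-existent accounts are
# counted the same way.
failed_by_user() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.*Failed password for \(illegal user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# abuse_report: print the raw failed-login lines for one address, which is
# what you would paste into a complaint to that network's abuse contact.
# The address is used as a regex, so '.' matches any character; good enough
# for a report, but quote it if you need an exact match.
abuse_report() {
    ip="$1"
    grep "sshd\[[0-9]*\]: Failed password .* from $ip port"
}

# Stand-alone run on the constructed sample. In real use replace the printf
# with: cat /var/log/secure /var/log/secure.[1-4]
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
printf '%s\n' "$SAMPLE_LOG" | abuse_report 192.0.2.10
```

On the user/IP question at the end of the post: sshd_config(5) documents that an `AllowUsers` entry of the form `USER@HOST` checks the user name and the connecting host separately, so a line such as `AllowUsers wouter@203.0.113.5` (address constructed) admits that account only from that address while still denying everyone not listed.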