Alert!!

Dale Sykora dalen at czexan.net
Thu Sep 16 01:34:16 UTC 2004


Alexander Dalloz wrote:
> On Thu, 16.09.2004 at 2:50, Ow Mun Heng wrote:
> 
> 
>>>To prevent to let the script kids find their target on my hosts running
>>>a public available sshd, I changed the listening default port from 22 to
>>>something different.
>>>Comment: this is no security setting, 
>>
>>Security by obscurity.. :-)
> 
> 
> Yes. But you quoted me so unfortunately that one could have the idea I did
> the change for security. That is not the case. If you read my comment
> about this _fully_ you easily see that I never claimed that was a security
> change. I did it to get rid of these hack attempts in my logs. For the
> moment this is enough to stop the scripts. When they begin to really
> scan for the ports with SSH behind I will activate portknocking. Not
> because I have insecure passwords in use or do not keep both eyes on
> necessary security updates, but because I do not like to have to go each
> day to hundreds of log file lines caused by wannabee intruders.
> 
> Sorry, I felt that was necessary to say that clearly. I do not vote for
> "security by obscurity" in any way. (Though your comment, Heng, has a
> smiley.)
> 
> 
>>Ow Mun Heng
> 
> 
> Alexander

Alexander,
	I want to thank you for all your thoughtful participation on this list. 
Your words of wisdom have helped me on numerous occasions.  Do you know 
of any SIPTO type program or script?  SIPTO (which I just made up) means 
Source IP Time Out (think child behavior deterrent).  It would watch the 
logs for admin defined bad behavior from a connecting IP and then 
temporarily ban that IP (time-out via iptables) for 15 minutes or so 
after 3 occurrences in a given time frame.  For example, SME server adds 
a denylog line to /var/log/messages when an external IP tries to connect 
to a closed port.  I would like something to watch this 'tail -f?' and 
add an iptables rule to drop all connections from this IP address for a 
short time frame (extendible if other attempts are made).  I would like 
this to be generic enough to shut down access to zombies that try and 
send viruses thru my email server, or systems that think I run IIS and 
look for cmd.com/etc... as well.  Someone in the past mentioned an IDS, 
but that seems CPU/network intensive.  I simply want to watch the logs 
and block the bad/zombie machines that tend to fill the logs.
Any suggestions?

Thanks,

Dale
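The "SIPTO" watcher Dale describes, written out as an added Python example (not code from this thread, from SME Server or from any existing tool): follow a log like `tail -f`, count denied connections per source IP inside a sliding window, and after 3 hits insert an iptables DROP rule that is removed again after 15 minutes, with repeat offenders getting a longer time-out. The `denylog:` line layout, the 60-second window, the class and function names and the sample log lines are all assumptions constructed for the example; the real SME Server log format may differ, so the regex is the part to adapt.

```python
import os
import re
import subprocess
import sys
import time
from collections import defaultdict, deque

# Assumed log format: an iptables LOG rule with prefix "denylog:" writing to
# /var/log/messages. The real SME Server layout may differ; adjust this regex.
DENYLOG_RE = re.compile(r"denylog:.*\bSRC=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


class SourceIpTimeout:
    """Ban a source IP for a while after too many denied connections."""

    def __init__(self, threshold=3, window=60, ban_seconds=900,
                 allow=(), run=None, now=None):
        self.threshold = threshold          # hits needed inside the window
        self.window = window                # seconds the hits must fall within
        self.ban_seconds = ban_seconds      # first ban length (15 minutes)
        self.allow = set(allow)             # addresses that are never banned
        self.run = run or self._iptables    # command runner (swappable in tests)
        self.now = now or time.time         # clock (swappable in tests)
        self.hits = defaultdict(deque)      # ip -> timestamps of recent hits
        self.bans = {}                      # ip -> time the ban expires
        self.strikes = defaultdict(int)     # ip -> number of bans so far

    @staticmethod
    def _iptables(args):
        subprocess.run(["iptables", *args], check=True)

    def feed(self, line):
        """Consume one log line; report what happened to its source IP, if any."""
        m = DENYLOG_RE.search(line)
        if not m:
            return None
        ip, t = m.group("ip"), self.now()
        self.expire(t)
        if ip in self.allow:
            return "allowed"
        if ip in self.bans:
            # Only reached if a LOG rule precedes our DROP rule; push the expiry out.
            self.bans[ip] = max(self.bans[ip], t) + self.ban_seconds
            return "extended"
        q = self.hits[ip]
        q.append(t)
        while q and t - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.ban(ip, t)
            return "banned"
        return "counted"

    def ban(self, ip, t):
        """Insert a DROP rule at the top of INPUT; each repeat ban doubles the time."""
        self.strikes[ip] += 1
        self.run(["-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.bans[ip] = t + self.ban_seconds * 2 ** (self.strikes[ip] - 1)
        self.hits.pop(ip, None)

    def expire(self, t):
        """Remove DROP rules whose time-out has passed."""
        for ip in [ip for ip, expiry in self.bans.items() if t >= expiry]:
            self.run(["-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.bans[ip]

    def banned(self):
        return sorted(self.bans)


def follow(path, poll=1.0):
    """Like `tail -f`: yield new lines, or None when idle (no rotation handling)."""
    with open(path) as f:
        f.seek(0, os.SEEK_END)
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)
                yield None


# Constructed sample: (seconds after start, log line). Not real captured data.
SAMPLE_LOG = [
    (0, "Sep 16 01:30:00 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135"),
    (5, "Sep 16 01:30:05 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445"),
    (7, "Sep 16 01:30:07 host sshd[123]: Accepted publickey for dale from 198.51.100.4 port 50000"),
    (10, "Sep 16 01:30:10 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=1433"),
    (20, "Sep 16 01:30:20 host kernel: denylog: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=135"),
    (1000, "Sep 16 01:46:40 host kernel: denylog: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=135"),
    (1010, "Sep 16 01:46:50 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=135"),
    (1015, "Sep 16 01:46:55 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445"),
    (1020, "Sep 16 01:47:00 host kernel: denylog: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=1433"),
]


def demo():
    """Replay SAMPLE_LOG with a fake clock and a runner that only records commands."""
    clock, commands = [1000.0], []
    sipto = SourceIpTimeout(run=commands.append, now=lambda: clock[0])
    results = []
    for offset, line in SAMPLE_LOG:
        clock[0] = 1000.0 + offset
        results.append(sipto.feed(line))
    return results, commands, sipto


if __name__ == "__main__":
    if sys.argv[1:] != ["--live"]:
        print(demo()[0])   # dry run over the constructed sample
    else:                  # live: needs root and a real /var/log/messages
        sipto = SourceIpTimeout(allow={"198.51.100.4"})   # keep your own admin IP out
        for line in follow("/var/log/messages"):
            if line is not None:
                sipto.feed(line)
            sipto.expire(time.time())
```

Two design points worth noting. The DROP rule is inserted at the top of INPUT, so a banned host stops producing denylog lines and cannot keep "re-offending" its way to a longer ban while blocked; the escalation applies only when it comes back after release. The ban table lives in memory, so if the watcher dies its DROP rules stay behind until someone flushes them, and because the trigger is a logged source address, an allowlist for your own management addresses matters before trusting this on a box you reach over the network. This is the same log-watch-and-ban pattern that tools such as fail2ban implement.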





More information about the fedora-list mailing list