Alert!!
Dale Sykora
dalen at czexan.net
Thu Sep 16 01:34:16 UTC 2004
Alexander Dalloz wrote:
> Am Do, den 16.09.2004 schrieb Ow Mun Heng um 2:50:
>
>
>>>To prevent the script kids from finding their target on my hosts running
>>>a publicly available sshd, I changed the listening default port from 22 to
>>>something different.
>>>Comment: this is no security setting,
>>
>>Security by obscurity.. :-)
>
>
> Yes. But you quoted me so unfortunately that one could have the idea I did
> the change for security. That is not the case. If you read my comment
> about this _fully_ you easily see that I never claimed that as a security
> change. I did it to get rid of these hack attempts in my logs. For the
> moment this is enough to stop the scripts. When they begin to really
> scan for the ports with SSH behind I will activate portknocking. Not
> because I have insecure passwords in use or do not keep both eyes on
> necessary security updates, but because I do not like to have to go
> through hundreds of log file lines each day caused by wannabe intruders.
>
> Sorry, I felt that was necessary to say that clearly. I do not vote for
> "security by obscurity" in any way. (Though your comment, Heng, has a
> smiley.)
>
>
>>Ow Mun Heng
>
>
> Alexander
Alexander,
I want to thank you for all your thoughtful participation on this list.
Your words of wisdom have helped me on numerous occasions. Do you know
of any SIPTO type program or script? SIPTO (which I just made up) means
Source IP Time Out (think child behavior deterrent). It would watch the
logs for admin defined bad behavior from a connecting IP and then
temporarily ban that IP (time-out via iptables) for 15 minutes or so
after 3 occurrences in a given time frame. For example, SME server adds
a denylog line to /var/log/messages when an external IP tries to connect
to a closed port. I would like something to watch this ('tail -f'?) and
add an iptables rule to drop all connections from this IP address for a
short time frame (extendable if other attempts are made). I would like
this to be generic enough to shut down access to zombies that try to
send viruses through my email server, or systems that think I run IIS and
look for cmd.com/etc... as well. Someone in the past mentioned an IDS,
but that seems CPU/network intensive. I simply want to watch the logs
and block the bad/zombie machines that tend to fill the logs.
Any suggestions?
Thanks,
Dale
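The "source IP time-out" Dale describes is straightforward to implement: count admin-defined bad events per source address, and once an address reaches the threshold inside the time window, insert an iptables DROP rule that is removed again after the time-out (and pushed further out if the host keeps trying). The script below is an added example written for this page, not something posted by Dale or anyone on the list, and not the SME Server's own tooling. The regexes, the log lines fed to them, the `SIPTO` chain name and the 3-hits-in-60-seconds / 15-minute numbers are all assumptions chosen for the example; the log formats are constructed and are not the exact SME Server, sshd or Apache formats, so adjust the patterns to your own logs. It runs in dry-run mode by default and only records the iptables commands it would issue.

```python
"""SIPTO (Source IP Time Out): watch log lines, count admin-defined bad events
per source IP, and after THRESHOLD hits within WINDOW seconds drop that IP
with iptables for BAN_SECONDS, extending the time-out if it keeps trying."""
import ipaddress
import re
import shlex
import subprocess
import sys
import time
from collections import defaultdict, deque

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Admin-defined bad behaviour. These patterns are constructed for this example
# (not the exact SME Server, sshd or Apache formats); edit them for your logs.
BAD_PATTERNS = [
    re.compile(r"denylog: .*SRC=" + IP + " "),                 # hit on a closed port
    re.compile(r"sshd\[\d+\]: Failed password .* from " + IP),  # ssh brute force
    re.compile("^" + IP + r" .*GET /[^ ]*cmd\.exe"),            # IIS worm probe
]

# Never time out these networks, so a sloppy pattern cannot lock you out.
ALLOW = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]


def match_bad(line):
    """Return the offending source IP if the line is 'bad behaviour', else None."""
    for pat in BAD_PATTERNS:
        m = pat.search(line)
        if m:
            ip = m.group("ip")
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                return None  # regex matched garbage like 999.1.1.1
            return None if any(addr in net for net in ALLOW) else ip
    return None


class Sipto:
    def __init__(self, threshold=3, window=60.0, ban_seconds=15 * 60,
                 chain="SIPTO", dry_run=True):
        self.threshold, self.window, self.ban_seconds = threshold, window, ban_seconds
        self.chain, self.dry_run = chain, dry_run
        self.hits = defaultdict(deque)  # ip -> timestamps of recent bad events
        self.bans = {}                  # ip -> time at which the DROP rule expires
        self.commands = []              # every iptables command issued (audit trail)

    def _iptables(self, *args):
        cmd = ["iptables", *args]
        self.commands.append(" ".join(shlex.quote(a) for a in cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def setup(self):
        """Own chain hooked into INPUT, so bans never touch the admin's rules."""
        self._iptables("-N", self.chain)
        self._iptables("-I", "INPUT", "-j", self.chain)

    def ban(self, ip, now):
        self.bans[ip] = now + self.ban_seconds
        if len(self.commands) and self._rule_present(ip):
            return "extended"  # already dropped, just push the expiry out
        self._iptables("-I", self.chain, "-s", ip, "-j", "DROP")
        return "banned"

    def _rule_present(self, ip):
        add = f"iptables -I {self.chain} -s {ip} -j DROP"
        rem = f"iptables -D {self.chain} -s {ip} -j DROP"
        return any(c == add for c in self.commands) and \
            self.commands[::-1].index(add) < (self.commands[::-1].index(rem)
                                              if rem in self.commands else len(self.commands))

    def expire(self, now):
        """Lift every time-out that has run its course; returns the released IPs."""
        released = [ip for ip, until in self.bans.items() if until <= now]
        for ip in released:
            self._iptables("-D", self.chain, "-s", ip, "-j", "DROP")
            del self.bans[ip]
            self.hits.pop(ip, None)
        return released

    def observe(self, line, now):
        """Feed one log line at wall-clock time `now` (seconds)."""
        self.expire(now)
        ip = match_bad(line)
        if ip is None:
            return None
        if ip in self.bans:
            return self.ban(ip, now)  # still misbehaving: extend the time-out
        q = self.hits[ip]
        q.append(now)
        while q and q[0] < now - self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return self.ban(ip, now)
        return "counted"


if __name__ == "__main__":  # tail -F /var/log/messages | python3 sipto.py [--run]
    s = Sipto(dry_run="--run" not in sys.argv)
    s.setup()
    for line in sys.stdin:
        r = s.observe(line.rstrip("\n"), time.time())
        if r in ("banned", "extended"):
            print(r, s.commands[-1], file=sys.stderr)
```

Two caveats worth keeping in mind. Once the DROP rule is in place, that host's packets never reach sshd or the mail server, so the only log lines it can still generate are for traffic the chain does not cover, which is what limits how often "extended" fires. And because bans are driven by text in a log file, anchor the patterns on fields the kernel or daemon writes itself (the `SRC=` of the kernel's denylog line, sshd's `from` field) rather than on anything a remote user controls, or a client can feed you log lines that get a third party's address timed out. The same watch-count-ban design is what later tools such as fail2ban implement.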