Re: Alert!!


 



Alexander Dalloz wrote:
On Thu, 16.09.2004 at 2:50, Ow Mun Heng wrote:


To keep the script kids from finding their target on my hosts running
a publicly available sshd, I changed the listening default port from 22 to
something different.
Comment: this is no security setting,

Security by obscurity... :-)


Yes. But you quoted me so unfortunately that one could get the idea I made
the change for security. That is not the case. If you read my comment
about this _fully_ you easily see that I never claimed that to be a security
change. I did it to get rid of these hack attempts in my logs. For the
moment this is enough to stop the scripts. When they begin to really
scan for the ports with SSH behind them I will activate port knocking. Not
because I have insecure passwords in use or do not keep both eyes on
necessary security updates, but because I do not like to have to go each
day through hundreds of log file lines caused by wannabe intruders.

Sorry, I felt it was necessary to say that clearly. I do not vote for
"security by obscurity" in any way. (Though your comment, Heng, has a
smiley.)


Ow Mun Heng


Alexander

Alexander,

I want to thank you for all your thoughtful participation on this list. Your words of wisdom have helped me on numerous occasions.

Do you know of any SIPTO type program or script? SIPTO (which I just made up) means Source IP Time Out (think child behavior deterrent). It would watch the logs for admin-defined bad behavior from a connecting IP and then temporarily ban that IP (time-out via iptables) for 15 minutes or so after 3 occurrences in a given time frame. For example, SME server adds a denylog line to /var/log/messages when an external IP tries to connect to a closed port. I would like something to watch this ('tail -f'?) and add an iptables rule to drop all connections from this IP address for a short time frame (extendible if other attempts are made).

I would like this to be generic enough to shut down access to zombies that try to send viruses through my email server, or systems that think I run IIS and look for cmd.com/etc... as well. Someone in the past mentioned an IDS, but that seems CPU/network intensive. I simply want to watch the logs and block the bad/zombie machines that tend to fill the logs.

Any suggestions?


Thanks,

Dale
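The "SIPTO" behaviour Dale describes (count denylog lines per source IP, ban the IP with a temporary iptables DROP rule after 3 hits in a window, lift it after about 15 minutes, extend it on further hits) is small enough to sketch. The script below is an added example for this thread, not code from any list member or from SME server. It assumes the denylog line carries a netfilter-LOG style `SRC=<ipv4>` field (adjust `DENY_RE` to the real prefix), and the log lines in `demo()` are constructed; the demo records the iptables arguments it would have run instead of executing them.

```python
import re
import subprocess
import time
from collections import defaultdict, deque

# Assumed log format: a line tagged "denylog" carrying a netfilter LOG style
# SRC=<ipv4> field. Adjust the pattern to the real prefix on your host.
DENY_RE = re.compile(r"denylog.*\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


class Sipto:
    """Source IP Time Out: count denylog hits per source IP inside a sliding
    window and add a temporary iptables DROP rule once the threshold is hit."""

    def __init__(self, threshold=3, window=60, ban_seconds=900, runner=None):
        self.threshold = threshold        # hits before a ban
        self.window = window              # seconds the hits must fall within
        self.ban_seconds = ban_seconds    # length of the time-out
        self.runner = runner or self._iptables
        self.hits = defaultdict(deque)    # ip -> timestamps of recent hits
        self.banned = {}                  # ip -> unix time the ban expires

    @staticmethod
    def _iptables(args):
        # Real enforcement: needs root. The demo swaps this for a recorder.
        subprocess.run(["iptables", *args], check=True)

    def observe(self, line, now):
        """Feed one log line; returns the IP if this line triggered a ban."""
        self.expire(now)
        m = DENY_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.banned:
            # Still misbehaving while in time-out: extend the ban from now.
            self.banned[ip] = now + self.ban_seconds
            return None
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                   # forget hits outside the window
        if len(q) >= self.threshold:
            self.runner(["-I", "INPUT", "-s", ip, "-j", "DROP"])
            self.banned[ip] = now + self.ban_seconds
            del self.hits[ip]
            return ip
        return None

    def expire(self, now):
        """Lift bans whose time-out has elapsed (removes the matching rule)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                self.runner(["-D", "INPUT", "-s", ip, "-j", "DROP"])
                del self.banned[ip]


def demo():
    """Run the ban logic over constructed log lines with a fake clock and a
    recording runner instead of iptables; returns (commands, ban decisions)."""
    commands = []
    s = Sipto(threshold=3, window=60, ban_seconds=900, runner=commands.append)
    tpl = ("Sep 16 02:50:%02d sme kernel: denylog:IN=eth0 SRC=%s "
           "DST=203.0.113.5 PROTO=TCP DPT=%d")
    events = [   # (fake unix time, constructed line)
        (0,    tpl % (1, "192.0.2.10", 135)),
        (5,    tpl % (6, "192.0.2.10", 445)),
        (9,    tpl % (10, "198.51.100.7", 22)),
        (12,   tpl % (13, "192.0.2.10", 1433)),   # third hit in 60 s -> ban
        (20,   tpl % (21, "192.0.2.10", 80)),     # already banned -> extend
        (1000, tpl % (40, "198.51.100.7", 22)),   # ban expired; old hit pruned
    ]
    decisions = [s.observe(line, now) for now, line in events]
    return commands, decisions


def follow(path="/var/log/messages"):
    """Tail the log forever (like tail -f) and enforce time-outs for real."""
    s = Sipto()
    with open(path) as fh:
        fh.seek(0, 2)                     # start at the current end of file
        while True:
            line = fh.readline()
            if not line:
                s.expire(time.time())     # keep lifting bans while idle
                time.sleep(1)
                continue
            s.observe(line, time.time())


if __name__ == "__main__":
    cmds, decided = demo()
    for c in cmds:
        print("iptables", " ".join(c))
    print(decided)
```

Two things to settle before running `follow()` on a real box: the DROP rule is inserted at the top of INPUT, so if it lands ahead of the rule that writes the denylog line, a banned host produces no further log lines and the "extend" path never fires (log before dropping if you want extensions); and because any log line can trigger a ban, exempt your own and your upstream addresses in `observe()` so a spoofed or misattributed source cannot lock you out of your own host.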


