On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb@xxxxxxxx> wrote:
Yes, my logs reflect about 100 attempts a day from various IP addresses. So far I have been sending complaints to the admin of the domains the attempts come from. I have received positive responses from a couple of them, since they were ISPs and do not condone this type of behavior. I generally grep the secure log file and send that to the admin of the domain. Of course, all of the "standard" lock down precautions have been taken on my server.
For those of us not so savvy, can you tell me where those logs are located and what they are named so I can see if I am experiencing the same? Also, what are the "standard" lock down precautions to be taken?
On my FC2 they are
/var/log/secure
/var/log/secure.1
/var/log/secure.2
/var/log/secure.3
/var/log/secure.4
The one with no extension being the most recent, and /var/log/secure.4 being the oldest.
"standard" lock down precautions would include setting up a firewall, disabling all unneeded services, limiting access by ssh only to users who need it (no root), and keeping your software up to date (watch the fedora-announce list, particularly for things marked with [SECURITY], and run yum update or equivalent often enough). You may want to install Tripwire, Snort, etc. to use as an IDS. chkrootkit comes in handy if you have a reason to suspect a break-in.
Just stuff off the top of my head, probably there's more.
Greets,
//Andro
--
Andrey Andreev
University of Helsinki, Dept. of Computer Science
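As an added example (not code from anyone in this thread), here is the kind of grep that Allan describes, written as a small POSIX sh script: it pulls the "Failed password" lines sshd writes to /var/log/secure, counts them per source IP, and extracts the lines for one IP so they can be pasted into an abuse complaint. The sample log lines are constructed to resemble FC2-era sshd/syslog output (sshd of that time logged unknown accounts as "illegal user"); the hostname, PIDs and addresses are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins in a /var/log/secure-style file.
# The sample lines below are constructed, not taken from any real server.

# Write constructed sample lines (FC2-era sshd wording) so this runs offline.
make_sample_log() {
    cat <<'EOF'
Oct 14 03:12:01 host sshd[1234]: Failed password for illegal user admin from 192.0.2.10 port 40101 ssh2
Oct 14 03:12:03 host sshd[1236]: Failed password for root from 192.0.2.10 port 40102 ssh2
Oct 14 03:12:05 host sshd[1238]: Failed password for illegal user test from 198.51.100.7 port 51002 ssh2
Oct 14 03:15:00 host sshd[1240]: Accepted publickey for arb from 203.0.113.5 port 60000 ssh2
Oct 14 03:16:44 host sshd[1242]: Failed password for illegal user guest from 192.0.2.10 port 40103 ssh2
EOF
}

# Count failed-password attempts per source IP, most frequent first.
# Usage: failed_logins_by_ip /var/log/secure /var/log/secure.1 ...
# -h keeps grep from prefixing file names when several logs are given.
failed_logins_by_ip() {
    grep -h 'sshd\[[0-9]*\]: Failed password' "$@" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Number of failed attempts from one IP (0 if it never appears).
# Usage: failed_count_for_ip 192.0.2.10 /var/log/secure*
failed_count_for_ip() {
    ip="$1"; shift
    failed_logins_by_ip "$@" \
      | awk -v ip="$ip" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# The raw log lines for one IP: what you would send to the abuse contact.
# Usage: lines_for_ip 192.0.2.10 /var/log/secure*
lines_for_ip() {
    ip="$1"; shift
    grep -h "Failed password .* from $ip port" "$@"
}

# Demo on the constructed sample; on a real box use /var/log/secure* instead.
SAMPLE="${TMPDIR:-/tmp}/secure.sample.$$"
make_sample_log > "$SAMPLE"
failed_logins_by_ip "$SAMPLE"
rm -f "$SAMPLE"
```

On the sample the summary prints three attempts from 192.0.2.10 and one from 198.51.100.7; the successful publickey login from 203.0.113.5 is not counted because only "Failed password" lines are selected. Newer OpenSSH releases say "invalid user" rather than "illegal user", but the "Failed password for ... from IP port" part the script keys on is the same, and reading from /var/log/secure.1 etc. as extra arguments covers the rotated files.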