Re: More SSH 'trolling'

Greg Lobring wrote:
> On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb@xxxxxxxx> wrote:
>
> > Yes my logs reflect about 100 attempts a day from various IP addresses.
> > So far I have been sending complaints to the admin of the domains the
> > attempts come from.  I have received positive responses from a couple of
> > them since they were ISPs and do not condone this type of behavior.  I
> > generally grep the secure log file and send that to the admin of the
> > domain.  Of course all of the "standard" lock down precautions have been
> > taken on my server.
>
> For those of us not so savvy, can you tell me where those logs are
> located and what they are named so I can see if I am experiencing the
> same? Also, what are the "standard" lock down precautions to be taken?

On my FC2 they are

/var/log/secure
/var/log/secure.1
/var/log/secure.2
/var/log/secure.3
/var/log/secure.4

The one with no extension being the most recent, and /var/log/secure.4 being the oldest.

"standard" lock down precautions would include setting up a firewall, disabling all unneeded services, limiting access by ssh only to users who need it (no root), and keeping your software up to date (watch the fedora-announce list, particularly for things marked with [SECURITY], and run yum update or equivalent often enough). You may want to install Tripwire, Snort, etc. to use as an IDS. chkrootkit comes in handy if you have a reason to suspect a break-in.

Just stuff off the top of my head, probably there's more.

Greets,

//Andro

--
Andrey Andreev
University of Helsinki
Dept. of Computer Science
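
The grep of the secure log described in this thread, as an added example that is not part of the original messages: it counts failed sshd password attempts per source address and shows how many targeted root or an unknown account. The log line layout and the sample lines are assumptions, constructed here with documentation addresses, and `failed_by_source` and `sample_log` are names made up for this example.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source address.

# Constructed sample lines in the assumed sshd syslog format; the
# addresses are from the reserved documentation ranges.
sample_log() {
cat <<'EOF'
Oct 14 03:11:02 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Oct 14 03:11:05 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Oct 14 03:11:09 host sshd[2105]: Failed password for root from 192.0.2.10 port 40120 ssh2
Oct 14 07:45:30 host sshd[2290]: Accepted password for alice from 198.51.100.7 port 51234 ssh2
Oct 14 09:02:14 host sshd[2331]: Failed password for invalid user admin from 203.0.113.5 port 33901 ssh2
Oct 14 09:02:17 host sshd[2333]: Failed password for root from 203.0.113.5 port 33907 ssh2
EOF
}

# failed_by_source [FILE...]
# Prints "count address root=N unknown=N", busiest source first.
# Reads standard input when no file is given.
failed_by_source() {
    awk '
    # Fields are matched by position, and the address is taken relative
    # to the END of the line, because the user name in the middle of the
    # line is chosen by the remote client.
    $5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" && $8 == "for" &&
    $(NF-4) == "from" {
        ip = $(NF-3)
        total[ip]++
        if ($9 == "root" && $10 == "from")
            root[ip]++          # attempt against the root account
        else if (($9 == "illegal" || $9 == "invalid") && $10 == "user")
            unknown[ip]++       # account that does not exist locally
    }
    END {
        for (ip in total)
            printf "%d %s root=%d unknown=%d\n",
                   total[ip], ip, root[ip], unknown[ip]
    }' "$@" | sort -k1,1nr -k2,2
}

# With file arguments, summarize those logs; otherwise use the sample.
if [ "$#" -gt 0 ]; then
    failed_by_source "$@"
else
    sample_log | failed_by_source
fi
```

Passing /var/log/secure and its rotated copies as arguments summarizes the real logs; reading them normally requires root.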

