On Thu, 14 Oct 2004 17:18:07 +0300, Andrey Andreev <andreev@xxxxxxxxxxxxxx> wrote:
> Greg Lobring wrote:
> > On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb@xxxxxxxx> wrote:
> >
> >>Yes my logs reflect about 100 attempts a day from various IP addresses.
> >> So far I have been sending complaints to the admin of the domains the
> >>attempts come from. I have received positive responses from a couple of
> >>them since they were ISPs and do not condone this type of behavior. I
> >>generally grep the secure log file and send that to the admin of the
> >>domain. Of course all of the "standard" lock down precautions have been
> >>taken on my server.
> >
> >
> > For those of us not so savvy, can you tell me where those logs are
> > located and what they are named so I can see if I am experiencing the
> > same? Also, what are the "standard" lock down precautions to be taken?
> >
> On my FC2 they are
>
> /var/log/secure
> /var/log/secure.1
> /var/log/secure.2
> /var/log/secure.3
> /var/log/secure.4
>
> The one with no extension being the most recent, and /var/log/secure.4
> being the oldest.
>
> "standard" lock down precautions would include setting up a firewall,
> disabling all unneeded services, limiting access by ssh only to users
> who need it (no root), and keeping your software up to date (watch the
> fedora-announce list, particularly for things marked with [SECURITY],
> and run yum update or equivalent often enough). You may want to install
> Tripwire, Snort, etc. to use as an IDS. chkrootkit comes in handy if you
> have a reason to suspect a break-in.
>
> Just stuff off the top of my head, probably there's more.
>
> Greets,
>
> //Andro
>
> --

As for limiting ssh access only to those who need it, how would that
be done and how can I restrict on IP and user? I've found this page
http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
which explains about allowing only certain users. It's cool. Now, what
would be the user/ip combi approach?
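
The log review mentioned in the quoted messages (grepping /var/log/secure for the login attempts before reporting them), as an added example that is not part of the original thread. The function names and the sample log lines are constructed for illustration; the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts per source address.

# Constructed sample in the sshd syslog format (RFC 5737 addresses, not real hosts).
sample_log() {
cat <<'EOF'
Oct 14 03:12:01 host sshd[1201]: Failed password for illegal user test from 192.0.2.10 port 4321 ssh2
Oct 14 03:12:04 host sshd[1202]: Failed password for illegal user guest from 192.0.2.10 port 4325 ssh2
Oct 14 03:12:09 host sshd[1203]: Failed password for root from 192.0.2.10 port 4330 ssh2
Oct 14 07:40:12 host sshd[1310]: Accepted password for allan from 198.51.100.7 port 2201 ssh2
Oct 14 09:02:55 host sshd[1402]: Failed password for invalid user admin from 203.0.113.44 port 5150 ssh2
Oct 14 09:03:01 host su(pam_unix)[1410]: session opened for user root by allan(uid=500)
EOF
}

# failed_by_ip [FILE...]: print "COUNT ADDRESS USERS", busiest source first.
# With no FILE it reads standard input.
failed_by_ip() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / {
        # Scan from the end for "from": the user name is chosen by the
        # remote side and could itself contain the word "from".
        for (i = NF; i > 0; i--) if ($i == "from") break
        if (i == 0 || i == NF) next
        ip = $(i + 1); user = $(i - 1)
        count[ip]++
        # Record each attempted user name once per address, in first-seen order.
        if (!seen[ip, user]++)
            users[ip] = users[ip] (users[ip] == "" ? "" : ",") user
    }
    END { for (ip in count) print count[ip], ip, users[ip] }
    ' "$@" | sort -k1,1nr -k2,2
}

# Run on the constructed sample; on a real host, pass the log files instead,
# e.g. failed_by_ip /var/log/secure /var/log/secure.1
sample_log | failed_by_ip
```

The per-address summary is the material to attach to an abuse report, and the same list shows which sources a firewall rule or an sshd access restriction would need to cover.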