More SSH 'trolling'

Andrey Andreev andreev at cs.helsinki.fi
Thu Oct 14 14:18:07 UTC 2004


Greg Lobring wrote:
> On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb at rtsi.com> wrote:
> 
>>Yes my logs reflect about 100 attempts a day from various IP addresses.
>> So far I have been sending complaints to the admin of the domains the
>>attempts come from.  I have received positive responses from a couple of
>>them since they were ISPs and do not condone this type of behavior.  I
>>generally grep the secure log file and send that to the admin of the
>>domain.  Of course all of the "standard" lock down precautions have been
>>taken on my server.
> 
> 
> For those of us not so savvy, can you tell me where those logs are
> located and what they are named so I can see if I am experiencing the
> same? Also, what are the "standard" lock down precautions to be taken?
> 
On my FC2 they are

/var/log/secure
/var/log/secure.1
/var/log/secure.2
/var/log/secure.3
/var/log/secure.4

The one with no extension being the most recent, and /var/log/secure.4 
being the oldest.

"standard" lock down precautions would include setting up a firewall, 
disabling all unneeded services, limiting access by ssh only to users 
who need it (no root), and keeping your software up to date (watch the 
fedora-announce list, particularly for things marked with [SECURITY], 
and run yum update or equivalent often enough). You may want to install 
Tripwire, Snort, etc to use as an IDS. chkrootkit comes handy if you 
have a reason to suspect a breakin.

Just stuff off the top of my head, probably there's more.

Greets,

//Andro

-- 
Andrey Andreev
University of Helsinki
Dept. of Computer Science




More information about the users mailing list