More SSH 'trolling'

[Wouter van Vliet]

On Thu, 14 Oct 2004 17:18:07 +0300, Andrey Andreev
<andreev at cs.helsinki.fi> wrote:
> Greg Lobring wrote:
> > On Thu, 14 Oct 2004 08:33:34 -0500, Allan R. Batteiger <arb at rtsi.com> wrote:
> >
> >>Yes my logs reflect about 100 attempts a day from various IP addresses.
> >> So far I have been sending complaints to the admin of the domains the
> >>attempts come from.  I have received positive responses from a couple of
> >>them since they were ISPs and do not condone this type of behavior.  I
> >>generally grep the secure log file and send that to the admin of the
> >>domain.  Of course all of the "standard" lock down precautions have been
> >>taken on my server.
> >
> >
> > For those of us not so savvy, can you tell me where those logs are
> > located and what they are named so I can see if I am experiencing the
> > same? Also, what are the "standard" lock down precautions to be taken?
> > 
> On my FC2 they are
> 
> /var/log/secure
> /var/log/secure.1
> /var/log/secure.2
> /var/log/secure.3
> /var/log/secure.4
> 
> The one with no extension being the most recent, and /var/log/secure.4
> being the oldest.
> 
> "standard" lock down precautions would include setting up a firewall,
> disabling all unneeded services, limiting access by ssh only to users
> who need it (no root), and keeping your software up to date (watch the
> fedora-announce list, particularly for things marked with [SECURITY],
> and run yum update or equivalent often enough). You may want to install
> Tripwire, Snort, etc to use as an IDS. chkrootkit comes handy if you
> have a reason to suspect a breakin.
> 
> Just stuff off the top of my head, probably there's more.
> 
> Greets,
> 
> //Andro
> 
> --

As for limiting ssh access only to those who need it, how would that
be done and how can I restrict on IP and user? I've found this page
http://doc.trustix.org/cgi-bin/trustixdoc.cgi?Restrict_SSH_Per_User
which explains about allowing only certain users. It's cool. Now, what
would be the user/ip combi approach?