From: Mike Jackson
Subject: Re: Log files monitoring
Date: Thu, 5 May 2005 08:12:58 -0700
>> I have it watching /var/log/auth.log on my FreeBSD box and adding packet filter rules to block hosts that try to log in via SSH as root or test.
>> [...]
> I don't catch this... it's much more efficient to simply disable root logins from SSH: PermitRootLogin=off or use tcp wrappers :-)
root logins are already turned off, but bad attempts are still logged. tcpwrappers don't really work in this application because the people who would be connecting to the box via SSH don't necessarily have fixed IPs (or consistent netblocks). I noticed that a root login attempt is usually attempted at the start of a dictionary attack, so it stops them cold (and means I don't have to look at pages of failed logins in my report email every morning). I have a couple other swatch rules that look for other common dictionary attack usernames and block them. It's crude, but effective (meaning it does what I want).
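The auth.log watching described in this thread, written out as an added Python example (not Mike's swatch rules and not part of the original post). The sshd message formats, the RFC 5737 sample addresses and the pf table name `sshblock` are assumptions; check your own OpenSSH version's wording before relying on the patterns.

```python
import re

# Assumed sshd message formats for a FreeBSD /var/log/auth.log of that era;
# the exact wording varies between OpenSSH versions (e.g. "illegal user" vs
# "invalid user"), so verify against real log lines first.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
# With PermitRootLogin off, sshd logs a refusal rather than a failed password.
ROOT_REFUSED_RE = re.compile(
    r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines using RFC 5737 test addresses, not real log data.
SAMPLE_LOG = """\
May  5 07:55:12 gw sshd[812]: Failed password for root from 192.0.2.10 port 4321 ssh2
May  5 07:55:13 gw sshd[813]: Failed password for illegal user test from 192.0.2.11 port 4322 ssh2
May  5 07:55:14 gw sshd[814]: ROOT LOGIN REFUSED FROM 192.0.2.12
May  5 07:56:01 gw sshd[815]: Failed password for mike from 198.51.100.7 port 5000 ssh2
May  5 07:56:30 gw sshd[816]: Failed password for root from 198.51.100.8 port 5001 ssh2
"""


def offending_hosts(lines, trigger_users=("root", "test"), never_block=()):
    """Source IPs that tried one of the trigger usernames, minus any
    addresses on an allow list (so a typo from your own admin host cannot
    lock you out). A plain failed login by a normal user is not enough."""
    hosts = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m and m.group("user") in trigger_users:
            hosts.add(m.group("ip"))
            continue
        m = ROOT_REFUSED_RE.search(line)
        if m and "root" in trigger_users:
            hosts.add(m.group("ip"))
    return sorted(h for h in hosts if h not in set(never_block))


def pfctl_commands(hosts, table="sshblock"):
    """Commands to add each host to a pf table. Assumes pf.conf carries
    'table <sshblock> persist' and 'block in quick from <sshblock>'.
    Returned as strings rather than executed so this runs anywhere."""
    return [f"pfctl -t {table} -T add {ip}" for ip in hosts]


if __name__ == "__main__":
    for cmd in pfctl_commands(offending_hosts(SAMPLE_LOG.splitlines())):
        print(cmd)
```

Run it with the hosts your own admins connect from in `never_block`; the block list is meant to catch the root/test probes that start a dictionary attack, not every mistyped password.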