On Monday 16 July 2007 18:00, joe wrote:
Richard Creighton wrote:
Just about every day, often several times a day, my logs include hours of log entries that look like this:
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
<snip>
My question is what, if any, firewall rule could I write that could detect such attacks and automatically shut down forwarding packets from the offending node or domain? That would give me an additional layer of defense as well as freeing up a significant amount of log file space.
I prefer a more simple approach. Rather than adding more firewall rules, I set the sshd allowed_users parameter to the 2 accounts that actually have a reason to log in, and I also limit the IP addresses which will accept an ssh connection using tcp wrappers (hosts.allow, hosts.deny).
Joe
Hi Joe,
quote: "sshd allowed_users parameter to the 2 accounts"
In what file do you do that? Would that be an additional line in /etc/ssh/sshd_config, 'cause I can't seem to find an empty line like that in my system?
--
Best regards
Verner Kjærsgaard
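A sketch of the detection Richard asks about, feeding the tcp wrappers mechanism Joe mentions (an added example, not code from any poster in this thread): it counts "Invalid user" lines per source address and produces hosts.deny entries for sources at or above a threshold. The function names, the threshold and every log line except the first are constructed for illustration, and it assumes an sshd built with tcp wrappers support.

```python
import ipaddress
import re
from collections import Counter

# The user name is chosen by the client and may itself contain " from <ip>",
# so match it greedily and take the address from the END of the line.
# The optional " port N" suffix is what newer OpenSSH releases append.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?\s*$"
)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Jul 16 00:35:25 raid5 sshd[6966]: Invalid user admin from 83.18.244.42
Jul 16 00:35:28 raid5 sshd[6968]: Invalid user test from 83.18.244.42
Jul 16 00:35:31 raid5 sshd[6970]: Invalid user guest from 83.18.244.42
Jul 16 00:41:02 raid5 sshd[7011]: Invalid user oracle from 192.0.2.77 port 51234
Jul 16 00:50:10 raid5 sshd[7050]: Accepted publickey for joe from 198.51.100.9 port 40022 ssh2
Jul 16 00:52:44 raid5 sshd[7061]: Invalid user x from 203.0.113.5 from 192.0.2.77
"""

def failed_sources(log_text):
    """Count 'Invalid user' attempts per connecting IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = INVALID_USER.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            continue
        counts[str(ip)] += 1
    return counts

def hosts_deny_entries(counts, threshold=3, never_block=()):
    """Return hosts.deny lines ('sshd: <ip>') for sources at or above threshold.

    never_block lists addresses (your own admin hosts) that must not be denied.
    """
    keep = {str(ipaddress.ip_address(addr)) for addr in never_block}
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in keep]

if __name__ == "__main__":
    for entry in hosts_deny_entries(failed_sources(SAMPLE_LOG)):
        print(entry)
```

Review the generated entries before appending them to /etc/hosts.deny, and keep the addresses you administer from in never_block so a typo-ridden login session cannot lock you out.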