On Sunday 07 November 2004 07:16 am, Gary Nichols wrote:
> Brian,
>
> Is there a reason that you have to run ssh on the default port of 22?
> I haven't run ssh on port 22 in years due to all the menacing kiddies
> out there with their scripts.
> I know this doesn't answer your question, but just a suggestion.

Yes, I frequently travel to and work from client companies with very
restrictive outbound firewalls. Port 22 (and port 8080) are (usually) open
on those firewalls, so my servers listen for ssh connections on those ports.

ssh on my machines is also configured to only allow key-based authentication,
only certain users are allowed to ssh into my boxen remotely from external
IPs, etc., so this script is *not* really a threat to me.

I just want to shut it down before it totally litters my logs, if possible,
and also perhaps help out people who don't have sshd as locked down as I do.

The Gentoo forum thread here:
http://forums.gentoo.org/viewtopic.php?t=210585
and here:
http://forums.gentoo.org/viewtopic.php?t=210585&postdays=0&postorder=asc&start=36
talks about using iptables to detect port scans, which is what I use
portsentry for. However, in most cases this script isn't doing a port scan,
just attacking on port 22.

> On Nov 7, 2004, at 6:10 AM, Brian G. Peterson wrote:
> > Can anyone help me out with a simple log scanning script that could
> > detect the 'illegal user xxx' strings in /var/log/secure and issue the
> > "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut
> > these addresses down.

Regards,

- Brian

--
gentoo-security@g.o mailing list
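
The log scanner requested in the quoted message, written here as an added example that is not part of the original thread. The sshd line formats and the sample log lines are constructed assumptions; the names offenders and drop_rules, the threshold and the allowlist are hypothetical. It builds the iptables commands without running them.

```python
import ipaddress
import re
from collections import Counter

# Assumed sshd message shapes (constructed, modelled on the 'illegal user xxx'
# strings the message mentions). The address is anchored at end of line so a
# crafted username containing " from 1.2.3.4" cannot choose who gets blocked.
PATTERN = re.compile(
    r"sshd\[\d+\]: (?:Failed password for )?illegal user .* from (\S+)"
    r"(?: port \d+ ssh2)?$",
    re.IGNORECASE,
)

def offenders(lines, threshold=3, allow=()):
    """Return sorted source IPs with >= threshold 'illegal user' lines."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in lines:
        m = PATTERN.search(line.rstrip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address: never pass raw log text to iptables
        if any(ip in net for net in allowed):
            continue  # never block networks we log in from ourselves
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

def drop_rules(ips):
    """Build argv lists (no shell) for the iptables command in the message."""
    return [["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]

# Constructed sample of /var/log/secure content.
SAMPLE = """\
Nov  7 05:58:01 box sshd[301]: Illegal user test from 221.232.128.2
Nov  7 05:58:03 box sshd[302]: Illegal user guest from 221.232.128.2
Nov  7 05:58:05 box sshd[303]: Failed password for illegal user admin from 221.232.128.2 port 4312 ssh2
Nov  7 06:02:10 box sshd[310]: Illegal user x from 192.0.2.99 from 203.0.113.7
Nov  7 06:03:00 box sshd[311]: Illegal user bob from 198.51.100.5
Nov  7 06:03:02 box sshd[312]: Illegal user bob from 198.51.100.5
Nov  7 06:03:04 box sshd[313]: Illegal user bob from 198.51.100.5
Nov  7 06:04:00 box sshd[320]: Accepted publickey for brian from 192.0.2.10 port 5000 ssh2
""".splitlines()

if __name__ == "__main__":
    for argv in drop_rules(offenders(SAMPLE, allow=["198.51.100.0/24"])):
        print(" ".join(argv))
```

The allowlist keeps a mistyped login from a known network from locking its owner out, and the threshold avoids blocking on a single stray line.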