| 1 |
On Sunday 07 November 2004 07:16 am, Gary Nichols wrote: |
| 2 |
> Brian, |
| 3 |
> |
| 4 |
> Is there a reason that you have to run ssh on the default port of 22? |
| 5 |
> I haven't run ssh on port 22 in years due to all the menacing kiddies |
| 6 |
> out there with their scripts. |
| 7 |
> I know this doesn't answer your question, but just a suggestion. |
| 8 |
|
| 9 |
Yes, I frequently travel to and work from client companies with very |
| 10 |
restrictive outbound firewalls. Port 22 (and port 8080) are (usually) open |
| 11 |
on those firewalls, so my servers listen for ssh connections on those ports. |
| 12 |
|
| 13 |
ssh on my machines is also configured to only allow key-based authentication, |
| 14 |
only certain users are allowed to ssh into my boxen remotely from external |
| 15 |
IP's, etc..., so this script is *not* really a threat to me. |
| 16 |
|
| 17 |
I just want to shut it down before it totally litters my logs, if possible, |
| 18 |
and also perhaps help out people who don't have sshd as locked down as I do. |
| 19 |
|
| 20 |
The Gentoo forum thread here: |
| 21 |
http://forums.gentoo.org/viewtopic.php?t=210585 |
| 22 |
and here: |
| 23 |
http://forums.gentoo.org/viewtopic.php?t=210585&postdays=0&postorder=asc&start=36 |
| 24 |
talks about using iptables to detect port scans, which is what I use |
| 25 |
portsentry for. However, in most cases this script isn't doing a port scan, |
| 26 |
just attacking on port 22. |
| 27 |
|
| 28 |
> On Nov 7, 2004, at 6:10 AM, Brian G. Peterson wrote: |
| 29 |
> > Can anyone help me out with a simple log scanning script that could |
| 30 |
> > detect the |
| 31 |
> > 'illegal user xxx' strings in /var/log/secure and issue the |
| 32 |
> > "/sbin/iptables -I INPUT -s 221.232.128.2 -j DROP" command to shut |
| 33 |
> > these addresses down. |
| 34 |
|
| 35 |
Regards, |
| 36 |
|
| 37 |
- Brian |
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-security@g.o mailing list |
Archives