monit-general

Re: Log files monitoring


From: Mike Jackson
Subject: Re: Log files monitoring
Date: Thu, 5 May 2005 08:12:58 -0700

I have it watching /var/log/auth.log on my FreeBSD box and adding packet
filter rules to block hosts that try to log in via SSH as root or test.
[...]

I don't catch this... it's much more efficient to simply disable root logins
from SSH:

PermitRootLogin no

or use tcp wrappers :-)

Root logins are already turned off, but bad attempts are still logged. tcpwrappers don't really work in this application because the people who would be connecting to the box via SSH don't necessarily have fixed IPs (or consistent netblocks). I noticed that a root login attempt is usually attempted at the start of a dictionary attack, so it stops them cold (and means I don't have to look at pages of failed logins in my report email every morning). I have a couple other swatch rules that look for other common dictionary attack usernames and block them. It's crude, but effective (meaning it does what I want).
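
The log-watching approach described in this message, as an added example (not the poster's swatch rules or any code from the thread): a parser that picks the source addresses of failed SSH logins for trigger usernames out of auth.log lines, ready to hand to whatever packet filter is in use. The function name, the allowlist parameter and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# Usernames that trigger a block: the two named in the post above.
TRIGGER_USERS = {"root", "test"}

# Anchored to end of line with a greedy user field, so the address is always
# the last "from ADDR port N" that sshd itself wrote; text placed in the
# username field cannot supply the address that gets blocked.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:(?:invalid|illegal) user )?(?P<user>.*)"
    r" from (?P<addr>\S+) port \d+(?: ssh\d*)?\s*$"
)

def hosts_to_block(lines, allowlist=()):
    """Return addresses (first-seen order) that failed a login as a trigger user."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]  # hypothetical safety net
    found = []
    for line in lines:
        m = FAILED.search(line)
        if not m or m.group("user") not in TRIGGER_USERS:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # not a literal address; never hand a name to the firewall
        if any(addr in net for net in allowed) or addr in found:
            continue
        found.append(addr)
    return [str(a) for a in found]

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "May  5 08:01:12 host sshd[311]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    "May  5 08:01:15 host sshd[312]: Failed password for illegal user test from 198.51.100.7 port 2222 ssh2",
    "May  5 08:01:19 host sshd[313]: Failed password for invalid user alice from 203.0.113.9 port 5151 ssh2",
    "May  5 08:01:22 host sshd[314]: Failed password for root from 192.0.2.10 port 4243 ssh2",
    "May  5 08:01:30 host sshd[315]: Failed password for root from 10.1.2.3 port 6000 ssh2",
    "May  5 08:01:41 host sshd[316]: Failed password for invalid user root from 10.0.0.1 port 1 from 203.0.113.5 port 4000 ssh2",
    "May  5 08:02:02 host sshd[317]: Accepted password for mike from 203.0.113.20 port 7000 ssh2",
]

if __name__ == "__main__":
    for host in hosts_to_block(SAMPLE, allowlist=["10.0.0.0/8"]):
        print(host)
```

The sixth sample line shows why the pattern is anchored: the username field there contains its own "from ... port ..." text, and an unanchored match would block the address named inside the username rather than the real source.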



