lucian at lastdot.org wrote:
> On Tue, 22 Jul 2008 16:34:54 +0200
> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>
>> Bowie Bailey wrote:
>>> Bo Lynch wrote:
>>>> just wanted to get some feedback from the community. Over the last
>>>> few days I have noticed my web server and email box have attempted
>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>> None of these are valid users. I know that I can block sshd
>>>> altogether with iptables but that will not work for us. I did a
>>>> little research on google and found programs like sshguard and
>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>> anything like these programs or have any other advice. I really
>>>> appreciate it.
>>>
>>> The simplest thing is to change the port. I know it's "security
>>> through obscurity", but it works well and can be used along with
>>> whatever other security enhancements you care to use.
>>
>> By changing the ports on all our servers to a high (above 1024) port,
>> we have eliminated SSH scans altogether - been running like that for
>> a few years now without any problems.
>>
>> I also add a small script in /etc/profile to email me when someone
>> logs in via SSH, since only a few privileged ppl should use SSH
>> altogether
>
> Interesting idea with this script thing. Can you provide more details or
> the script?

Yea, it's simple :)

echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com

--
Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
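
A variant of the login alert above, as an added example that is not part of the original post or Rudi's script: it takes the client address from the `SSH_CONNECTION` variable that sshd sets for the session instead of parsing `who`, which lists every logged-in session at once. The file name, the `ALERT_RCPT` placeholder recipient and the function names are assumptions made for illustration.

```shell
# Added example: /etc/profile.d/ssh-login-alert.sh (hypothetical file name).
# ALERT_RCPT is a placeholder recipient, not an address from the thread.
ALERT_RCPT="${ALERT_RCPT:-root}"

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# Print the client IP, or fail if the value is empty or not address-like.
ssh_client_ip() {
    ip=${1%% *}
    case "$ip" in
        ''|*[!0-9A-Za-z.:%]*) return 1 ;;   # only IPv4/IPv6 characters allowed
    esac
    printf '%s\n' "$ip"
}

# Build the mail subject for this one session: $1 = SSH_CONNECTION, $2 = user.
ssh_alert_subject() {
    ip=$(ssh_client_ip "$1") || return 1
    printf 'Alert: SSH login by %s from %s\n' "$2" "$ip"
}

# Body runs in a subshell "( ... )" so no variables leak into the login shell.
ssh_login_alert() (
    user=$(id -un)
    subject=$(ssh_alert_subject "$SSH_CONNECTION" "$user") || exit 0
    body="SSH ($(hostname)) on: $(date) tty=${SSH_TTY:-none}"
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "$subject" "$ALERT_RCPT"
    else
        # No mailer installed: leave a syslog record instead.
        logger -t ssh-login-alert "$subject"
    fi
)

# Only fire for sessions that arrived over SSH, not console logins.
if [ -n "${SSH_CONNECTION:-}" ]; then
    ssh_login_alert
fi
```

Like the original, this only runs for login shells, because `/etc/profile` is not read for `ssh host command` or sftp sessions; sshd's own auth log entries remain the complete record of logins.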