Rudi Ahlers wrote:
> lucian at lastdot.org wrote:
>> On Tue, 22 Jul 2008 16:34:54 +0200
>> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>>
>>> Bowie Bailey wrote:
>>>> Bo Lynch wrote:
>>>>> just wanted to get some feedback from the community. Over the last
>>>>> few days I have noticed my web server and email box have attempted
>>>>> to ssh'd to using weird names like admin,appuser,nobody,etc....
>>>>> None of these are valid users. I know that I can block sshd all
>>>>> together with iptables but that will not work for us. I did a
>>>>> little research on google and found programs like sshguard and
>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>> anything like these programs or have any other advice. I really
>>>>> appreciate it.
>>>> The simplest thing is to change the port. I know it's "security
>>>> through obscurity", but it works well and can be used along with
>>>> whatever other security enhancements you care to use.
>>>>
>>> By changing the ports on all our servers to a high (above 1024) port,
>>> we have eliminated SSH scans altogether - been running like that for
>>> a few years now without any problems.
>>>
>>> I also add a small script in /etc/profile to email me when someone
>>> logs in via SSH, since only a few privileged ppl should use SSH
>>> altogether
>>>
>>
>> Interesting idea with this script thing. Can you provide more details or
>> the script?
> Yea, it's simple :)
>
> echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx at yyy.com
>

OK. A chance to learn some more for me.

Is there a 'best' placement for this script in /etc/profile? Is localhost.localdomain a placeholder here for foo.bar.com?
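
An added example, not part of any message in the thread: a variant of the /etc/profile login alert that fires only for SSH sessions and names the host from the system instead of a hard-coded string. The function names, the `ALERT_TO` variable and its address are assumptions made for this sketch; the client address comes from the `SSH_CONNECTION` variable that sshd sets rather than from parsing `who`, which lists every logged-in user.

```shell
# Added example for /etc/profile or a file under /etc/profile.d/ (POSIX sh).
# ALERT_TO is a placeholder recipient, not an address from the thread.
ALERT_TO="${ALERT_TO:-admin@example.com}"

# Print the client address of this SSH session; fail when not under sshd.
# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port".
ssh_client_ip() {
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# Build the mail subject. The address is restricted to IPv4/IPv6 characters
# so nothing unexpected ends up in a mail header.
ssh_alert_subject() {
    ip=$(ssh_client_ip) || return 1
    case $ip in
        *[!0-9A-Fa-f:.]*) ip=invalid ;;
    esac
    printf 'Alert: SSH login %s@%s from %s\n' "$(id -un)" "$(uname -n)" "$ip"
}

# Body: host, time, raw connection tuple and the current login table.
ssh_alert_body() {
    printf 'SSH login on %s at %s\n' "$(uname -n)" "$(date)"
    printf 'SSH_CONNECTION=%s\n' "${SSH_CONNECTION:-}"
    who
}

# Send only for SSH sessions, and only when a mail command is installed.
# The helper functions stay defined in the login shell afterwards.
if subject=$(ssh_alert_subject) && command -v mail >/dev/null 2>&1; then
    ssh_alert_body | mail -s "$subject" "$ALERT_TO"
fi
unset subject
```

Because /etc/profile is read only by login shells, a remote command such as `ssh host command`, scp or sftp does not trigger this alert, so it complements the sshd authentication log rather than replacing it.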