Robert Moskowitz wrote:
> Rudi Ahlers wrote:
>> lucian at lastdot.org wrote:
>>> On Tue, 22 Jul 2008 16:34:54 +0200
>>> Rudi Ahlers <Rudi at SoftDux.com> wrote:
>>>
>>>> Bowie Bailey wrote:
>>>>> Bo Lynch wrote:
>>>>>> Just wanted to get some feedback from the community. Over the last
>>>>>> few days I have noticed that someone has attempted to ssh to my web
>>>>>> server and email box using weird names like admin, appuser, nobody,
>>>>>> etc. None of these are valid users. I know that I can block sshd
>>>>>> altogether with iptables, but that will not work for us. I did a
>>>>>> little research on Google and found programs like sshguard and
>>>>>> sshdfilter. Just wanted to know if anyone had any experience with
>>>>>> anything like these programs or has any other advice. I really
>>>>>> appreciate it.
>>>>> The simplest thing is to change the port. I know it's "security
>>>>> through obscurity", but it works well and can be used along with
>>>>> whatever other security enhancements you care to use.
>>>>>
>>>> By changing the ports on all our servers to a high (above 1024) port,
>>>> we have eliminated SSH scans altogether - been running like that for
>>>> a few years now without any problems.
>>>>
>>>> I also add a small script in /etc/profile to email me when someone
>>>> logs in via SSH, since only a few privileged people should use SSH
>>>> at all.
>>>>
>>>
>>> Interesting idea with this script thing. Can you provide more
>>> details or the script?
>> Yea, it's simple :)
>>
>> # Mail a one-line alert (host, date, current `who` output); the subject
>> # carries the remote host/IP taken from the "(...)" field of `who`.
>> echo 'SSH (localhost.localdomain) on:' "$(date)" "$(who)" |
>>   mail -s "Alert: Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" xxxxx at yyy.com
>>
> OK. A chance to learn some more for me.
>
> Is there a 'best' placement for this script in /etc/profile? Is
> localhost.localdomain a placeholder here for foo.bar.com?
I put stuff like that right at the end, and localhost.localdomain is basically the server's name from where I copied this script, so replace that with my.linux.server.com - or whatever.

-- 
Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff
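For readers who want to adapt the login-alert idea from the thread, here is an added example (not Rudi's script and not from the original posts) of the same hook written for the end of /etc/profile. It takes the client address from the SSH_CONNECTION variable that sshd sets, rather than parsing `who` (which lists every logged-in session, not just the one that triggered the alert), and it only fires for interactive SSH logins. The recipient address (ALERT_TO) and the use of mail(1) are assumptions; the host name comes from `uname -n`, so the localhost.localdomain placeholder is not needed.

```shell
#!/bin/sh
# Added example, not code from the thread: an SSH login alert meant to be
# sourced from the end of /etc/profile (or dropped into /etc/profile.d/).
# It reads the client address from sshd's SSH_CONNECTION variable instead
# of parsing `who`, and only fires for interactive SSH logins. The
# recipient address below is an assumption; change it for your site.

ALERT_TO="${ALERT_TO:-root}"

# First field of SSH_CONNECTION ("client_ip client_port server_ip server_port"),
# which sshd sets for every session it starts. Empty when not an SSH session.
ssh_client_ip() {
    printf '%s' "${1%% *}"
}

# Decide whether to alert:
#   $1 = SSH_CONNECTION value, $2 = current shell flags ($-).
# Returns 0 to alert, 1 to stay quiet. Console logins, cron jobs and "su -"
# have no SSH_CONNECTION; scp, rsync and "ssh host command" run without the
# interactive 'i' flag (and never read /etc/profile anyway).
should_alert() {
    [ -n "$1" ] || return 1
    case "$2" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Subject line: $1 user, $2 client address.
build_subject() {
    printf 'Alert: SSH login by %s from %s' "$1" "$2"
}

# Body: $1 host, $2 user, $3 client address, $4 timestamp.
build_body() {
    printf 'SSH login on %s\nuser: %s\nfrom: %s\nat:   %s\n' "$1" "$2" "$3" "$4"
}

# The hook itself. Harmless to source from a non-SSH shell or on a box
# without mail(1): the condition is false and nothing is sent.
if should_alert "${SSH_CONNECTION:-}" "$-" && command -v mail >/dev/null 2>&1; then
    login_user=${USER:-$(id -un)}
    client_ip=$(ssh_client_ip "$SSH_CONNECTION")
    build_body "$(uname -n)" "$login_user" "$client_ip" "$(date)" |
        mail -s "$(build_subject "$login_user" "$client_ip")" "$ALERT_TO"
fi
```

Two caveats a practitioner should keep in mind. /etc/profile is only read by login shells, so a session started as `ssh host some-command` (or scp/sftp) never reaches this hook; if every session must be logged, sshd's own /etc/ssh/sshrc runs for each session it starts, though a user can shadow it with ~/.ssh/rc unless that is disabled in sshd_config. And an alert is after the fact: it tells you a login succeeded, it does nothing about the password-guessing the thread started with, which is what key-only authentication and a rate limiter such as sshguard are for.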