[olug] Email a report on SSH

DYNATRON tech dynatron at gmail.com
Fri Apr 20 19:33:05 UTC 2012


++ for fail2ban
++ for using alternate ports
vi /etc/ssh/sshd_config (don't forget to restart service)
On Apr 20, 2012 11:56 AM, "Lou Duchez" <lou at paprikash.com> wrote:

> Fair enough; fail2ban isn't wedded to port 22, so you can reconfigure it
> for a different port.
>
>> I wouldn't run SSH on port 22, too much noise to deal with.
>> On Apr 20, 2012 11:22 AM, "Lou Duchez"<lou at paprikash.com>  wrote:
>>
>>> You probably want to look into Fail2Ban.  It monitors your logs for failed
>>> login attempts from a given IP (usually a certain number in a given span),
>>> and then responds as you tell it to: it can (temporarily or permanently)
>>> block that IP for port 22, it can send you an E-Mail, it can do both.  I
>>> haven't ever tried to make Fail2ban cough up failed login details, but
>>> maybe there's a way to do that.
>>>
>>> I don't consider a server tolerably secure until I've got Fail2Ban going
>>> for SSH, FTP, POP3, IMAP, SMTP, and even SquirrelMail.
>>>
>>> How it works: Fail2Ban monitors the logs you specify and looks for the
>>> regular expressions you specify (not to worry, it comes with a bunch of
>>> examples you can flip on).  If it needs to block a port, it adds an entry
>>> to iptables on the fly.
>>>
>>>
>>>> Hello,
>>>>
>>>> I have set up an SSH tunnel into an Ubuntu 10.10 machine.  I disabled
>>>> passwords and only use a private key.  I have been using it to proxy my web
>>>> traffic securely when I travel.  Sometimes you just can't trust any old
>>>> WIFI.  Recently my log files have been a little large.  The
>>>> /var/log/auth.log file is showing multiple attempts to login.  I have
>>>> turned the logging to verbose so I can see what is going on but I am not
>>>> home all of the time.  This brings me to the issue.
>>>>
>>>> I have two questions.
>>>>
>>>> 1.  I was looking into port security and came across "Knocking".  Has
>>>> anyone used "Knocking" to open a port?
>>>>
>>>> 2.  Anyone know a good place to get information on setting it up to
>>>> email me when someone tries to log in? I want to know the originating IP
>>>> address and the password they used.  Passwords will all fail but I would
>>>> like to know if someone is foolishly trying to brute force it and where
>>>> they are coming from.  I would like an email sent to me each time it
>>>> happens.  I did find a couple sites detailing a way to email when someone
>>>> logs in, but I am more interested in finding out when someone fails.
>>>>
>>>> Any info you could pass on would be great.
>>>> Thanks,
>>>> David
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
>
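
The counting Lou describes (a number of failed logins from one IP within a given span), combined with the failure report David asks for, as an added example that is not part of the original thread and is not Fail2Ban's own code. The log lines, addresses, thresholds and mail addresses are constructed for illustration; the report lists attempted usernames, since sshd's auth.log records those rather than the passwords tried.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample auth.log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Apr 20 11:01:02 box sshd[2101]: Invalid user admin from 203.0.113.5
Apr 20 11:01:09 box sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr 20 11:01:15 box sshd[2105]: Failed password for root from 203.0.113.5 port 40130 ssh2
Apr 20 11:02:40 box sshd[2110]: Accepted publickey for david from 198.51.100.7 port 50211 ssh2
Apr 20 11:30:00 box sshd[2120]: Failed password for root from 192.0.2.44 port 33001 ssh2
Apr 20 12:45:00 box sshd[2130]: Invalid user test from 192.0.2.44
"""
# Matches sshd failure lines and captures timestamp, username and source IPv4.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for (?:invalid user )?(?P<u1>\S+)|Invalid user (?P<u2>\S+)) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def find_offenders(log_text, year=2012, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: [usernames tried]} for IPs with >= maxretry failures in findtime."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(list)     # ip -> every username seen from that ip
    offenders = {}
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than the sliding window
        users[m["ip"]].append(m["u1"] or m["u2"])
        if len(window) >= maxretry:
            offenders[m["ip"]] = users[m["ip"]]
    return offenders

def build_report(offenders, sender="root@localhost", rcpt="admin@example.org"):
    """Build (but do not send) the report mail; hand it to smtplib to deliver."""
    body = [f"{ip}: tried {', '.join(sorted(set(u)))}" for ip, u in sorted(offenders.items())]
    msg = EmailMessage()
    msg["Subject"] = f"SSH failures from {len(offenders)} host(s)"
    msg["From"], msg["To"] = sender, rcpt
    msg.set_content("\n".join(body) or "No offenders.")
    return msg
```
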



More information about the OLUG mailing list