[olug] Email a report on SSH

Sam Flint harmonicnm7h at gmail.com
Fri Apr 20 20:05:26 UTC 2012


just use a vpn

On Fri, Apr 20, 2012 at 2:33 PM, DYNATRON tech <dynatron at gmail.com> wrote:
> ++ for fail2ban
> ++ for using alternate ports
> vi etc/ssh/sshd_config (dont forget to restart service)
> On Apr 20, 2012 11:56 AM, "Lou Duchez" <lou at paprikash.com> wrote:
>
>> Fair enough; fail2ban isn't wedded to port 22, so you can reconfigure it
>> for a different port.
>>
>>  I wouldn't run SSH on port 22, too much noise to deal with.
>>> On Apr 20, 2012 11:22 AM, "Lou Duchez"<lou at paprikash.com>  wrote:
>>>
>>>  You probably want to look into Fail2Ban.  It monitors your logs for
>>>> failed
>>>> login attempts from a given IP (usually a certain number in a given
>>>> span),
>>>> and then responds as you tell it to: it can (temporarily or permanently)
>>>> block that IP for port 22, it can send you an E-Mail, it can do both.  I
>>>> haven't ever tried to make Fail2ban cough up failed login details, but
>>>> maybe there's a way to do that.
>>>>
>>>> I don't consider a server tolerably secure until I've got Fail2Ban going
>>>> for SSH, FTP, POP3, IMAP, SMTP, and even SquirrelMail.
>>>>
>>>> How it works: Fail2Ban monitors the logs you specify and looks for the
>>>> regular expressions you specify (not to worry, it comes with a bunch of
>>>> examples you can flip on).  If it needs to block a port, it adds an entry
>>>> to iptables on the fly.
>>>>
>>>>
>>>>  Hello,
>>>>
>>>>> I have set up an SSH tunnel into an Ubuntu 10.10 machine.  I disabled
>>>>> passwords and only use a private key.  I have been using it to proxy my
>>>>> web
>>>>> traffic securely when I travel.  Sometimes you just cant trust any old
>>>>> WIFI.    Recently my log files have been a little large.  the
>>>>> /var/log/auth.log file is showing multiple attempts to login.  I have
>>>>> turned the logging to verbose so I can see what is going on but I am not
>>>>> home all of the time.  This brings me to the issue.
>>>>>
>>>>> I have two questions.
>>>>>
>>>>> 1.  I was looking into port security and came across "Knocking".  Has
>>>>> anyone used "Knocking" to open a port?
>>>>>
>>>>> 2.  Anyone know a good place to get information on the setting it up to
>>>>> email me when someone tries to log in? I want to know the originating IP
>>>>> address and the password they used.  Passwords will all fail but I would
>>>>> like to know if someone is foolishly trying to brute force it and where
>>>>> they are coming from.  I would like an email sent to me each time it
>>>>> happens.  I did find a couple sites detailing a way to email when
>>>>> someone
>>>>> logs in, but I am more interested in finding out when someone fails.
>>>>>
>>>>> Any info you could pass on would be great.
>>>>> Thanks,
>>>>> David
>>>>> ______________________________****_________________
>>>>> OLUG mailing list
>>>>> OLUG at olug.org
>>>>> https://lists.olug.org/****mailman/listinfo/olug<https://lists.olug.org/**mailman/listinfo/olug>
>>>>> <https://**lists.olug.org/mailman/**listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>>>> >
>>>>>
>>>>>  ______________________________****_________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/****mailman/listinfo/olug<https://lists.olug.org/**mailman/listinfo/olug>
>>>> <https://**lists.olug.org/mailman/**listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>>> >
>>>>
>>>>  ______________________________**_________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://lists.olug.org/**mailman/listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>>
>>
>> ______________________________**_________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://lists.olug.org/**mailman/listinfo/olug<https://lists.olug.org/mailman/listinfo/olug>
>>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug



-- 
Sam Flint
flintfam.org/~swflint



More information about the OLUG mailing list