[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

Was this for Brandon? Trying to follow the thread and it looks like
Brandon needed some hints in what to do.


> Thus spake Randy Ramsdell (rramsdell at adelphia.net):
> 
> > On Thu, 2005-11-24 at 16:22 -0500, Brandon Colbert wrote:
> > > Thanks
> > > 
> > > I got the public/private key working great. Here's my next question.
> > > 
> > > Are the any programs out there besides monitoring the log files "secure 
> > > and messages" to help me monitor SSH for attacks? I guess I need 
> > > something like a HIDS or a HIDS will do.
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
&gt; &gt; &gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt; &gt; 
&gt; &gt; To be honest with you, the ssh port 22 will be bombarded by brute force
&gt; &gt; attacks all day everyday. One way to monitor this port is to enable
&gt; &gt; logging from iptables. Just use the -j LOG using the &quot;syn&quot; as a trigger.
&gt; &gt; Also, snort would be useful here along with Acid that will log to a
&gt; &gt; database and select from the database using php. 
&gt; &gt; 
&gt; &gt; My solution, however, was to NOT run on port 22. I run ssh on a non-
&gt; &gt; standard port and haven't had a single connect in 5 years to that port.
&gt; &gt; I still use iptables to log any syn packet however.
&gt; &gt; 
&gt; &gt; Hope this helps.
&gt; &gt; 
&gt; &gt; rcr
&gt; &gt; 
&gt; &gt; _______________________________________________
&gt; &gt; Ale mailing list
&gt; &gt; Ale at ale.org
&gt; &gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt; 
&gt; :wq!
&gt; ---------------------------------------------------------------------------
&gt; Robert L. Harris                     | GPG Key ID: E344DA3B
&gt; 
&gt; DISCLAIMER:
&gt;       These are MY OPINIONS             &quot;We can't solve problems by using
&gt;        ALONE.  I speak for                the same kind of thinking we used
&gt;        no-one else.                         when we created them.&quot;
&gt;                                           - Einstein
&gt; 
&gt; _______________________________________________
&gt; Ale mailing list
&gt; Ale at ale.org
&gt; <a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>



</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00361" href="msg00361.html">[ale] SSH monitoring</a></strong>
<ul><li><em>From:</em> colbert.brandon at gmail.com (Brandon Colbert)</li></ul></li>
<li><strong><a name="00362" href="msg00362.html">[ale] SSH monitoring</a></strong>
<ul><li><em>From:</em> rramsdell at adelphia.net (Randy Ramsdell)</li></ul></li>
<li><strong><a name="00363" href="msg00363.html">[ale] SSH monitoring</a></strong>
<ul><li><em>From:</em> Robert.L.Harris at rdlg.net (Robert L. Harris)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00363.html">[ale] SSH monitoring</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00365.html">[ale] SSH keys</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00363.html">[ale] SSH monitoring</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00366.html">[ale] Free Monitor to a good SUN home</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00364"><strong>Date</strong></a></li>
<li><a href="threads.html#00364"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>