Re: [opensuse] Results of moving ssh to a high port - Zero script kiddies in a 24 hour period.



* David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> [Nov 27. 2008 08:30]:
16:36 nirvana~/linux/boxes/bonza/log> wc -l < 20081121.log
5353

After the change:

16:37 nirvana~/linux/boxes/bonza/log> wc -l < 20081125.log
294

Less than 300 entries in the logs in _total_ for an entire 24 hour period. If
you have similar issues, and your real user needs can be accommodated on a high
port, I highly recommend it.

Another approach is one I use after I found it on the DragonFlyBSD list.
Have an entry to send everything from the auth log into a separate
program scanning for invalid user logins. If one such is
found--blacklist it. After a while it stops and you don't have to inform
all users about port number change.

--
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic
and totally illogical, with just a little bit more effort?"
-- A. P. J.
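
A sketch of the log-scanning approach described in the message above, as an added example that is not part of the original post or any list member's code. It assumes sshd's "Invalid user NAME from ADDRESS" log message; the function name, the allow list and the sample lines are constructed for illustration, and acting on the returned addresses (the actual firewall rule) is left to the operator.

```python
import ipaddress
import re
import sys
from collections import Counter

# sshd's "Invalid user" message. The user name is attacker-controlled and may
# itself contain " from <ip>", so the greedy match takes the LAST " from " on
# the line, which is the address sshd itself wrote.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?\s*$"
)

def offenders(lines, allow=(), threshold=1):
    """Return source addresses with at least `threshold` invalid-user attempts."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in lines:
        m = INVALID_USER.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an address: never pass junk on to a block list
        if any(ip in net for net in allowed):
            continue  # never blacklist your own admin networks
        hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = [
    "Nov 25 03:12:01 bonza sshd[4101]: Invalid user admin from 203.0.113.5",
    "Nov 25 03:12:04 bonza sshd[4103]: Invalid user test from 203.0.113.5 port 40022",
    "Nov 25 03:13:10 bonza sshd[4110]: Invalid user x from 192.0.2.10 from 198.51.100.7",
    "Nov 25 03:14:00 bonza sshd[4120]: Invalid user oops from 192.0.2.44",
    "Nov 25 03:15:00 bonza sshd[4130]: Accepted publickey for david from 192.0.2.44 port 5022 ssh2",
    "Nov 25 03:16:00 bonza sshd[4140]: Invalid user bob from not-an-ip",
]

if __name__ == "__main__":
    # With no piped input, run on the sample; otherwise read the log from stdin.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for ip in offenders(source, allow=["192.0.2.0/24"]):
        print(ip)
```

The default threshold of 1 matches "if one such is found, blacklist it"; a mistyped user name from a legitimate address is the case the allow list and a higher threshold are there for.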