Hello, I personally use key authentication along with the DenyUsers and AllowUsers directives from sshd. One more thing I do regarding ssh brute force is to make use of max-src-conn and max-src-conn-rate from the pf firewall.
My auth logs look like:

    Nov 14 11:15:36 xxx sshd[3570]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
    Nov 14 11:15:38 xxx sshd[3572]: Invalid user admin from 211.55.48.179
    Nov 14 11:15:41 xxx sshd[3574]: Invalid user test from 211.55.48.179
    Nov 14 11:15:44 xxx sshd[3576]: User root from 211.55.48.179 not allowed because not listed in AllowUsers
    Nov 14 11:15:46 xxx sshd[3578]: Invalid user ghost from 211.55.48.179

Five tries from the above IP and if unsuccessful it gets overloaded in a table and all the states originating from that IP are killed.

All the servers I have are web/mail ones, none of them is used for users, so I don't know if this is a good approach but I wrote it to help make an idea about it.

a great day,
v

On Sat, Nov 15, 2008 at 5:00 AM, Lisa Casey <[EMAIL PROTECTED]> wrote:
>
>
> On Fri, 14 Nov 2008, Tom Marchand wrote:
>
>> Or michael is vacationing in Romania.
>
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever been
> there. I got rid of the michael account (it wasn't used anyway), and
> downloaded a new copy of chkrootkit, installed it and ran it along with
> chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless enough
> prank? Anything else I ought to look at? Fortunately the michael account did
> not have the ability to su to root.
>
> Lisa
>
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
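
An added example, not part of the original message: a pf.conf fragment showing the kind of rule the message describes, using max-src-conn and max-src-conn-rate with an overload table. The interface name, the table name <ssh_abuse> and the limits (10 concurrent connections, 5 new connections per 60 seconds) are assumptions; the message itself gives only the figure of five tries.

```conf
# /etc/pf.conf fragment (added example; names and limits are assumptions)

ext_if = "em0"                  # assumed external interface

# Table that pf fills with offending source addresses.
# "persist" keeps the table even when no rule references it.
table <ssh_abuse> persist

# Drop everything from listed sources before any pass rule is evaluated.
block in quick on $ext_if from <ssh_abuse>

# Stateful pass rule for ssh with per-source tracking:
#   max-src-conn 10        at most 10 simultaneous connections per source
#   max-src-conn-rate 5/60 at most 5 new connections per source in 60 seconds
#   overload <ssh_abuse>   a source exceeding either limit is added to the table
#   flush global           kill all existing states from that source, on every rule
# pf counts completed TCP handshakes here, not failed logins, so a legitimate
# client that opens many sessions quickly is treated the same as a scanner.
pass in on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <ssh_abuse> flush global)
```

The table contents can be listed with `pfctl -t ssh_abuse -T show`, and old entries aged out from cron with `pfctl -t ssh_abuse -T expire 86400`.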
