On Fri, Jan 13, 2006 at 11:53:30AM +1300, Dave van Leeuwen wrote:
> > (1) Is there some desktop monitoring utility that will immediately
> > notify me of suspicious behaviour? I'm rather disturbed that it's taken
> > me 4 days to notice this.
> daemonshield runs as a daemon watching sshd logs and pam logs for failed
> logins. If these reach a threshold then an IPtables rule blocks the ip
> for a given period of time.

DenyHosts is another program doing a similar task, but using tcpwrappers
instead of IPtables. It allows you to expire blocked hosts after a few days ...

> > (2) Recommendations for log parsing software that monitors suspicious
> > logs?
> logwatch will pick up these attempts and also the successful ones

logcheck will read all the important logs, and filter out everything known
to be safe - therefore everything else must be something you need to know
about, so it's emailed (by default hourly). Excellent program.

> > (3) Recommended strategies for dealing with break in attempts like this?

Block root from ssh, only allow a small userlist, stop using passwords, and
use keys instead.

-jim
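As an added illustration (not code from this thread, nor from daemonshield or DenyHosts), the threshold logic described above run over constructed sshd log lines: failed logins are counted per source IP inside a sliding window, and each offender is rendered as an iptables rule together with the time at which the block should expire. The log format, threshold, window and block duration are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the original thread).
SAMPLE_LOG = """\
Jan 13 11:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 4100 ssh2
Jan 13 11:40:03 host sshd[2102]: Failed password for root from 203.0.113.7 port 4101 ssh2
Jan 13 11:40:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 4102 ssh2
Jan 13 11:40:07 host sshd[2104]: Failed password for root from 203.0.113.7 port 4103 ssh2
Jan 13 11:40:09 host sshd[2105]: Failed password for root from 203.0.113.7 port 4104 ssh2
Jan 13 11:41:00 host sshd[2106]: Failed password for dave from 198.51.100.9 port 5000 ssh2
Jan 13 11:41:30 host sshd[2107]: Accepted publickey for dave from 198.51.100.9 port 5001 ssh2
"""

# Assumed syslog-style sshd line; "invalid user" is optional in the real format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2006):
    """Yield (timestamp, ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_threshold_reached} for IPs with >= threshold failures in window."""
    recent = defaultdict(list)   # per-IP failure times still inside the window
    hits = {}
    for ts, ip, _user in parse_failures(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold and ip not in hits:
            hits[ip] = ts
    return hits

def iptables_rules(hits, block_for=timedelta(days=3)):
    """Render a DROP rule per offender plus the time at which it should be lifted."""
    return [
        (f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP", ts + block_for)
        for ip, ts in sorted(hits.items())
    ]

if __name__ == "__main__":
    for rule, expires in iptables_rules(offenders(SAMPLE_LOG)):
        print(f"{rule}   # lift at {expires:%Y-%m-%d %H:%M}")
```

The rules are only printed, never executed; a real daemon would also need to remove each rule once its expiry time passes.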
