On Mon, May 12, 2008 at 6:10 PM, Steve Holdoway <[EMAIL PROTECTED]> wrote:
> ... it must be school holidays or something, as I'm currently getting
> thousands of brute force ssh breakin attempts on my servers in the US. It may
> be worth checking the logs of any of your servers that have port 22 open, if
> you don't already.

All my servers have port 22 open; there's nothing worse than forgetting that you've moved a well-known service to some alternative port!

On the other hand, they all have a reasonably strict sshd config -- keys only, named users only (no root), and the worst effect of brute force attacks is the growth in log files, which is dealt with by deploying denyhosts -- three strikes and you're out, for a week. (fail2ban is an alternative, I'm sure there are more).

Now all I see is logcheck telling me about a few crack attempts, followed by denyhosts dropping their traffic and svn checking in the alterations to the hosts.deny file. One status update (emailed, because I don't have an event correlation service set up yet), that serves as a positive confirmation the system is operating.

-jim
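
Added example, not part of the original message: a check of an sshd_config's global section against the policy described above (keys only, no root, named users only). The default values are assumed from sshd_config(5), the sample configs are constructed, and Match blocks and Include files are not evaluated.

```python
# Added example; DEFAULTS are assumed from sshd_config(5), samples are constructed.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

SAMPLE_STRICT = """\
# constructed sample; the duplicate keyword on the last line is ignored
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowUsers jim deploy
PasswordAuthentication yes
"""
SAMPLE_WEAK = "PermitRootLogin prohibit-password\n"

def effective_settings(text):
    """Map keyword -> value for the global section; the first value read wins."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # conditional blocks are not evaluated here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(ALIASES.get(key, key), value)
    return seen

def audit(text):
    """Return a list of findings; an empty list means the policy holds."""
    cfg = {**DEFAULTS, **effective_settings(text)}
    findings = []
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("public key authentication is disabled")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if cfg[key].lower() != "no":
            findings.append(f"{key} is not 'no': keys-only is not enforced")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root can still log in")
    if not cfg.get("allowusers", "").split():
        findings.append("no AllowUsers list: logins are not limited to named users")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_STRICT) or "OK", audit(SAMPLE_WEAK))
```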
