what do you use the machines for? if there are no services that require general access, e.g. a web or mail server, you can use hosts.allow and hosts.deny to basically deny everything other than what is in the hosts.allow file. you could add some general C class block (or B class) to hosts.allow

if you're really interested you can add a line like this to hosts.deny:

ALL: ALL: spawn (/bin/echo -e "%d %a %c %s from %h at `date`" |/usr/bin/mail -s 'LOGIN ATTEMPT %h %a' [EMAIL PROTECTED])&

which basically emails you a log each time someone tries to connect. the connections will always fail unless they are coming from an IP from within an IP or IP range specified in hosts.allow

regards, brett

On Thursday 30 December 2004 13:01, Voytek wrote:
> I just looked through some logs, and, see a lot of attempted access like:
>
> # grep "illegal user" secure
> Dec 29 10:10:11 koala sshd[20080]: input_userauth_request: illegal user jane
> Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.42.32.89 port 56720 ssh2
> Dec 29 10:10:15 koala sshd[20083]: input_userauth_request: illegal user jane
> Dec 29 10:10:16 koala sshd[20085]: input_userauth_request: illegal user pamela
> Dec 29 10:10:18 koala sshd[20083]: Failed password for illegal user jane from 203.42.32.89 port 56825 ssh2
> Dec 29 10:10:18 koala sshd[20085]: Failed password for illegal user pamela from 203.42.32.89 port 56842 ssh2
> Dec 29 10:10:20 koala sshd[20088]: input_userauth_request: illegal user pamela
> Dec 29 10:10:22 koala sshd[20088]: Failed password for illegal user pamela from 203.42.32.89 port 56898 ssh2
> Dec 29 22:52:18 koala sshd[944]: input_userauth_request: illegal user test
> Dec 29 22:52:21 koala sshd[944]: Failed password for illegal user test from 213.149.114.51 port 59211 ssh2
> Dec 30 10:48:10 koala sshd[30110]: input_userauth_request: illegal user test
> Dec 30 10:48:10 koala sshd[30109]: input_userauth_request: illegal user test
> Dec 30 10:48:14 koala sshd[30109]: Failed password for illegal user test from 64.174.136.250 port 2399 ssh2
> Dec 30 10:48:14 koala sshd[30110]: Failed password for illegal user test from 64.174.136.250 port 2401 ssh2
> Dec 30 10:48:22 koala sshd[30111]: input_userauth_request: illegal user guest
> Dec 30 10:48:24 koala sshd[30111]: Failed password for illegal user guest from 64.174.136.250 port 2433 ssh2
>
> what should I do to increase security?
>
> 99% of the time, I'm the sole user accessing via ssh, occasionally, I
> temporarily allow someone else.
> 80% of the time, I ssh from a fixed IP, rest of the time, I ssh from
> several Aussie ISP dialups/adsl
>
> is it worthwhile to scan logs and block these ips temporarily?
>
> is it easy to add such IPs to my ipchains?
>
> --
> Voytek

--
Brett Fenton
NetRegistry Pty Ltd
_______________________________________________
http://www.netregistry.com.au/
Tel: +61 2 96996099 | Fax: +61 2 96996088
PO Box 270 Broadway | NSW 2007, Australia
Your Total Internet Business Services Provider
Trusted by 10,000s of Oz Businesses Since 1997
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
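
Added example, not part of the original thread: a log scan of the kind asked about above, which counts failed sshd passwords per source address and prints hosts.deny entries for sources outside the ranges you would list in hosts.allow. The sample log is constructed (documentation addresses), and the function names, the threshold of 3 and the 192.0.2.0/24 range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the thread; the addresses
# are RFC 5737 documentation ranges, not the ones from the original logs.
SAMPLE_LOG = """\
Dec 29 10:10:14 koala sshd[20080]: Failed password for illegal user jane from 203.0.113.89 port 56720 ssh2
Dec 29 10:10:18 koala sshd[20083]: Failed password for illegal user jane from 203.0.113.89 port 56825 ssh2
Dec 29 10:10:18 koala sshd[20085]: Failed password for illegal user pamela from 203.0.113.89 port 56842 ssh2
Dec 29 22:52:21 koala sshd[944]: Failed password for illegal user test from 198.51.100.51 port 59211 ssh2
Dec 30 09:01:02 koala sshd[1201]: Failed password for voytek from 192.0.2.10 port 40110 ssh2
Dec 30 09:01:05 koala sshd[1201]: Failed password for voytek from 192.0.2.10 port 40110 ssh2
Dec 30 09:01:09 koala sshd[1201]: Failed password for voytek from 192.0.2.10 port 40110 ssh2
Dec 30 09:01:15 koala sshd[1201]: Accepted password for voytek from 192.0.2.10 port 40110 ssh2
"""

# Matches "illegal user" (older sshd), "invalid user" (newer sshd) and
# failed passwords for accounts that do exist.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(\S+) "
    r"from (\S+) port \d+"
)

def count_failures(log_text):
    """Return a Counter mapping source address -> failed password count."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            hits[m.group(2)] += 1
    return hits

def deny_lines(log_text, allowed_nets, threshold=3):
    """Build hosts.deny entries for noisy sources outside the allowed ranges."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    lines = []
    for src, n in sorted(count_failures(log_text).items()):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:  # sshd logged a hostname; leave it for manual review
            continue
        if n >= threshold and not any(addr in net for net in nets):
            lines.append(f"sshd: {src}")
    return lines

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the fixed range listed in hosts.allow.
    print("\n".join(deny_lines(SAMPLE_LOG, ["192.0.2.0/24"])))
```

The allowed-range check keeps your own mistyped passwords from locking you out, and the entries only take effect when sshd is built with TCP wrappers (libwrap) support.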
