[ale] SSH monitoring

Randy Ramsdell rramsdell at adelphia.net
Thu Nov 24 19:06:04 EST 2005


On Thu, 2005-11-24 at 16:22 -0500, Brandon Colbert wrote:
> Thanks
> 
> I got the public/private key working great. Here's my next question.
> 
> Are there any programs out there besides monitoring the log files "secure 
> and messages" to help me monitor SSH for attacks? I guess I need 
> something like a HIDS or a HIDS will do.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

To be honest with you, the ssh port 22 will be bombarded by brute force
attacks all day every day. One way to monitor this port is to enable
logging from iptables. Just use -j LOG with "syn" as the trigger.
Also, snort would be useful here along with Acid that will log to a
database and select from the database using php. 

My solution, however, was to NOT run on port 22. I run ssh on a non-
standard port and haven't had a single connect in 5 years to that port.
I still use iptables to log any syn packet however.

Hope this helps.

rcr
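An added example (not from Randy's post or the ALE list) of the iptables SYN logging described above, plus a small parser that counts the resulting kernel log lines per source address. The chain name, log prefix, rate limit and the sample log lines are my own assumptions and constructions.

```shell
#!/bin/sh
# Log new TCP connection attempts (SYN) to the SSH port with iptables,
# then summarise the kernel LOG lines by source address.
# Assumptions: sshd listens on 22; the LOG prefix "SSH-SYN: " and the
# SSH_LOG chain are names chosen for this example.

SSH_PORT=22

# Print the iptables rules; run the output as root to install them.
# --syn matches only the first packet of a connection attempt, and the
# limit match stops a brute-force run from flooding the log.
ssh_syn_log_rules() {
    cat <<EOF
iptables -N SSH_LOG
iptables -A INPUT -p tcp --dport $SSH_PORT --syn -j SSH_LOG
iptables -A SSH_LOG -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SSH-SYN: " --log-level 4
iptables -A SSH_LOG -j RETURN
EOF
}

# Count SYN log lines per source address, most active first.
# Feed it the kernel LOG lines (dmesg or the syslog file) on stdin;
# lines without the prefix (e.g. sshd's own messages) are ignored.
count_syn_sources() {
    grep 'SSH-SYN: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not real traffic) so this runs offline.
SAMPLE_LOG='Nov 24 19:00:01 host kernel: SSH-SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Nov 24 19:00:02 host kernel: SSH-SYN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Nov 24 19:00:03 host kernel: SSH-SYN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=50123 DPT=22 SYN URGP=0
Nov 24 19:00:04 host sshd[1234]: Accepted publickey for rcr from 203.0.113.7 port 50123 ssh2'

# Show the rules, then the per-source summary of the sample lines.
ssh_syn_log_rules
printf '%s\n' "$SAMPLE_LOG" | count_syn_sources
```

Swapping the sample input for `dmesg` or `/var/log/messages` gives the same per-source summary on a live host; the same prefix is what you would match on if you later feed these lines to a HIDS.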



