[nycbug-talk] Audit Solution
matt at atopia.net
Tue May 19 19:19:58 EDT 2009
I just block connections after 3 failed login attempts for an hour. Works nicely.
If anyone wants the script. I also have one that blocks after 3 attempts, whether successful or not, in a 30-second period that only uses pf.
------Original Message------
From: Christopher Olsen
To: george at ceetonetechnology.com
To: Matt Juszczak
Cc: talk at lists.nycbug.org
Subject: RE: [nycbug-talk] Audit Solution
Sent: May 19, 2009 18:51
It's funny you mention the zombie attempts; my logs get cluttered with failed attempts. Nothing I worry about. I considered moving the port but assumed they would eventually find it. How's the different port working for you?
-Christopher
Ubix Technologies
T: 212-514-6270
C: 516-903-2889
32 Broadway Suite 204
New York, NY 10004
http://www.tuve.tv/mrolsen
-----Original Message-----
From: George Rosamond <george at ceetonetechnology.com>
Sent: Tuesday, May 19, 2009 6:46 PM
To: Matt Juszczak <matt at atopia.net>
Cc: Christopher Olsen <cwolsen at ubixos.com>; talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Audit Solution
Matt Juszczak wrote:
>> How many servers are you managing? One of my techs mentioned something, I
>> forget the name, but it merely parsed for key words. I was looking for
>> something a bit more robust.
>
> About 60.
>
> Are you talking about swatch?
or logwatch. . .
Personally, I get a bunch of dailies, etc., not to mention cron job
outputs that I want to see, like statuses of RAIDs, outputs of
portaudit, etc.
I read everything in the am, and quickly scan for glaring problems.
Which is why I don't run sshd on 22. . . since if there's no firewall,
you get the zombie attempts filling up the email and miss what you need
to know. But that's another discussion :)
We've had this discussion before offlist, and if someone has the golden
answer, well, let us know.
g
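
A sketch of the first approach Matt describes at the top of the thread (block a source for an hour after 3 failed login attempts), added here as an example and not his script, which is not shown in the thread. The OpenSSH-style log format, the function names and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

THRESHOLD = 3                    # failed attempts before a block (from the post)
BLOCK_FOR = timedelta(hours=1)   # block duration (from the post)

# OpenSSH-style failure line; the exact log format is an assumption.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def parse_time(stamp, year=2009):
    # Syslog timestamps carry no year, so one has to be supplied.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def blocks_from_log(lines):
    """Return {source_ip: blocked_until} for sources reaching THRESHOLD failures."""
    failures = {}   # ip -> failures counted since the last block
    blocked = {}    # ip -> time the block expires
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                  # accepted logins, other daemons, noise
        when, ip = parse_time(m.group(1)), m.group(2)
        if ip in blocked and when < blocked[ip]:
            continue                  # source is already blocked
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= THRESHOLD:
            blocked[ip] = when + BLOCK_FOR
            failures[ip] = 0          # start counting afresh after the block
    return blocked

def active_blocks(blocked, now):
    """Drop entries whose hour has passed, as a periodic cleanup job would."""
    return {ip: until for ip, until in blocked.items() if until > now}

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "May 19 18:40:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "May 19 18:40:04 host sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2",
    "May 19 18:40:09 host sshd[4107]: Accepted publickey for matt from 198.51.100.23 port 40022 ssh2",
    "May 19 18:40:12 host sshd[4110]: Failed password for invalid user test from 203.0.113.7 port 51163 ssh2",
    "May 19 18:41:30 host sshd[4122]: Failed password for george from 198.51.100.23 port 40031 ssh2",
]

if __name__ == "__main__":
    for ip, until in blocks_from_log(SAMPLE).items():
        print(f"block {ip} until {until:%H:%M:%S}")
```

The returned addresses would then be fed to whatever enforces the block, such as a pf table, and `active_blocks` shows the expiry side that releases a source once its hour is up.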