removing a Linux Keylogger

Bob BLU blu at scrunch.net
Mon Jul 25 15:48:01 EDT 2005


At 02:29 PM 7/25/2005, Don Levey wrote:
>Dan wrote:
>
>iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>-j LOG --log-level WARN --log-prefix REJECT-SSH --log-ip-options
>
>Should allow me to log this also?

This is already being logged by sshd in /var/log/secure:

        Illegal user guest from 218.21.129.102

I like that iptables solution.

My current solution is to use tcp wrappers to allow access only to select addresses (may not meet your needs.)

Alternatively, have ssh listen on a different port. Security through obscurity, but it keeps the simple script attacks at bay.

Always use AllowUsers (or AllowGroups).  If not, then at least DenyUsers root.
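
Added example, not part of the original post: a small Python pass over /var/log/secure-style lines that counts the "Illegal user" entries per source address, so the addresses worth blocking with tcp wrappers or iptables stand out. The sample lines, the threshold and the function names are constructed for illustration; the "Invalid user" wording and the optional "port N" suffix are assumed for newer OpenSSH releases.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure style quoted above;
# hostname, PIDs and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Jul 25 14:02:11 gw sshd[2101]: Illegal user guest from 192.0.2.10
Jul 25 14:02:13 gw sshd[2103]: Illegal user admin from 192.0.2.10
Jul 25 14:02:15 gw sshd[2105]: Illegal user test from 192.0.2.10
Jul 25 14:05:40 gw sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jul 25 14:09:02 gw sshd[2120]: Invalid user oracle from 203.0.113.5 port 51234
Jul 25 14:09:30 gw sshd[2122]: Failed password for root from 203.0.113.5 port 51240 ssh2
"""

# The username is supplied by the remote side, so it is matched greedily and
# the address is taken after the LAST " from " on the line; a username that
# itself contains "from <address>" then cannot shift blame to another host.
UNKNOWN_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>.*) "
    r"from (?P<ip>[0-9A-Fa-f:.]+)(?: port \d+)?\s*$"
)

def unknown_user_attempts(lines):
    """Map source address -> list of nonexistent usernames tried, in order."""
    attempts = defaultdict(list)
    for line in lines:
        m = UNKNOWN_USER.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def noisy_sources(attempts, threshold=3):
    """Addresses with at least `threshold` unknown-user attempts, sorted."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= threshold)

if __name__ == "__main__":
    found = unknown_user_attempts(SAMPLE_LOG.splitlines())
    for ip, users in sorted(found.items()):
        print(f"{ip}: {len(users)} attempt(s): {', '.join(users)}")
    print("at or above threshold:", noisy_sources(found))
```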



