3

I am using Ubuntu 10.04. I want to get an alert when someone tries to access my system. For example, if someone accesses my system as an SSH user, I want to get an alert on my system. How can I get this type of alert?

karthick87
  • 81,947

2 Answers

2

fail2ban is probably the one tool you'll want for this. It works by parsing the logs of popular services (ssh, apache, etc) and looking for login failures.

When it finds a certain number of failures (i.e. if it sees somebody trying to brute-force their way in over SSH) it can update iptables to block the attacking IP. It can also send out emails to notify you (as you ask).

You can read more about setting it up from here: https://help.ubuntu.com/community/Fail2ban but there are lots of pages on the internet telling you how to do more with it. It's not a simple tool.

Other than that, for any service, if you move it off to an unpredictable port, people will be much less likely to just stumble upon it and be able to start brute forcing it. I run all my SSH servers in the 40000-50000 port range. I have fail2ban installed too but I've never had anybody find the SSH server yet.

Of course this isn't useful for any service (http will always be expected on p80 for example) so if you're maintaining other users, you have to consider how much extra effort changing the port will cause them.

Oli
  • 293,335
1

I answered a similar question about running a script on ssh login/logout. Of course that only works for SSH logins.

JanC
  • 19,422