Lately I have had a lot of attacks on my server. Most of them are based in Asia, e.g. China or Korea, but also some from servers in Europe like Ukraine or Sweden.
The attacks are done by brute forcing my ssh login, which is quite safe to be honest, but this is not stopping people from trying.
Firstly I have configured fail2ban to mail me in case of attacks.
The attacking IP is blocked for a year.
There was some doubt though, so I put a line in my root bash script which is mailing me any login as root, with a whois query as well:
ip=$(who -m | cut -s -d'(' -f2 | cut -d')' -f1); printf 'ALERT - Shell Access on: %s\n\n%s\n\n%s\n' "$(date)" "$(who)" "$(whois "$ip")" | mail -s "Alert: Root Access from $ip" root@localhost
Don't forget to edit your /etc/aliases and run newaliases, or put another mail address in the command.
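A more defensive variant of the one-liner above, as an added example rather than the author's own code: it looks only at the current session, skips the whois lookup for local logins, and checks the host string before passing it to whois or the mail subject. The function names and the `alert_host` variable are hypothetical; `mail`, `whois` and `root@localhost` are taken from the original command.

```bash
# Added example (not the original post's code). Define these in /root/.bashrc
# and call send_root_alert at the end of the file.

# Print the "(host)" field of one `who` line; prints nothing for a local
# session, because cut -s drops lines that contain no "(".
remote_host() {
    printf '%s\n' "$1" | cut -s -d'(' -f2 | cut -d')' -f1
}

# Accept only characters found in IP addresses and hostnames, and reject a
# leading "-", so the value cannot be read as an option by whois or mail.
is_valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the mail body. $1 = validated host or "", $2 = full `who` output.
alert_body() {
    printf 'ALERT - Shell Access on: %s\n\n%s\n\n' "$(date)" "$2"
    if [ -n "$1" ]; then
        # A missing or offline whois must not break the login shell.
        whois "$1" 2>/dev/null || printf 'whois lookup failed for %s\n' "$1"
    else
        printf 'No usable remote host for this session.\n'
    fi
}

send_root_alert() {
    alert_host=$(remote_host "$(who -m)")
    is_valid_host "$alert_host" || alert_host=""
    alert_body "$alert_host" "$(who)" |
        mail -s "Alert: Root Access from ${alert_host:-local console}" root@localhost
}
```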