On 12/17/22 10:30 AM, David W. Hodgins wrote:
> On Sat, 17 Dec 2022 03:47:12 -0500, Andreas Kohlbach <a...@spamfence.net>
> wrote:
>
>> On Sat, 17 Dec 2022 02:03:27 -0500, David W. Hodgins wrote:
>>>
>>> On Fri, 16 Dec 2022 21:24:46 -0500, Andreas Kohlbach
>>> <a...@spamfence.net> wrote:
>>>
>>>> On Fri, 16 Dec 2022 10:30:17 +0100, Carlos E. R. wrote:
>>>>>
>>>> Nah, don't. Have them have their fun. They don't know root won't get in
>>>> and waste their own resources. Although today it won't matter
>>>> either. But by not letting them know they cannot log in as root, they
>>>> keep trying instead of wandering off and trying other servers where
>>>> they might be successful.
>>>>
>>>>> That's something a human operator would do.
>>>>
>>>> I don't think so. Unless being DDoSed. But then you have to take a
>>>> completely different approach to mitigate the traffic.
>>>
>>> I don't block, but I use a non-standard port. Otherwise failed attempts
>>> can fill the filesystem where the logs are stored. I had that happen
>>> before I switched ports.
>>
>> There's logrotate to take care of logfile sizes.
>>
>> ~$ ls -lrt /var/log/auth*
>> -rw-r----- 1 root adm 78358 Nov 19 23:39 /var/log/auth.log.4.gz
>> -rw-r----- 1 root adm 83875 Nov 26 23:57 /var/log/auth.log.3.gz
>> -rw-r----- 1 root adm 44726 Dec 3 23:46 /var/log/auth.log.2.gz
>> -rw-r----- 1 root adm 449644 Dec 10 23:51 /var/log/auth.log.1
>> -rw-r----- 1 root adm 987377 Dec 17 03:45 /var/log/auth.log
>
> When you get a few dozen hits per minute, it doesn't take a week to use
> a lot of log space. Rotating more often will mean info will be removed
> sooner too.
>
> Granted, disk drive space has come down in price a lot since I ran into the
> issue and switched to using a custom port, but there are also new systems
> such as the Raspberry Pi, that normally run from an SD card, which limits the
> drive size.
I've written a number of special-purpose apps for Pis, but
yes, the space issue requires a lot of thought. You CAN
attach a USB SSD or even an efficient USB HD (I have a 3 TB
one attached to one Pi).
Another workaround, if available, is to use an SMB share
on a NAS or something.
The sad thing about Pis isn't their capabilities, but
the POWER CONSUMPTION. That severely limits them for
"off grid" uses. Less impressive units like BeagleBones
and especially Arduinos let you turn off basically every
peripheral until it's needed, and then cut it off again.
You can even tweak the CPU speed dynamically. You can
run an Arduino off a mere 3-watt solar cell (though 5 W is
safer; use Seeed's LipoRider Pro to charge the battery!)
so long as you are taking samples at intervals (data-logger
type use).
Now as for SSH logs ... yeah ... if possible NEVER expose
the standard port. I don't even use it on local networks.
The downside is that while the logs will tell you a lot
of things, you have to FIGURE OUT what they're trying to
tell you. Various kinds of attacks (and simple faults)
don't always stand out very well.
Again, another place where "AI"-style pattern detection
might be of use. Your PC should *tell YOU* when there
might be a problem. If you routinely deal with a lot
of boxes, lots of net-connected boxes especially, you can
blow the entire day trying to dig through those logs
in search of a "something".
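The thread's complaint is that sshd's auth.log tells you everything and nothing: the root-password spray, the log-filling noise, and the one login that actually succeeded all look alike until you aggregate them. As an added example (not code from any poster in this thread), here is a small Python pass over auth.log-format lines that does the "tell YOU" part: it groups "Failed password" events per source address in a sliding time window, flags sources that exceed a threshold (noting whether root was among the targets, which is exactly the traffic that piles up when PermitRootLogin is off), and separately flags any accepted login from an address that had already failed. The hostname, PIDs, addresses (RFC 5737 documentation ranges) and timestamps in SAMPLE_LOG are constructed; the threshold and window are assumptions to tune for your own boxes.

```python
"""Summarise sshd auth.log lines into brute-force and suspicious-success alerts.

Example code written for this thread; SAMPLE_LOG is constructed, not a real log.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the OpenSSH syslog format seen in /var/log/auth.log.
SAMPLE_LOG = """\
Dec 17 03:40:01 pi sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 17 03:40:03 pi sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 17 03:40:04 pi sshd[1203]: Invalid user admin from 203.0.113.5 port 51250
Dec 17 03:40:05 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Dec 17 03:40:07 pi sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Dec 17 03:40:09 pi sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2
Dec 17 03:41:10 pi sshd[1206]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc
Dec 17 03:42:00 pi sshd[1207]: Failed password for alice from 192.0.2.10 port 50002 ssh2
Dec 17 03:55:00 pi sshd[1208]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Dec 17 03:55:01 pi sshd[1209]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def parse_events(lines):
    """Turn raw auth.log lines into dicts with ts, kind (failed/accepted/invalid), user, ip, method."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (cron, sudo, ...)
        # Syslog stamps carry no year; year 1900 is fine for deltas within one file.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        msg = m.group("msg")
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE), ("invalid", INVALID_RE)):
            hit = rx.match(msg)
            if hit:
                ev = {"ts": ts, "kind": kind, "method": None}
                ev.update(hit.groupdict())
                events.append(ev)
                break
    return events


def brute_force_sources(events, threshold=10, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == "failed":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # two-pointer sliding window over sorted timestamps
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({e["user"] for e in fails})
                flagged[ip] = {"count": len(fails), "users": users, "root_targeted": "root" in users,
                               "first": fails[0]["ts"], "last": fails[-1]["ts"]}
                break
    return flagged


def suspicious_successes(events):
    """Accepted logins from an address that had already failed at least once: the line worth reading first."""
    seen_fail, out = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "failed":
            seen_fail.add(ev["ip"])
        elif ev["kind"] == "accepted" and ev["ip"] in seen_fail:
            out.append((ev["ip"], ev["user"], ev["method"]))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for ip, info in brute_force_sources(evs, threshold=5).items():
        print(f"brute force from {ip}: {info['count']} failures, users={info['users']}, root={info['root_targeted']}")
    for ip, user, method in suspicious_successes(evs):
        print(f"ACCEPTED {method} login for {user} from {ip} after earlier failures")
```

With the sample input this reports 203.0.113.5 (five password failures in eight seconds, root among the targets) and the `Accepted password for bob` from 198.51.100.7, while alice's single typo from an address that had only ever logged in with a key stays quiet. Two caveats: syslog timestamps have no year, so a window spanning New Year's Eve is miscounted (feed it `journalctl -u ssh -o short-iso` and adjust the format string if that matters), and sshd logs identically on a non-standard port, so moving the port cuts the volume but does not change the parsing.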