From: Chris Vine on
On Fri, 04 Jun 2010 15:32:10 -0500
"John F. Morse" <john(a)example.invalid> wrote:
[snip]
> Why does your log show sshd running on so many "unassigned" ports?

That's how ssh works. It moves off port 22 once authenticated.

Chris

From: Mikhail Zotov on
On Sat, 5 Jun 2010 01:34:14 +0100
Chris Vine <chris(a)cvine--nospam--.freeserve.co.uk> wrote:
....
> You may not be entirely or even mainly to blame. I noticed when
> installing Slackware 13.1 that by default it started ssh on boot up in
> rc.sshd without a firewall, and the default sshd_config file allows
> password authentication by default.

At one of the final steps of installation, one has an opportunity
to choose services that will be started on boot up. Just don't
check ssh if you don't need it. It can be enabled anytime later
by just making /etc/rc.d/rc.sshd executable.

--
Mikhail

From: LostInTheLoop on
steve, on 06/04/2010 08:25 PM, wrote:

> 3) And of course, how do I prevent this from happening in the
> future?

I'm happy with fail2ban. It creates an iptables rule after x
attempts with a wrong user/pass, and removes it after y minutes, x and
y of your choice.


From: Douglas Mayne on
On Sat, 05 Jun 2010 01:34:14 +0100, Chris Vine wrote:

> On Fri, 4 Jun 2010 11:25:03 -0700 (PDT) steve <shmartonak(a)ticnet.com>
> wrote:
>> Well it happened again, but this time I was a little better prepared.
>> It seems that my /etc/shadow file got modified somehow. Knowing the
>
<snip>
>
> I get loads of these. If you have users on your system with weak
> passwords then it is quite possible that you have been hacked. Worse
> even if root has a weak password. The system log should tell you if a
> user has managed to log in, but of course if they have achieved root
> access then your log can't be trusted.
>
> A few obvious points:
>
> Why are you running servers on your system open to the internet when it
> doesn't look as if you need them?
>
> Why haven't you set up a firewall, especially if you are not using a
> NATing router?
>
> If you do need ssh open to the internet (and some do, including me), why
> have you allowed password authentication on ssh? Use private/public key
> authentication and disallow password authentication.
>
> I use private/public key encryption with a pass phrase on the key, and
> disallow all other forms of ssh authentication, and that makes my system
> pretty well impregnable. In addition, to cut down the noise in my
> system log, I have a "three strikes and you are out rule" on my
> firewall. If a connection has not been established after three tries in
> one minute, the person accessing the server is kicked off for 5 minutes.
> That's enough to see them off.
>
<snip>
>
Ack! I agree with using certificate-only authentication for ssh on
internet-exposed hosts.

To the OP: There are quite a few tutorials for setting up ssh by
certificates on the web. Just be careful not to lock yourself out before
you have it set up correctly while you are learning how to do it.

I also have a rate-limited firewall rule in place (set up with iptables).

Also, if you've been hacked (and it looks like you have, IMO), I would
have a hard time trusting that box again. It either needs verification of
every executable, or it needs a clean install. But it's your box...

--
Douglas Mayne
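As an added illustration of the "x wrong attempts, then blocked for y minutes" mechanism that LostInTheLoop's fail2ban and Chris's three-strikes firewall rule both describe, here is a small simulation run over constructed sshd auth-log lines (example code written for this thread, not fail2ban's own code); the log format, hostnames and addresses are assumptions.

```python
# Added example (not fail2ban's code): x failures in a window => drop the source for y minutes.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the 'Failed password' lines sshd writes to the auth log (assumed syslog format).
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")

def ban_schedule(log_lines, max_tries=3, window=timedelta(minutes=1),
                 ban_for=timedelta(minutes=5), year=2010):
    """(time, 'ban'|'unban', ip) events: ban on max_tries failures inside
    window, unban once ban_for has elapsed (bans still open at log end are omitted)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                   # ip -> time the ban expires
    actions = []
    for line in log_lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        for old_ip, expiry in list(banned.items()):   # lift expired bans first
            if ts >= expiry:
                actions.append((expiry, "unban", old_ip))
                del banned[old_ip]
        if ip in banned:
            continue   # the firewall already drops this source; nothing to count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # keep only failures inside the window
            q.popleft()
        if len(q) >= max_tries:
            banned[ip] = ts + ban_for
            actions.append((ts, "ban", ip))
            q.clear()
    return actions

def iptables_command(action, ip):
    """Firewall change a fail2ban-style tool makes for one event."""
    return f"iptables {'-I' if action == 'ban' else '-D'} INPUT -s {ip} -j DROP"

# Constructed sample auth log: 203.0.113.5 fails 3x in a minute, 198.51.100.9 2x spread out.
SAMPLE_LOG = """\
Jun  4 11:20:01 slack sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jun  4 11:20:14 slack sshd[1203]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jun  4 11:20:30 slack sshd[1205]: Failed password for root from 203.0.113.5 port 40213 ssh2
Jun  4 11:21:00 slack sshd[1207]: Failed password for invalid user test from 198.51.100.9 port 50001 ssh2
Jun  4 11:26:05 slack sshd[1209]: Failed password for invalid user test from 198.51.100.9 port 50002 ssh2
""".splitlines()
```

Calling `ban_schedule(SAMPLE_LOG)` with the defaults (three tries in one minute, five minutes out) reproduces Chris's rule: 203.0.113.5 is banned at 11:20:30 and released at 11:25:30, while 198.51.100.9 never reaches the threshold; `iptables_command` shows the rule such a tool would insert and later delete.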

From: Mike Jones on
Responding to Mikhail Zotov:

[...]
>> Good point. If we want newbies and converts, a bunch of stuff that
>> needs ironing out isn't the best way to impress.
>
> Oops... I won't ask who wants to impress newbies and converts ;-)


All projects need a certain user-base to survive. Plus...

The world needs wiser surfers. Slackware is the right tool for the job.
Some newbies will be wobbly ex-Windows users. Even the smallest hiccup
can throw them. Solid, sane defaults give them a head start.

Let's be nice to them. They didn't choose where they started from.

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.