From: Grant on
On Sat, 5 Jun 2010 23:08:51 +0000 (UTC), Mike Jones <luck(a)dasteem.invalid> wrote:

>Responding to Mikhail Zotov:
>
>[...]
>>> Good point. If we want newbies and converts, a bunch of stuff that
>>> needs ironing out isn't the best way to impress.
>>
>> Oops... I won't ask who wants to impress newbies and converts ;-)
>
>
>All projects need a certain user-base to survive. Plus...

Yes, slackware could do with a larger user base, but its 'target market'
(dare I invite old trollers?) appears to be the thinking computer user --
not people looking for a free windows workalike replacement 'cos MSFT are
enforcing their EULA these days.
>
>The world needs wiser surfers. Slackware is the right tool for the job.
>Some newbies will be wobbly ex-Windows users. Even the smallest hiccup
>can throw them. Solid sane defaults give them a head start.

Yes, there are some things that can be better -- but they seem to be the fast
moving targets like wireless networking. Audio could be cleaner, and
certainly stopping xorg from defaulting to stupidly high resolutions on
CRT monitors would be good -- the lilo framebuffer does that, but how
well is the startx response?
>
>Let's be nice to them. They didn't choose where they started from.

I still run windows, but that's because it's so easy to stay in the
comfort zone for the desktop / localnet Linux mix I've been using for
over a dozen years :)

Besides, some tools are not available on Linux, like PIC chip software
development which I'm using, and I'm stuck on this 'doze newsreader
app I've been using for a long time -- for both Usenet and high volume
email lists like lkml.

Grant.
--
http://bugs.id.au/
From: Mike Jones on
Responding to Grant:

> On Sat, 5 Jun 2010 23:08:51 +0000 (UTC), Mike Jones
> <luck(a)dasteem.invalid> wrote:
>
>>Responding to Mikhail Zotov:
>>
>>[...]
>>>> Good point. If we want newbies and converts, a bunch of stuff that
>>>> needs ironing out isn't the best way to impress.
>>>
>>> Oops... I won't ask who wants to impress newbies and converts ;-)
>>
>>
>>All projects need a certain user-base to survive. Plus...
>
> Yes, slackware could do with a larger user base, but its 'target
> market' (dare I invite old trollers?) appears to be the thinking
> computer user -- not people looking for a free windows workalike
> replacement 'cos MSFT are enforcing their EULA these days.


If this is what it takes to get folks to start thinking for themselves
and learning to take charge of their own hardware...?

Mind you, Ubuntu seems to be /the/ choice in that case. :(


>>
>>The world needs wiser surfers. Slackware is the right tool for the job.
>>Some newbies will be wobbly ex-Windows users. Even the smallest hiccup
>>can throw them. Solid sane defaults give them a head start.
>
> Yes, there are some things that can be better -- but they seem to be the fast
> moving targets like wireless networking. Audio could be cleaner, and
> certainly stopping xorg from defaulting to stupidly high resolutions on
> CRT monitors would be good -- the lilo framebuffer does that, but how
> well is the startx response?


There are people still using CRTs? %|


>>
>>Let's be nice to them. They didn't choose where they started from.
>
> I still run windows, but that's because it's so easy to stay in the
> comfort zone for the desktop / localnet Linux mix I've been using for
> over a dozen years :)


I'm having trouble associating the word "Windows" with "comfort".


> Besides, some tools are not available on Linux, like PIC chip software
> development which I'm using, and I'm stuck on this 'doze newsreader app
> I've been using for a long time -- for both Usenet and high volume email
> lists like lkml.


Sounds like somebody should be working on open source replacements?

--
*=( http://www.thedailymash.co.uk/
*=( For all your UK news needs.
From: Helmut Hullen on
Hello, steve,

You wrote on 04.06.10:


> Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
> 219.233.229.77
> Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
> emma from 219.233.229.77 port 39063 ssh2
> Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
> 219.233.229.77

etc.

I prefer a rule for "iptables":

WAN="ppp+ eth1"
IPTABLES_BIN=/usr/sbin/iptables
# these two variables need to be adjusted

for Interf in $WAN; do
$IPTABLES_BIN -A INPUT -i $Interf -p tcp --dport 22 -m state --state NEW \
-m recent --set --name SSH
$IPTABLES_BIN -A INPUT -i $Interf -p tcp --dport 22 -m state --state NEW \
-m recent --rcheck --seconds 60 --hitcount 4 --rttl --name SSH \
-j REJECT --reject-with tcp-reset
$IPTABLES_BIN -A INPUT -i $Interf -p tcp --dport 22 -m state --state NEW \
-j ACCEPT
done

# Florian Frank on the "linuxmuster" mailing list, 17 Sept. 2005
# per sender IP max. 3 connection requests per minute; blocks script kiddies
# "rcheck" instead of "update": Sven Geggus, 22 Sept. 05,
# de.comp.os.unix.networking.misc
# see also
# http://www.heise.de/security/SSH-vor-Brute-Force-Angriffen-schuetzen--/artikel/142155/3

Best regards
Helmut

"Ubuntu" - an African word, meaning "Slackware is too hard for me".

From: Grant on
On 06 Jun 2010 19:26:00 +0200, Helmut(a)Hullen.de (Helmut Hullen) wrote:

>Hello, steve,
>
>You wrote on 04.06.10:
>
>
>> Jun 4 03:33:27 myacer sshd[26933]: Invalid user emma from
>> 219.233.229.77
>> Jun 4 03:33:27 myacer sshd[26933]: Failed password for invalid user
>> emma from 219.233.229.77 port 39063 ssh2
>> Jun 4 03:33:31 myacer sshd[26937]: Invalid user oracle from
>> 219.233.229.77
>
>etc.
>
>I prefer a rule for "iptables":
>
>WAN="ppp+ eth1"
>IPTABLES_BIN=/usr/sbin/iptables
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^--> script-kiddie marker ;)

Grant.
--
http://bugs.id.au/
From: Sylvain Robitaille on
steve wrote:

> If I'm interpreting this correctly, someone in China was trying to
> hack into my computer.

Someone was trying to *login* to your computer, from an IP address
registered in China, using account names that don't exist on your
computer.

Please note the distinctions I make, as I feel they're important to
avoid over-reacting, which often happens when someone sees unfamiliar
logfile entries:

- we don't know where the someone attempting to access your computer
physically was at the time. We only know they attempted to access
your computer from another one whose IP address is registered in
China.

- we don't have sufficient information to know whether these attempted
accesses were indicative of an attempted intrusion ("hack", as you
worded it). What we know is that they attempted to access three
non-existent accounts on your computer and failed. Chances are
you have access to more logs that might indicate further access
attempts, and more importantly, you are in a better position to
determine whether these are authorized or not.

> 1) am I understanding this correctly?

The log entries you provided show only failed attempts to login to your
computer. I generally advise that people should not worry about those.
Whatever was being tried, failed. Worry about the log lines that show
successful logins you didn't authorize or initiate. Depending on
whether or not such log lines exist(ed), and the privilege of the
associated account, those log lines might have been cleaned out before
you got to see them, but they're the ones you need to worry about, not
those that show failed login attempts.

> 2) does the fact that my /etc/shadow file got changed indicate that
> they were successful?

What changed in the /etc/shadow file? Knowing *that* will help you
determine the answer to your question.

> 3) And of course, how do I prevent this from happening in the future?

How do you prevent failed login attempts? You could have your computer
just permit any and all who try, with no password. (obviously not a
recommended configuration). My point here, again, is if all you're
seeing are failed attempts, there's no need to react or do anything.
The system is already keeping the would-be intruder out.

You need to *know* whether your system was compromised. My usual advice
to these sorts of questions, though, is if you need to ask, the answer
probably is "yes" ...

If it was, preventing future compromise will start with a proper
cleanup of the current compromise. There isn't much point in returning
the system only to its pre-compromised state, since the intrusion
vector will still exist.

If the system was not compromised, why would you want to prevent that
from happening in the future? That goes back to my comment above about
not worrying about log entries that show failed login attempts. Worry
about the ones that get in, not those that try and fail ...

The other posts that followed up to yours all provide valuable advice
for how you might want to react if your system has been compromised.
What I'm getting at is that what you've shown so far doesn't indicate
that it has. You can safely follow the advice given by others if it
makes you feel more comfortable knowing you'll have decreased the
possibility of compromise, but if it has already happened, you'll still
need to clean up, so you should make a point to know.

I hope I've helped ...

--
----------------------------------------------------------------------
Sylvain Robitaille syl(a)encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
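An added example, not code from this thread: a small POSIX sh/awk script that applies Sylvain's distinction to sshd log lines of the kind steve posted (failed attempts per source address, accepted logins, and accepted logins from addresses you don't recognise) and, for Helmut's "recent" rule, approximates which sources would have hit the 4-connections-in-60-seconds limit, treating each sshd[pid] in the log as one connection rather than counting SYN packets as the iptables rule does. The sample lines are constructed: the 219.233.229.77 lines follow the ones quoted in the thread, while 192.0.2.10 and the user "steve" are made up. Feed it real data with `... < /var/log/messages` (or wherever sshd logs on your system).

```shell
#!/bin/sh
# Added example (not code from the thread). Reads sshd syslog lines on stdin:
#   failed_by_ip           - failed password attempts per source address
#   accepted_logins        - successful logins (the lines to actually review)
#   unexpected_accepted    - successful logins from addresses not in a known list
#   would_be_rate_limited  - sources with >= LIMIT connections inside WINDOW
#                            seconds, approximating the iptables "recent" rule
#                            (one sshd[pid] in the log = one connection)

WINDOW=60   # seconds, as in --seconds 60
LIMIT=4     # connections, as in --hitcount 4

# Constructed sample input: the 219.233.229.77 lines follow the ones posted
# in the thread; the 192.0.2.10 lines and the user "steve" are made up.
SAMPLE_LOG='Jun  4 03:33:27 myacer sshd[26933]: Invalid user emma from 219.233.229.77
Jun  4 03:33:27 myacer sshd[26933]: Failed password for invalid user emma from 219.233.229.77 port 39063 ssh2
Jun  4 03:33:31 myacer sshd[26937]: Invalid user oracle from 219.233.229.77
Jun  4 03:33:31 myacer sshd[26937]: Failed password for invalid user oracle from 219.233.229.77 port 39071 ssh2
Jun  4 03:33:35 myacer sshd[26940]: Failed password for root from 219.233.229.77 port 39080 ssh2
Jun  4 03:33:40 myacer sshd[26944]: Failed password for root from 219.233.229.77 port 39088 ssh2
Jun  4 03:35:02 myacer sshd[26950]: Failed password for steve from 192.0.2.10 port 40001 ssh2
Jun  4 03:36:10 myacer sshd[26960]: Accepted password for steve from 192.0.2.10 port 40002 ssh2'

# "count ip" per source, most active first. Only "Failed password" lines are
# counted, so the "Invalid user" line of the same attempt is not counted twice.
failed_by_ip() {
    awk '/ sshd\[[0-9]+\]: Failed password / {
        for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
    }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# "Mon D HH:MM:SS user ip method" for every accepted login.
accepted_logins() {
    awk '/ sshd\[[0-9]+\]: Accepted / {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print $1, $2, $3, user, ip, $7
    }'
}

# Accepted logins whose source is not in the space-separated list given as $1.
unexpected_accepted() {
    accepted_logins | awk -v known="$1" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        !($5 in ok)'
}

# Sources that opened LIMIT connections inside any WINDOW-second span.
# Timestamps are reduced to seconds since midnight, so a log that spans
# midnight needs the date folded in as well.
would_be_rate_limited() {
    awk '/ sshd\[[0-9]+\]: / {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        key = $5 " " ip                  # $5 is "sshd[pid]:" -> one connection
        if (key in seen) next
        seen[key] = 1
        split($3, t, ":")
        print ip, t[1] * 3600 + t[2] * 60 + t[3]
    }' | sort -k1,1 -k2,2n | awk -v window="$WINDOW" -v limit="$LIMIT" '
    {
        ip = $1; ts = $2
        n[ip]++
        h[ip, n[ip]] = ts
        if (n[ip] >= limit && ts - h[ip, n[ip] - limit + 1] <= window && !(ip in flagged)) {
            flagged[ip] = 1
            print ip
        }
    }'
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_LOG" | unexpected_accepted "192.0.2.10"
printf '%s\n' "$SAMPLE_LOG" | would_be_rate_limited
```

On the sample, `failed_by_ip` reports four failures from 219.233.229.77 and one from 192.0.2.10, `accepted_logins` reports the single login by steve, `unexpected_accepted` stays silent once 192.0.2.10 is listed as a known address, and `would_be_rate_limited` names only 219.233.229.77, whose four connections fall within 13 seconds. The accepted-login list is the one worth reading line by line; the failed-attempt counts mostly tell you whether a rate limit like Helmut's is worth adding.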