It was bound to happen - suspected hack

crash 3m crash3m at gmail.com
Thu Oct 21 10:48:19 CDT 2004


Different distributions have different security measures enabled by
default.  There are several other things you can do in addition to the
hosts.allow/deny you've already set up.  You can configure sshd to not
allow root login from ssh.  You can also set up your system to only
allow a certain user (or users) to use su, which helps 'limit
liability' if a user's account is compromised.  And why is
/var/log/lastlog missing on your system? Does wtmp still exist?  I'd
be sure to run the most recent version of chkrootkit on your system,
and the small myriad of other rootkit checkers that are out there (too
lazy to google it myself at the moment ;-) )

On Thu, 21 Oct 2004 08:14:06 -0400 (EDT), Jon Moss
<jon.moss at cnonline.net> wrote:
> My secure log (below) seems to indicate that someone is trying to hack
> into one of my Linux servers.
> 
> I only have my Linux workstation's SSH port forwarded through my hardware
> firewall router.  The other server (the church one) does not have anything
> except the HTTP port (and a non-standard one at that) forwarded.
> 
> I will probably change my root password.  I only have five user accounts
> on the Linux workstation (none of which are root equivalents).
> 
> What else should I do?  Can I change the configuration of SSH to prevent
> repeated attempts from the same IP address?
>
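The three checks the reply above recommends (root login over ssh, who may run su, and whether lastlog/wtmp have gone missing), plus a quick count of failed ssh logins per source address from a secure log, as an added example script that is not part of the original thread. The log lines are constructed in the 2004-era syslog format of /var/log/secure, the config paths are the usual Red Hat/Debian ones and are assumptions, and the script only reads files; it changes nothing. The settings it looks for are the real ones: `PermitRootLogin no` in sshd_config, and an uncommented `auth required pam_wheel.so use_uid` line in /etc/pam.d/su (stock files of the period ship it commented out).

```shell
#!/bin/sh
# Added example (not from the KCLUG thread): audit the sshd/su/log-file
# hardening points from the reply and count failed ssh logins per source IP.
# All paths are assumptions; run with the argument "audit" to check this host.

# Constructed sample /var/log/secure lines (not a real capture).
SAMPLE_LOG='Oct 21 07:50:01 ws sshd[2314]: Failed password for root from 10.0.0.5 port 40122 ssh2
Oct 21 07:50:03 ws sshd[2316]: Failed password for root from 10.0.0.5 port 40124 ssh2
Oct 21 07:50:05 ws sshd[2318]: Failed password for illegal user test from 10.0.0.5 port 40126 ssh2
Oct 21 07:51:10 ws sshd[2320]: Failed password for illegal user admin from 192.0.2.7 port 3011 ssh2
Oct 21 08:02:44 ws sshd[2330]: Accepted password for jon from 192.168.1.20 port 51000 ssh2'

# failed_by_ip [threshold]: print "count ip" for every source address with at
# least <threshold> (default 3) failed sshd password attempts, highest first.
# Reads SAMPLE_LOG; point it at a real file with:  SAMPLE_LOG=$(cat /var/log/secure)
failed_by_ip() {
    threshold=${1:-3}
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$threshold" '
          /sshd\[[0-9]+\]: Failed password/ {
              # the address is the field after the word "from"
              for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
          }
          END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' \
      | sort -rn
}

# check_sshd [sshd_config]: 0 if root login over ssh is explicitly disabled,
# 1 if not (OpenSSH of that era defaulted to PermitRootLogin yes), 2 if unreadable.
check_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$cfg"; then
        echo "ok: PermitRootLogin no in $cfg"; return 0
    fi
    echo "WARN: PermitRootLogin is not 'no' in $cfg; root can log in over ssh"; return 1
}

# check_su_pam [pam_su_file]: 0 if su is restricted to a group via pam_wheel
# (an uncommented "auth required ... pam_wheel.so" line), 1 if any user may try su.
check_su_pam() {
    pam=${1:-/etc/pam.d/su}
    [ -r "$pam" ] || { echo "cannot read $pam"; return 2; }
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$pam"; then
        echo "ok: su restricted by pam_wheel in $pam"; return 0
    fi
    echo "WARN: no active pam_wheel line in $pam; any account can attempt su"; return 1
}

# check_logs: lastlog and wtmp normally always exist on a running system; a
# missing one is a sign someone removed it to hide logins. Returns 1 if any is gone.
check_logs() {
    rc=0
    for f in /var/log/lastlog /var/log/wtmp; do
        if [ -e "$f" ]; then echo "present: $f"; else echo "MISSING: $f"; rc=1; fi
    done
    return $rc
}

if [ "${1:-}" = "audit" ]; then
    check_sshd
    check_su_pam
    check_logs
fi
# Addresses with three or more failures in the sample log.
failed_by_ip 3
```

The awk pattern is deliberately anchored on `sshd[pid]: Failed password` so that `Accepted password` and non-sshd lines are not counted; on a real log, feed it `SAMPLE_LOG=$(cat /var/log/secure)` before calling `failed_by_ip`.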
