It was bound to happen - suspected hack

Jon Moss jon.moss at cnonline.net
Thu Oct 21 10:55:28 CDT 2004


I will find chkrootkit and the other utilities you mentioned and check
them out.

I wondered about the lastlog error also.  I will research it as well.

I thought I could configure ssh to prevent root access (I never log in as
root remotely anyway).  I will also limit su to a single user.

Thanks again for the great information.

Jon

> Different distributions have different security measures enabled by
> default.  There are several other things you can do in addition to the
> hosts.allow/deny you've already set up.  You can configure sshd to not
> allow root login from ssh.  You can also set up your system to only
> allow a certain user (or users) to use su, which helps 'limit
> liability' if a user's account is compromised.  And why is
> /var/log/lastlog missing on your system? Does wtmp still exist?  I'd
> be sure to run the most recent version of chkrootkit on your system,
> and the small myriad of other rootkit checkers that are out there (too
> lazy to google it myself at the moment ;-) )
>
> On Thu, 21 Oct 2004 08:14:06 -0400 (EDT), Jon Moss
> <jon.moss at cnonline.net> wrote:
>> My secure log (below) seems to indicate that someone is trying to hack
>> into one of my Linux servers.
>>
>> I only have my Linux workstation's SSH port forwarded through my
>> hardware firewall router.  The other server (the church one) does not
>> have anything except the HTTP port (and a non-standard one at that)
>> forwarded.
>>
>> I will probably change my root password.  I only have five user accounts
>> on the Linux workstation (none of which are root equivalents).
>>
>> What else should I do?  Can I change the configuration of SSH to prevent
>> repeated attempts from the same IP address?
>>


-- 
Thanks very much,

Jon Moss
jon.moss at cnonline.net
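
Added example, not part of the original messages: a small POSIX shell audit for the two hardening steps discussed in this thread, disabling root login over ssh and restricting su to chosen users. It assumes OpenSSH's PermitRootLogin keyword in /etc/ssh/sshd_config and a pam_wheel.so line in /etc/pam.d/su as the default paths; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two hardening steps mentioned in the thread.

# Print the effective global value of an sshd_config keyword.
# Keywords are case-insensitive and sshd keeps the FIRST value it reads.
# Assumption: Include files and Match blocks are not evaluated.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value"
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Return 0 only when root login over ssh is explicitly set to "no".
# An unset keyword falls back to the build default, so it counts as a finding.
root_login_disabled() {  # usage: root_login_disabled [FILE]
    [ "$(sshd_effective PermitRootLogin "${1:-/etc/ssh/sshd_config}")" = "no" ]
}

# Return 0 when an active pam_wheel line limits su to a group: type auth,
# control required or requisite, and no "deny" option (which inverts it).
su_restricted() {  # usage: su_restricted [FILE]
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
            $3 ~ /pam_wheel\.so$/ && $0 !~ /[ \t]deny([ \t]|$)/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "${1:-/etc/pam.d/su}"
}

# Demo on constructed sample files (not taken from the thread).
d=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"
printf '%s\n' '#auth required pam_wheel.so use_uid' > "$d/su"
root_login_disabled "$d/sshd_config" && echo "ssh root login: disabled"
su_restricted "$d/su" || echo "su: not restricted (pam_wheel line is commented out)"
rm -rf "$d"
```

Called without arguments, both checks read the default paths; sshd must be reloaded after editing sshd_config for a change to take effect.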



More information about the Kclug mailing list