LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-04-2010, 07:09 AM   #1
planetmars
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Rep: Reputation: 15
How to trace a telnet or SSH user?


Someone is logging in to our server. I turned off the telnet service. How do I disable SSH? Are there any other ways to SSH?

How do I get the IP address of the person who is logging in? I checked the lastlog, wtmp and last commands, but could not find any suspicious entries.
 
Old 03-04-2010, 07:36 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 248
How do you know someone is logging in to your server?
 
Old 03-04-2010, 07:46 AM   #3
nuwen52
Member
 
Registered: Feb 2009
Distribution: CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 205

Rep: Reputation: 46
Please do provide the distro and version that you are using when asking a question like this. That being said...

How to turn off a daemon service (which ssh is) depends greatly on the version of Linux you are running. In Gentoo, it would be "rc-update del sshd default". In CentOS, go to /etc/rc.d/rc*.d and rename each startup script (S**sshd to s**sshd). Or, you could go to (in GNOME) System -> Administration -> Server Settings -> Services and deselect sshd. For other OSes, I don't know how it would work.

Another way would be to block sshd in your firewall settings (likely IPTables). If this is an external person logging in, you can block ssh from outside traffic and still allow yourself to use it.

As for getting the IP address, you could check the system logs in /var/log. On my machine, I would specifically check "messages" and "secure", to start with. If they are coming through sshd, I think it would log there.

Last edited by nuwen52; 03-04-2010 at 09:11 AM.
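As a worked illustration of the log check suggested above (added here; it is not code from the thread or from any of the posters), the script below pulls the source addresses of sshd and xinetd/telnet sessions out of a syslog-style auth log such as /var/log/secure. The log lines it reads are constructed samples in the usual syslog format, and the allowlist file format (one address per line) is an assumption of the example; on a live system you would pass the real log path to the functions instead.

```shell
#!/bin/sh
# Added example, not code from the thread: extract who logged in from where
# out of a syslog-style auth log (sshd and xinetd/telnet lines).
# The log lines below are constructed samples; on a real box point the
# functions at /var/log/secure (or /var/log/messages) instead.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  4 06:58:12 srv sshd[2217]: Accepted password for root from 203.0.113.45 port 51522 ssh2
Mar  4 06:59:40 srv sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Mar  4 07:01:03 srv sshd[2241]: Accepted publickey for deploy from 192.0.2.10 port 33890 ssh2
Mar  4 07:02:11 srv sshd[2255]: Accepted password for root from 203.0.113.45 port 51530 ssh2
Mar  4 07:03:00 srv xinetd[1900]: START: telnet pid=2270 from=203.0.113.45
EOF

# Successful sshd logins as "count user ip", most frequent first. The user and
# address are located by their "for" / "from" keywords so that password and
# publickey lines parse the same way.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            n[user " " ip]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Failed sshd logins as "count ip": the brute-force picture.
ssh_failed() {
    awk '/sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Source addresses of telnet sessions started through xinetd (how telnetd is
# normally run on RHEL-style systems), one per line, de-duplicated.
telnet_sources() {
    awk '/xinetd\[[0-9]+\]: START: telnet / {
            for (i = 1; i <= NF; i++) if (sub(/^from=/, "", $i)) print $i
        }' "$1" | sort -u
}

# Successful logins from addresses that are NOT in an allowlist file
# (assumed format: one address per line). These are the sessions to explain first.
ssh_from_unexpected() {
    ssh_accepted "$1" | while read -r count user ip; do
        grep -qxF "$ip" "$2" || echo "$count $user $ip"
    done
}

echo "== accepted ssh logins"; ssh_accepted "$LOG"
echo "== failed ssh logins";   ssh_failed "$LOG"
echo "== telnet sources";      telnet_sources "$LOG"
```

Run against the sample, the accepted list shows two root logins from 203.0.113.45 and one key-based login for deploy; with 192.0.2.10 in the allowlist, ssh_from_unexpected leaves only the root sessions. If wtmp has been cleared but syslog has not, this is the record that survives, which is why comparing the two is worthwhile.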
 
Old 03-04-2010, 10:45 AM   #4
schneidz
Senior Member
 
Registered: May 2005
Location: boston, usa
Distribution: fc-15/ fc-19-live-usb/ aix
Posts: 3,820

Rep: Reputation: 586
Assuming Fedora:
Code:
sudo /sbin/service sshd stop
Have you looked in tail -f /var/log/messages for SSH connection logs?

If you shut off the SSH server, then you won't be able to SSH in?
You can try changing the default port (22) to another arbitrary one.
 
Old 03-04-2010, 07:28 PM   #5
planetmars
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by schneidz
Assuming Fedora:
Code:
sudo /sbin/service sshd stop
Have you looked in tail -f /var/log/messages for SSH connection logs?
I will check this
 
Old 03-05-2010, 12:12 AM   #6
pix9
Member
 
Registered: Jan 2010
Location: Kalyan, Mumbai, Maharashtra, India
Distribution: Red Hat (RHEL 6.0)
Posts: 128

Rep: Reputation: 19
You can disable SSH or telnet access to your server through the firewall.
You can also stop those services if they are not really necessary. It is recommended to stop the telnet service unless it is necessary.
Thank you

Last edited by pix9; 03-05-2010 at 12:25 AM.
 
Old 03-05-2010, 02:10 AM   #7
mattseanbachman
Member
 
Registered: Feb 2010
Posts: 40

Rep: Reputation: 15
Quote:
Originally Posted by planetmars
I will check this
First, what Linux distribution are you running?

Have you tried the command last? As in

Code:
toor@toor-desktop $ last
That seems to put out IP addresses of past connections, and even dates them. And as was asked before by another person, how do you know that they're even logging in?
 
Old 03-05-2010, 02:42 AM   #8
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Quote:
Originally Posted by planetmars
someone is logging to our server ... I checked lastlog, wtmp and last commands, but could not find any suspicious entries
You didn't answer smoker's question. I ask the same thing.
 
Old 03-05-2010, 03:24 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,962
Blog Entries: 11

Rep: Reputation: 865
Moved: This thread is more suitable in <Linux-Security> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 03-05-2010, 08:26 PM   #10
planetmars
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by smoker
How do you know someone is logging in to your server?
Files that are not supposed to be altered are being modified. I checked this from the files' modification dates and their content. I am the only person who is supposed to change those files.
 
Old 03-05-2010, 08:36 PM   #11
planetmars
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by mattseanbachman
First, what Linux distribution are you running?

Have you tried the command last? As in

Code:
toor@toor-desktop $ last
Yes, I tried the last command. It did not return any IP addresses. It showed the message:
wtmp started at ......

Probably they are clearing this.
 
Old 03-06-2010, 12:09 AM   #12
Web31337
Member
 
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

Rep: Reputation: 65
Before you start thinking you've been cracked, check whether those files could be overwritten by some script/daemon you run from crontab etc. But cleared wtmp and logs point to the guess that you've really been cracked. If they're maliciously modified, then...
First things first: make backups, change passwords, check your ~/.ssh (and /root/.ssh) directory for authorized_keys* files, and if you use key-based auth, check them for other keys. What services do you run? How do you think a cracker entered your system? Do you have a web server with PHP etc.? What is your kernel version (uname -a shows it)? An attacker can exploit your kernel and gain root if he has another entry point allowing him to access the shell or execute binary code. Your first step can be running these three useful commands:
Code:
lsof -Pwn
netstat -anpe
ps -axfwwwe
and checking your system for rootkits, say, with rkhunter.

If you're really going to trace crackers, you might not want to change anything, so as to make them think you haven't found out they're in. But you surely need to run those checks with rkhunter or other tools, in order to monitor the situation. It's just your choice; if the server has valuable data, the better way will be to just disconnect it from the internet and start wiping out malware. That's what I really suggest, you never know. Say, if the cracker is in a bad mood and feels he's been spotted, he may simply "rm -rf" your server. Typical skiddie way of solving problems.
Tracing crackers on a working server with valuable data is a really risky way, and it requires some knowledge or someone experienced around, so you can always ask. The LQ forum is probably not "live" support.
 
1 members found this post helpful.
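The authorized_keys check recommended in the post above, written out as a script (added here; it is not code from the thread or from any of the posters). It walks /root/.ssh and every home directory for authorized_keys* files, extracts the key material from each entry even when options such as command="..." precede it, and reports keys that are not on an allowlist of keys you issued yourself. The directory tree, the key blobs (fake base64, same line format as real keys) and the allowlist format ("keytype blob" per line) are all constructed for the example; set BASE to / to run it against real accounts.

```shell
#!/bin/sh
# Added example, not code from the thread: find authorized_keys entries that
# you did not put there. Runs against a constructed directory tree under a
# temp dir; set BASE=/ (homes under /home plus /root) to use it for real.

BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT

mkdir -p "$BASE/root/.ssh" "$BASE/home/deploy/.ssh" "$BASE/home/www/.ssh"
# Constructed key material: real line format, fake base64 blobs.
cat > "$BASE/root/.ssh/authorized_keys" <<'EOF'
# keys for the admin workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDADMINKEY admin@workstation
EOF
cat > "$BASE/home/deploy/.ssh/authorized_keys" <<'EOF'
command="/usr/local/bin/deploy.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDDEPLOYKEY ci@builder
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDUNKNOWNKEY
EOF
# Older OpenSSH also honours authorized_keys2, so it must be checked too.
cat > "$BASE/home/www/.ssh/authorized_keys2" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTEDOTHERKEY nobody@nowhere
EOF

# Allowlist of keys you issued yourself (assumed format: "keytype blob" per line).
KNOWN="$BASE/known_keys.txt"
cat > "$KNOWN" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDADMINKEY
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDDEPLOYKEY
EOF

# Print "file keytype blob" for every key entry found. Options such as
# command="..." may come before the key type, so the type field is located by
# pattern rather than assumed to be column one. Comments and blank lines skip.
list_authorized_keys() {
    find "$1/root/.ssh" "$1/home" -name 'authorized_keys*' -type f 2>/dev/null |
    while read -r f; do
        awk -v file="$f" '
            /^[[:space:]]*#/ || NF == 0 { next }
            {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                        print file, $i, $(i + 1); break
                    }
            }' "$f"
    done
}

# Entries whose key material is not in the allowlist: each one needs an owner
# and a reason, or it gets removed.
unknown_keys() {
    list_authorized_keys "$1" | while read -r file ktype blob; do
        grep -qxF "$ktype $blob" "$2" || echo "$file $ktype $blob"
    done
}

echo "== all keys";     list_authorized_keys "$BASE"
echo "== unknown keys"; unknown_keys "$BASE" "$KNOWN"
```

On the sample tree the second key in deploy's file and the ssh-dss key in www's authorized_keys2 are reported; the admin and CI keys match the allowlist and are silent. Comparing against key material rather than the trailing comment matters because the comment is free text and an attacker can write "admin@workstation" on a key of their own.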
Old 03-09-2010, 01:52 AM   #13
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 30
You may want to log all traffic going to ports 22 and 23 from anywhere via your firewall, and from there you can check which is which and what will be allowed and rejected.
 
Old 03-09-2010, 07:35 PM   #14
planetmars
LQ Newbie
 
Registered: Nov 2008
Posts: 22

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by tajamari
You may want to log all traffic going to ports 22 and 23 from anywhere via your firewall, and from there you can check which is which and what will be allowed and rejected.
How do I see the traffic via the firewall on this RHEL 4 server?
 
Old 03-09-2010, 07:56 PM   #15
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021
See the LOG option in iptables
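To show what the iptables LOG target gives you for the question asked in #13 and #14, here is an added example (not code from the thread or from any of the posters). The comment at the top holds the two rules that log every new connection to ports 22 and 23 with a recognisable prefix; the rest of the script counts connection attempts per source address and port from the resulting kernel log lines. The log lines are constructed samples of LOG output, the prefix "REMOTE-LOGIN: " is a choice made for the example, and the allowlist format (one address per line) is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise iptables LOG output for
# the telnet and SSH ports by source address.
#
# Rules that produce the log lines (run as root; inserted at the top of INPUT
# so every new connection is logged before any later rule accepts or drops it):
#   iptables -I INPUT -p tcp --dport 22 -m state --state NEW \
#       -j LOG --log-prefix "REMOTE-LOGIN: " --log-level 4
#   iptables -I INPUT -p tcp --dport 23 -m state --state NEW \
#       -j LOG --log-prefix "REMOTE-LOGIN: " --log-level 4
# The kernel hands the lines to syslog, which on RHEL-style systems writes
# them to /var/log/messages. The lines below are constructed samples of that.

PREFIX="REMOTE-LOGIN: "
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  9 19:40:02 srv kernel: REMOTE-LOGIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51522 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 19:40:09 srv kernel: REMOTE-LOGIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51530 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 19:41:15 srv kernel: REMOTE-LOGIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4330 DF PROTO=TCP SPT=51544 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 19:42:40 srv kernel: REMOTE-LOGIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 19:43:02 srv kernel: REMOTE-LOGIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.45 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4351 DF PROTO=TCP SPT=51560 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF

# "count src dport" for every logged connection attempt, most frequent first.
# Only lines carrying our prefix are considered, so unrelated kernel messages
# in the same file are ignored.
attempts_per_source() {
    awk -v prefix="$2" '
        index($0, "kernel: " prefix) {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Source addresses that touched either port and are not in an allowlist file
# (assumed format: one address per line).
unexpected_sources() {
    attempts_per_source "$1" "$2" | awk '{ print $2 }' | sort -u |
    while read -r src; do grep -qxF "$src" "$3" || echo "$src"; done
}

echo "== attempts per source and port"; attempts_per_source "$LOG" "$PREFIX"
```

Because the rules match state NEW, each logged line is one connection attempt rather than one packet, so the counts are directly comparable with the sshd entries in /var/log/secure: an address that appears here but never in sshd's log reached the port without completing an SSH login, and an sshd login with no matching firewall line means the logging rule was not in place at the time.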
 
  


All times are GMT -5.