Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Please do provide the distro and version that you are using when asking a question like this. That being said...
How to turn off a daemon service (which ssh is) depends greatly on the version of Linux you are running. In Gentoo, it would be "rc-update del sshd default". In CentOS, go to /etc/rc.d/rc*.d and rename each startup script (S**sshd to s**sshd). Or, you could go to (in GNOME) System -> Administration -> Server Settings -> Services and deselect sshd. For other OSes, I don't know how it would work.
Another way would be to block sshd in your firewall settings (likely IPTables). If this is an external person logging in, you can block ssh from outside traffic and still allow yourself to use it.
As for getting the IP address, you could check the system logs in /var/log. On my machine, I would specifically check "messages" and "secure", to start with. If they are coming through sshd, I think it would log there.
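To make that log check concrete, here is an added example (not from this post or anyone in the thread) that summarises sshd login events per source IP from /var/log/secure or /var/log/auth.log. The log excerpt is constructed, and the script assumes the classic syslog line layout with stock OpenSSH messages.

```shell
#!/bin/sh
# Added example: summarise sshd login attempts per source IP.
# Assumes the classic syslog layout "Mon DD HH:MM:SS host sshd[pid]: <message>"
# and stock OpenSSH messages (Accepted / Failed password / Invalid user).

# Constructed sample log lines (not real data), used when no file is given.
SAMPLE_LOG='Mar  3 02:14:07 srv sshd[1201]: Failed password for root from 198.51.100.7 port 40112 ssh2
Mar  3 02:14:09 srv sshd[1201]: Failed password for root from 198.51.100.7 port 40112 ssh2
Mar  3 02:14:12 srv sshd[1205]: Accepted password for root from 198.51.100.7 port 40118 ssh2
Mar  3 08:30:01 srv sshd[1302]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Mar  3 09:01:44 srv sshd[1310]: Invalid user oracle from 203.0.113.9 port 33000'

# Read log text on stdin; print "ip accepted failed invalid" per source IP,
# most accepted logins first, then most failures.
ssh_login_summary() {
    awk '
        # Field 5 is the process tag; the word after "from" is the client IP.
        $5 ~ /^sshd\[/ {
            ip = ""
            for (i = 6; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($6 == "Accepted")                      { acc[ip]++;  seen[ip] = 1 }
            else if ($6 == "Failed" && $7 == "password") { fail[ip]++; seen[ip] = 1 }
            else if ($6 == "Invalid" && $7 == "user")    { inv[ip]++;  seen[ip] = 1 }
        }
        END {
            for (ip in seen)
                printf "%s %d %d %d\n", ip, acc[ip] + 0, fail[ip] + 0, inv[ip] + 0
        }' | sort -k2,2nr -k3,3nr -k1,1
}

# Print IPs that failed at least once and then got in: the footprint of a
# guessed password, worth checking before anything else.
suspicious_logins() {
    ssh_login_summary | awk '$2 > 0 && $3 > 0 { print $1 }'
}

# Usage: sh ssh_log_summary.sh /var/log/secure  (runs on the sample without a file)
if [ -n "${1:-}" ]; then
    ssh_login_summary < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | ssh_login_summary
fi
```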
You can disable ssh or telnet access to your server through the firewall.
You can also stop those services if they are not really necessary. It is recommended to stop the telnet service unless necessary.
Before you start thinking you've been cracked, check if those files can't be overwritten by some script/daemon you run in crontab/etc. But cleared wtmp and logs point to the guess that you've really been cracked. If they're maliciously modified then...
First things first: make backups, change passwords, check your ~/.ssh (and /root/.ssh) directory for authorized_keys* files, and if you use key-based auth, check them for having other keys. What services do you run? How do you think a cracker entered your system? Do you have a web server with PHP/etc? What is your kernel version (uname -a shows it)? An attacker can exploit your kernel and gain root if he has another entry point allowing him to access the shell or execute binary code. Your first step can be running these three useful commands:
and checking your system for rootkits, say, with rkhunter.
If you're really going to trace crackers, you might not want to change anything, so make them think you didn't find out they're in. But you surely need to run those checks with rkhunter or other tools, in order to monitor the situation. It's just your choice; if the server has valuable data, the better way will be to just disconnect it from the internet and start wiping out malware. That's what I suggest really, you never know. Say, if the cracker is in a bad mood and feels he's been spotted, he may simply "rm -rf" over your serv. Typical skiddie way of solving problems.
Tracing crackers on a working server with valuable data is a really risky way and it requires some knowledge or someone experienced around, so you can always ask. LQ forum is probably not a "live" support