10-22-2005, 12:36 PM | #1
Member | Registered: Mar 2005 | Posts: 54
Possible Break In???
I have gotten some strange server log activity over the past couple of days. They say
Oct 22 11:54:04 PC sshd[5556]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 22 11:54:04 PC sshd[5558]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Does this mean that I was actually broken into or that someone is trying? If so, what method are they using so that I can possibly stop it?
Any help at all will be greatly appreciated.
10-22-2005, 03:19 PM | #2
Senior Member | Registered: Nov 2002 | Location: Edmonton AB, Canada | Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris | Posts: 3,731
This is most likely a break-in attempt from some script kiddie. If the attacker managed to gain access, it would be in your logs, unless they scrubbed them, but then why leave these lines in there?
My instinct says you are probably fine, but please check your logs for unauthorized access, and even use a rootkit hunter to make sure...
As for method, usually it is just a brute force password attack. Do your logs also contain failed login attempts?
Solutions:
1. don't leave port 22 open to the internet if you don't need access from there
2. Disable password logins and use PubkeyAuthentication instead.
3. Do _not_ allow root logins
4. You can move sshd to a non-standard port. This will take care of a lot of automated script-kiddie attacks
good luck...
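The "reverse mapping" line on its own only says that the client's address had no forward DNS record matching its reverse one, which is true of plenty of hosting-provider addresses; what answers the question in post #1 is whether the same source went on to produce a run of "Failed password" lines and, worse, an "Accepted" line. An added example script (not from the thread) that pulls those counts out of the auth log, run here against a constructed sample:

```shell
#!/bin/sh
# Added example, not from the thread: triage sshd log lines for signs of a
# brute-force run. Works on /var/log/auth.log (Debian) or /var/log/secure (RHEL).
# The sample log below is constructed; 192.0.2.x is a documentation-only range.

make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 22 11:54:04 PC sshd[5556]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
Oct 22 11:54:05 PC sshd[5556]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 22 11:54:08 PC sshd[5558]: Failed password for invalid user test from 192.0.2.10 port 40131 ssh2
Oct 22 11:54:11 PC sshd[5560]: Failed password for root from 192.0.2.10 port 40140 ssh2
Oct 22 11:54:14 PC sshd[5562]: Failed password for root from 192.0.2.10 port 40150 ssh2
Oct 22 12:01:30 PC sshd[5590]: Failed password for bob from 192.0.2.77 port 51002 ssh2
Oct 22 12:02:01 PC sshd[5592]: Accepted publickey for bob from 192.0.2.77 port 51010 ssh2
EOF
    echo "$f"
}

# Reverse-DNS mismatch warnings: noisy, and on their own they prove nothing.
reverse_dns_warnings() { grep -c 'POSSIBLE BREAK' "$1"; }

# Failed password attempts per source IP, busiest source first.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Distinct usernames tried from one IP: many names from a single source is a
# dictionary attack, not a user mistyping a password.
usernames_tried_from() {
    grep "Failed password for .* from $2 " "$1" \
      | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' \
      | sort -u | wc -l | tr -d ' '
}

# Successful logins: the line that matters. An "Accepted" entry from the same
# source as a burst of failures means the guessing worked.
accepted_logins() { grep -c 'sshd\[[0-9]*\]: Accepted ' "$1"; }

# Stand-alone run: summarise the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    echo "reverse-DNS warnings: $(reverse_dns_warnings "$log")"
    echo "failed logins by IP:"; failed_logins_by_ip "$log"
    echo "accepted logins: $(accepted_logins "$log")"
fi
```

Point the functions at your real log file instead of the sample; a single source trying several usernames within seconds is the pattern post #2 is describing.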
10-23-2005, 06:30 PM | #3
Member | Registered: Mar 2005 | Posts: 54 | Original Poster
I have read about changing the SSH port to something else, but no one has mentioned how to do so. Can you please tell me how?
10-23-2005, 06:56 PM | #4
Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,697
Edit /etc/ssh/sshd_config and change this:
# Port 22
to whatever
Port 2020
Restart sshd.
This will help some but the best defense is make use of public keys only. No passwords or root logins as mentioned in the above post.
Hope this helps
Brian1
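The port change, the no-root-login rule from post #2 and the keys-only setting all live in the same file, and a typo in any of them can lock you out of a remote machine. An added example (not Brian1's procedure) that applies those settings to a copy of sshd_config and checks the result with `sshd -t` before anything is restarted; the file path and port number are parameters:

```shell
#!/bin/sh
# Added example, not Brian1's own procedure: apply the thread's hardening
# settings to an sshd_config file and validate it before restarting sshd.
# FILE and PORT are parameters; nothing here restarts or reloads the service.

# set_option FILE KEY VALUE: rewrite an existing "KEY ..." line (commented out
# or not) in place, otherwise prepend one. Prepending rather than appending
# keeps the directive global: anything after a "Match" block applies only there.
set_option() {
    file=$1 key=$2 value=$3
    if grep -q "^[# ]*$key " "$file"; then
        # If the key occurs more than once, every occurrence gets the new value;
        # sshd honours the first one it reads.
        sed "s/^[# ]*$key .*/$key $value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp" && mv "$file.tmp" "$file"
    fi
}

# harden_sshd_config FILE [PORT]: the four points from the thread, plus
# challenge-response, which otherwise still lets PAM prompt for a password.
harden_sshd_config() {
    cfg=$1 port=${2:-22}
    set_option "$cfg" Port "$port"                      # non-standard port cuts automated noise
    set_option "$cfg" PermitRootLogin no                # log in as a user, then su
    set_option "$cfg" PubkeyAuthentication yes
    set_option "$cfg" PasswordAuthentication no         # keys only: nothing to brute-force
    set_option "$cfg" ChallengeResponseAuthentication no
}

# effective_value FILE KEY: first uncommented value, as sshd would read it.
effective_value() {
    sed -n "s/^$2[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Validate before restarting; a typo here locks you out of a remote box.
# Keep an existing session open while you test the new port from a second one.
validate_and_show() {
    sshd -t -f "$1" || { echo "config rejected, not restarting" >&2; return 1; }
    for k in Port PermitRootLogin PubkeyAuthentication PasswordAuthentication; do
        echo "$k = $(effective_value "$1" "$k")"
    done
}
```

Run `harden_sshd_config` on a copy, `validate_and_show` on that copy, and only then move it into place and restart sshd; remember to open the new port in the firewall first.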
10-23-2005, 07:36 PM | #5
Member | Registered: Mar 2005 | Posts: 54 | Original Poster
Thanks Brian.
I have root logins turned off; it's my first security defense. With that said, how do I use public keys only? I have never heard of doing so before. Can you please explain how that works?
10-23-2005, 08:19 PM | #6
Guru | Registered: Jan 2003 | Location: Seymour, Indiana | Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu | Posts: 5,697
Here are a few quick links from http://www.google.com/linux on how to set up public keys. They can be a bit confusing, but I don't have the time to really write a clearer one. The first uses RSA keys and the second uses DSA. DSA is stronger than RSA from what I know. Both are quite alike and should get you going. If they work, let me know. If I get some spare time I might write something up. I would say there are many posts on the subject here. Use the search feature for setting up ssh with keys.
http://sial.org/howto/openssh/publickey-auth/
http://www.ubuntuforums.org/archive/...p/t-30709.html
Hope this helps.
Brian1
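The part of the key setup that trips most people is not generating the key but installing it: sshd (with StrictModes, the default) ignores authorized_keys whenever the home directory, ~/.ssh or the file itself is group- or world-writable, and then quietly falls back to whatever password auth is still on. An added example (not from the linked howtos) of the server-side install with the modes sshd expects, plus a check that reports what StrictModes would reject; the home directory and key line are parameters, and the key shown is a constructed placeholder:

```shell
#!/bin/sh
# Added example, not from the linked howtos: the server-side half of key-only
# login. sshd (with StrictModes, the default) ignores authorized_keys when the
# home dir, ~/.ssh or the file itself is group/world writable, and then falls
# back to whatever password auth is still enabled; that is the usual reason
# "keys don't work". HOME_DIR and the key line are parameters.

# Client side, by hand (needs ssh-keygen): ssh-keygen -t ed25519
# then copy the resulting ~/.ssh/id_ed25519.pub line to the server.

# Constructed placeholder for the tests, not a real key.
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@client'

# install_pubkey HOME_DIR KEYLINE: create ~/.ssh with the right modes and add
# the key once. Runs in a subshell so the umask change does not leak out.
install_pubkey() (
    home=$1 keyline=$2
    umask 077                                   # new files are owner-only
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # -x: whole-line match, -F: fixed string (the key is full of regex chars).
    grep -qxF "$keyline" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$keyline" >> "$home/.ssh/authorized_keys"
)

# check_ssh_perms HOME_DIR: report every path StrictModes would reject;
# returns the number of problems, so 0 means clean.
check_ssh_perms() {
    problems=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # -prune stops find descending; -perm -020/-002 test group/other write.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "insecure: $p is group- or world-writable" >&2
            problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Run `check_ssh_perms` against the account that "should" accept the key before turning PasswordAuthentication off, so you are not relying on the fallback you are about to remove.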
10-25-2005, 08:40 PM | #7
Member | Registered: Aug 2003 | Posts: 818
If root logins are not turned on how do you login to do things as root?
10-25-2005, 11:10 PM | #8
Member | Registered: May 2004 | Location: Aust. | Distribution: Debian | Posts: 424
you log in as a user and then su..
10-25-2005, 11:34 PM | #9
Member | Registered: Aug 2003 | Posts: 818
Yea, I thought they meant stopping all root logins. How do you stop other kinds of root logins?
Last edited by unSpawn; 10-26-2005 at 01:16 PM.
10-26-2005, 02:43 PM | #10
Senior Member | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 4,579
Quote:
Originally posted by Brian1
Here are a few quick links from http://www.google.com/linux on how to set up public keys. They can be a bit confusing, but I don't have the time to really write a clearer one. The first uses RSA keys and the second uses DSA. DSA is stronger than RSA from what I know. Both are quite alike and should get you going. If they work, let me know. If I get some spare time I might write something up. I would say there are many posts on the subject here. Use the search feature for setting up ssh with keys.
http://sial.org/howto/openssh/publickey-auth/
http://www.ubuntuforums.org/archive/...p/t-30709.html
Hope this helps.
Brian1
Honestly, I don't think it matters so much which kind of certificates you use, but simply that you do use certificates.
Think of a certificate as a basically-unforgeable identification-badge. Only users who can present a valid credential should be given the slightest bit of attention. They don't get the chance to utter, and thus to brute-force, a password if they cannot get that far.
Note that it doesn't cost any money to set up and use certificates in this way...