Linux - Security forum, LinuxQuestions.org
I have gotten some strange server log activity over the past couple of days. They say:
Oct 22 11:54:04 PC sshd[5556]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 22 11:54:04 PC sshd[5558]: reverse mapping checking getaddrinfo for 130.67-18-135.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Does this mean that I was actually broken into or that someone is trying? If so, what method are they using so that I can possibly stop it?
This is most likely a break in attempt from some script kiddie. If the attacker managed to gain access, it would be in your logs, unless they scrubbed them, but then why leave these lines in there?
My instinct says you are probably fine, but please check your logs for unauthorized access, and even use a rootkit hunter to make sure...
As for method, usually it is just a brute force password attack. Do your logs also contain failed login attempts?
Solutions:
1. don't leave port 22 open to the internet if you don't need access from there
2. Disable password logins and use PubkeyAuthentication instead.
3. Do _not_ allow root logins
4. You can move sshd to a non-standard port. This will take care of a lot of automated script-kiddie attacks
I have root logins turned off; it's my first security defense. With that said, how do I use public keys only? I have never heard of doing so before. Can you please explain how that works?
Here are a few quick links from http://www.google.com/linux on how to set up public keys. They can be a bit confusing but I don't have the time to really write a clearer use. The first uses rsa keys and the second uses dsa. dsa is stronger than rsa from what I know. Both are quite alike and should get you going. If they work let me know. If I get some spare time I might write something up. I would say there are many posts on the subject here. Use the search feature for setting up ssh with keys.
http://sial.org/howto/openssh/publickey-auth/
http://www.ubuntuforums.org/archive/...p/t-30709.html
Hope this helps.
Brian1
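As an added example (not from the thread or from the linked howtos), a small POSIX shell script that applies the four solutions listed earlier to an sshd_config file and counts the failed password attempts the reply asked about. The file paths, port 2222 and the sample config and log lines are assumptions; on RHEL the real files are /etc/ssh/sshd_config and /var/log/secure.

```shell
#!/bin/sh
# Added example: harden an sshd_config copy (keys only, no root, non-standard
# port) and count "Failed password" lines per source address in an auth log.
# Try it on copies first; restart sshd afterwards and keep an existing session
# open until a key login from a second session works.

# set_directive FILE KEY VALUE: remove every existing KEY line (sshd honours
# the FIRST occurrence, so a stray "PasswordAuthentication yes" above yours
# would win) and append "KEY VALUE".
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" ||
        [ $? -eq 1 ] || return 1        # grep status 1 = nothing left, not an error
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_sshd_config FILE [PORT]: the thread's recommendations 2-4.
# ChallengeResponseAuthentication must be off too, or PAM can still prompt
# for a password even with PasswordAuthentication no.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin no &&
    set_directive "$1" PasswordAuthentication no &&
    set_directive "$1" ChallengeResponseAuthentication no &&
    set_directive "$1" PubkeyAuthentication yes &&
    set_directive "$1" Port "${2:-2222}"
}

# get_directive FILE KEY: the value sshd will use (first uncommented match).
get_directive() {
    awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

# failed_logins_by_ip LOG: "Failed password" attempts per source address,
# busiest first. Run on /var/log/secure to see the brute forcing.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}
# Constructed sample inputs (not from the thread) for trying the functions.
sample_config() { printf 'Protocol 2\n#PermitRootLogin yes\nPasswordAuthentication yes\nPort 22\n'; }
sample_log() {
    printf '%s\n' \
      'Oct 22 11:54:10 PC sshd[5560]: Failed password for root from 192.0.2.10 port 40100 ssh2' \
      'Oct 22 11:54:12 PC sshd[5562]: Failed password for invalid user admin from 192.0.2.10 port 40102 ssh2' \
      'Oct 22 11:55:01 PC sshd[5570]: Failed password for bob from 198.51.100.7 port 51000 ssh2'
}
```

Run `sshd -t` against the edited file before restarting so a typo cannot lock you out.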
Honestly, I don't think it matters so much which kind of certificates you use, but simply that you do use certificates.
Think of a certificate as a basically-unforgeable identification-badge. Only users who can present a valid credential should be given the slightest bit of attention. They don't get the chance to utter, and thus to brute-force, a password if they cannot get that far.
Note that it doesn't cost any money to set up and use certificates in this way...