Linux - Security forum, LinuxQuestions.org
as I stated previously, changing the port is NOT the only thing one should do.
Yes, and it would have been so much better if you could have been as verbose the first time you posted, instead of making it sound like the port change would magically make the box more secure. Yes, his logs will be clean now (expression borrowed from unixfool), but he is still just as vulnerable as he was before. Hopefully he'll implement some of you guys' other suggestions in the near future. It would IMHO be a huge waste if someone with security concerns ends up only taking measures which essentially add up to nothing more than a cosmetic improvement.
I think people who advocate changing the port are focusing on the threat (worms, botnets, and attackers doing port sweeps). The people who say that isn't effective and you're still just as vulnerable are focusing on the vulnerability part of the equation. Whether you focus on the threat or vulnerability, you're reducing risk which is a good thing.
Quote:
I think people who advocate changing the port are focusing on the threat (worms, botnets, and attackers doing port sweeps). The people who say that isn't effective and you're still just as vulnerable are focusing on the vulnerability part of the equation.
FWIW, I agree with you on this. Math rules!
EDIT: I would just add that even though the threat might be reduced a little with regards to automated attacks, it isn't reduced regarding determined attackers. That is a key point, and has a great effect on the equation IMHO. By focusing on the underlying vulnerabilities, risk is reduced way more - which brings us back to the "it's not the only thing you should do" thing, yada yada.
* Changed the port
* I've lowered the LoginGraceTime to 30 seconds
* I've made the MaxAuthTries 2
* I've changed MaxStartups to 3:50:10
* I've disabled root login onto the box, although I need it for some backups, so I did the following
Code:
PermitRootLogin forced-commands-only
# sshd uses the first value it reads for a keyword, so this second line has no effect
PermitRootLogin yes
* I only enabled ssh for one user, and I made the username and password solid.
I'd like to enable just ssh-key authentication, and play around with hosts.deny, and so on, but currently my logs seem much better, so I'll monitor this before I start playing with that.
Also, how can I check, if someone got in, for possible backdoors on my system? What tools can I use? I'm busy going through all my servers' logs now, and I've noticed the following on one of them..
Code:
reverse mapping checking getaddrinfo for debian.licanet.cz failed - POSSIBLE BREAKIN ATTEMPT!
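The settings listed above interact in ways that are easy to get wrong, in particular the two PermitRootLogin lines: sshd_config(5) states that for each keyword the first value read is the one used, so a later contradictory line is silently ignored. The following checker is an added example, not code from the thread; it parses a constructed sshd_config fragment mirroring the poster's list (the port number, AllowUsers name and the commented-out PasswordAuthentication line are assumptions) with the same first-value-wins rule and reports duplicates and settings that still leave password guessing possible. It deliberately ignores Match blocks and Include directives.

```python
"""Flat sshd_config checker using sshd's "first value wins" rule (added example)."""
import re

# Constructed fragment, not the poster's real file. Port 2222, the AllowUsers
# name and the commented-out PasswordAuthentication line are assumptions.
SAMPLE_CONFIG = """\
Port 2222
LoginGraceTime 30
MaxAuthTries 2
MaxStartups 3:50:10
PermitRootLogin forced-commands-only
PermitRootLogin yes
AllowUsers backupadmin
#PasswordAuthentication no
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
KEYWORD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return (effective, duplicates) for a config without Match/Include.

    effective: keyword (lowercased) -> the FIRST value seen, as sshd applies it.
    duplicates: keyword -> every value given, for keywords set more than once.
    """
    effective, all_values = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        all_values.setdefault(key, []).append(value)
        effective.setdefault(key, value)  # later values do not overwrite
    duplicates = {k: v for k, v in all_values.items() if len(v) > 1}
    return effective, duplicates


def lint(text):
    """Return human-readable findings about the effective configuration."""
    effective, duplicates = parse_sshd_config(text)
    findings = []
    for key, values in duplicates.items():
        findings.append(
            f"{key}: set {len(values)} times {values}; sshd keeps the first ({values[0]!r})"
        )
    root = effective.get("permitrootlogin")
    if root == "yes":
        findings.append("permitrootlogin yes: root may log in with a password")
    elif root == "forced-commands-only":
        findings.append(
            "permitrootlogin forced-commands-only: root needs a key whose "
            "authorized_keys entry carries command=...; passwords are refused"
        )
    # PasswordAuthentication defaults to yes when the keyword is absent.
    if effective.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(
            "passwordauthentication is yes (explicitly or by default): "
            "password guessing is still possible on the new port"
        )
    if int(effective.get("maxauthtries", "6")) > 3:
        findings.append("maxauthtries above 3: consider lowering it")
    if int(effective.get("logingracetime", "120")) > 60:
        findings.append("logingracetime above 60s: half-open logins hold slots longer")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On a real host the authoritative view is `sshd -T` (prints the configuration sshd will actually apply, after resolving duplicates and defaults) and `sshd -t` (syntax check before a restart); the script is a way to see why the two PermitRootLogin lines do not do what they appear to.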
Quote:
I've disabled root login onto the box, although I need it for some backups, so I did the following
PermitRootLogin forced-commands-only
PermitRootLogin yes
You are MUCH better off disallowing root login and using either su or sudo to do root work over an SSH connection.
Quote:
but currently my logs seem much better, so I'll monitor this before I start playing with that.
This is the root cause of why I complain about moving ports in the first place. Absent any other changes, this is a false sense of security. Just because you're not getting pounded doesn't mean that the next try won't succeed.
Quote:
reverse mapping checking getaddrinfo for debian.licanet.cz failed - POSSIBLE BREAKIN ATTEMPT!
What it means is that the SSH server wasn't able to verify that the address being used is legit. In other words, someone is spoofing IP addresses or domains. If this occurred on your new SSH port, then they've found you again.
Quote:
Also,how can i check,if someone got in,for possible backdoors on my system.
You could use chkrootkit and rkhunter to look for things. You should also look through your logs and see if anyone actually managed to log into SSH that you don't recognize. Also look through the output of lsof -i and see if there are any services listening that you don't recognize. Looking at root's .bash_history couldn't hurt either. You also might want to install Aide, Samhain or Tripwire to monitor the status of the files on your computer. These won't stop a break-in but they can tell you what was done.
Of course none of this makes any difference if you actually were compromised, as skilled crackers will take steps to hide their tracks from the normal sorts of approaches, and checkers like Aide won't detect a break-in if they are installed after it occurred.
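The log review suggested above (did anyone you don't recognize actually get an "Accepted" login, and what did the source of that reverse-mapping warning do?) is easy to script. The triage below is an added example and not code from the thread; it runs over constructed auth.log lines (the hostnames, TEST-NET addresses and the backupadmin account are assumptions) and flags accepted logins from unknown users or sources, any password login once you intend to be key-only, failed attempts per source, and the reverse-mapping warning. sshd prints that warning when the PTR name of the connecting address does not resolve back to that address, so the example keys it next to the failed attempts from the same period rather than treating it as proof of anything on its own. The pattern accepts both the older "BREAKIN" wording quoted in the post and the current "BREAK-IN ... [addr]" form.

```python
"""Triage of sshd auth.log lines for unexpected logins (added example)."""
import re
from collections import Counter

# Constructed sample lines, not logs from the poster's server. The reverse-mapping
# line uses the older wording quoted in the thread; newer OpenSSH prints
# "BREAK-IN" and appends the source address in brackets.
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:07 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 04:12:09 srv sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 04:13:01 srv sshd[2240]: reverse mapping checking getaddrinfo for host.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar  3 04:13:05 srv sshd[2240]: Failed password for invalid user test from 203.0.113.9 port 51300 ssh2
Mar  3 08:30:11 srv sshd[2301]: Accepted publickey for backupadmin from 192.0.2.10 port 40022 ssh2
Mar  3 09:15:44 srv sshd[2355]: Accepted password for backupadmin from 198.51.100.23 port 4411 ssh2
"""

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
REVERSE_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (\S+)(?: \[(\S+)\])? failed - POSSIBLE BREAK-?IN ATTEMPT"
)


def triage(log_text, known_users, known_sources, keys_only=True):
    """Summarise sshd activity and flag accepted logins that need a second look.

    known_users / known_sources are the accounts and source addresses the
    operator expects (assumptions supplied by the caller). With keys_only=True
    an accepted *password* login is flagged even for a known user and source,
    since the goal in the thread is to move to key-only authentication.
    """
    accepted, suspicious, reverse = [], [], []
    failed_by_source = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src, port = m.groups()
            entry = {"method": method, "user": user, "src": src, "port": int(port)}
            accepted.append(entry)
            reasons = []
            if user not in known_users:
                reasons.append("unknown user")
            if src not in known_sources:
                reasons.append("unknown source")
            if keys_only and method == "password":
                reasons.append("password login")
            if reasons:
                suspicious.append({**entry, "reasons": reasons})
            continue
        m = FAILED_RE.search(line)
        if m:
            failed_by_source[m.group(2)] += 1
            continue
        m = REVERSE_RE.search(line)
        if m:
            # addr is None in the older log format, which omits the bracketed IP.
            reverse.append({"name": m.group(1), "addr": m.group(2)})
    return {
        "accepted": accepted,
        "suspicious": suspicious,
        "failed_by_source": failed_by_source,
        "reverse_mapping": reverse,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG, known_users={"backupadmin"}, known_sources={"192.0.2.10"})
    for item in report["suspicious"]:
        print("LOOK AT:", item)
    for src, n in report["failed_by_source"].most_common():
        print(f"{n} failed attempts from {src}")
    for warn in report["reverse_mapping"]:
        print("reverse mapping failed for", warn["name"], warn["addr"] or "(no address logged)")
```

Feed it /var/log/auth.log on Debian-style systems or /var/log/secure on Red Hat-style ones, and compare the accepted logins with `last` and `lastlog`. As the post above says, a baseline from AIDE or Tripwire only helps if it was taken before the compromise; log triage like this is the cheaper first pass.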