Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have never seen the sshd: unknown [priv] syntax before. Not even when regularly logging in as any user. It scared the crap out of me; I shut down ssh right away. The w command shows that only I am logged into the machine. And the weird thing is it's talking about root, and root shouldn't even be logged in!
Is this something completely normal? What does it mean? I tried to google it but the results that seemed relevant didn't turn out to be so. Is there a reason why it would show this now and not before?
Your insight is appreciated, thank you.
-Chi
Added:
I also just downloaded/ran Rootkit Hunter (the one mentioned in this forum) and it didn't detect anything wrong, and w wasn't tampered with or anything. So I feel a lot better about this now, because I've been compromised on another machine before and it wasn't pretty :P
One of the current Linux magazines has an article on securing SSH. Unfortunately, I left it at work and can't tell you which one it is. It dealt with not allowing logins by system users, changing the default port and only allowing certain IP addresses. Changing the default port isn't a lot of protection, but it does eliminate the lion's share of attacks from script kiddies who start out scanning different IP addresses for port 22.
From the sshd_config manpage:
DenyGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. Login is disallowed for users whose primary
group or supplementary group list matches one of the patterns.
‘*’ and ‘?’ can be used as wildcards in the patterns. Only group
names are valid; a numerical group ID is not recognized. By
default, login is allowed for all groups.
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. ‘*’ and ‘?’ can be used as wildcards
in the patterns. Only user names are valid; a numerical user ID
is not recognized. By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are
separately checked, restricting logins to particular users from
particular hosts.
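Added example, not from any post in this thread: a small POSIX shell audit that reads an sshd_config for the three controls the magazine article is described as covering (no root login, a non-default port, logins limited to named users and hosts) and shows the manpage's USER@HOST form in a hardened sample next to a permissive one. Both config files are constructed here, the helper names (sshd_cfg_get, audit_sshd_config) are mine, and the parser assumes the plain "Keyword value" form and ignores everything under a Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the controls the thread recommends
# (no root login, non-default port, logins limited to named users/hosts).
# It only reads a file; it never talks to sshd. Helper names are my own.

# Print the effective value of KEYWORD in FILE, or nothing if it is unset.
# sshd_config(5): the first value obtained for a keyword wins, so stop at the
# first hit. Lines under a Match block apply conditionally and are skipped
# (simplification); "Keyword=value" syntax is not handled (assumption).
sshd_cfg_get() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { inmatch = 1 }
        inmatch                     { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# Print one line per finding; the exit status is the number of findings.
audit_sshd_config() {
    file=$1; findings=0

    root=$(sshd_cfg_get "$file" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) ;;
        "") echo "PermitRootLogin unset: the default was yes before OpenSSH 7.0, state 'no' explicitly"
            findings=$((findings + 1)) ;;
        *)  echo "PermitRootLogin is '$root': set it to no and use su/sudo after login"
            findings=$((findings + 1)) ;;
    esac

    port=$(sshd_cfg_get "$file" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "Port is 22: moving it only cuts scanner noise, but it cuts most of it"
        findings=$((findings + 1))
    fi

    if [ -z "$(sshd_cfg_get "$file" AllowUsers)" ] && [ -z "$(sshd_cfg_get "$file" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every account with a valid shell may attempt a login"
        findings=$((findings + 1))
    fi
    return $findings
}

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# Constructed sample 1: the permissive settings many distributions shipped.
cat > "$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the three controls plus the manpage's USER@HOST form.
# admin may log in only from the LAN, backup only from one host, nobody else.
# DenyGroups is evaluated after AllowUsers, so a listed user who is in group
# nosshd is still refused (sshd_config(5) order: DenyUsers, AllowUsers,
# DenyGroups, AllowGroups).
cat > "$HARD" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@192.168.1.* backup@10.0.0.5
DenyGroups nosshd
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "no findings"
done
```

Before restarting the real daemon, validate the edited file with `sshd -t -f /etc/ssh/sshd_config` and keep your current session open while you test the new port and the AllowUsers line from a second terminal: a typo in either locks you out.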
What would [net] signify?
It's set in sshd.c: "setproctitle("%s", "[net]");". Sshd sets up an unprivileged child process to deal with network data as part of the pre-auth stage, AFAIK.
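As an added example, not from this thread: a POSIX shell snippet that classifies sshd process titles the way the [net]/[priv] explanation above implies, over a constructed ps listing, and pulls the source addresses of "Invalid user" attempts out of constructed auth log lines. The title mapping follows the setproctitle() calls in OpenSSH's sshd.c and monitor.c for the single-binary layout of the OpenSSH releases this thread dates from: the privileged monitor (which keeps running as root, hence the root owner in ps and w even when nobody has logged in as root) titles itself "<user> [priv]" once the [net] child hands it a user name, and "unknown [priv]" when that name does not resolve to an account the server will accept. Function names and the sample lines are mine.

```shell
#!/bin/sh
# Added example: classify sshd process titles and summarise "Invalid user"
# log lines. All input below is constructed; function names are my own.

# Map one sshd process title (the args column of ps) to what the process is.
# Titles follow OpenSSH's setproctitle() calls (single sshd binary layout):
#   "[net]"          unprivileged pre-auth child talking to the client
#   "<user> [priv]"  root monitor once the child has named a user
#   "unknown [priv]" root monitor for a user name the server would not accept
#   "<user>@<tty>"   authenticated session (the only kind w(1) can show)
sshd_title_kind() {
    case "$1" in
        *'[listener]'*|*/sshd|*/sshd' '*) echo listener ;;
        'sshd: [accepted]')              echo accepted ;;
        'sshd: [net]')                   echo net ;;
        'sshd: unknown [priv]')          echo priv-unknown ;;
        'sshd: '*' [priv]')              echo priv ;;
        'sshd: '*@notty)                 echo session-notty ;;
        'sshd: '*@*)                     echo session ;;
        *)                               echo other ;;
    esac
}

# Print "kind pid user" for every sshd line of a "ps -eo pid,user,args" listing.
sshd_process_kinds() {
    printf '%s\n' "$1" | while read -r pid user args; do
        case "$args" in *sshd*) ;; *) continue ;; esac
        printf '%s %s %s\n' "$(sshd_title_kind "$args")" "$pid" "$user"
    done
}

# Number of connections currently in pre-auth under a rejected user name.
count_unknown_priv() {
    sshd_process_kinds "$1" | grep -c '^priv-unknown '
}

# Source addresses of "Invalid user" lines with their counts, busiest first.
invalid_user_sources() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed listing: one real login (chi) and one stranger mid-authentication
# as an account that does not exist. w(1) shows only the pts/0 session, since
# the pre-auth processes never get a utmp entry.
PS_SAMPLE='  912 root     /usr/sbin/sshd
 4410 root     sshd: chi [priv]
 4412 chi      sshd: chi@pts/0
 5120 root     sshd: unknown [priv]
 5121 sshd     sshd: [net]'

# Constructed auth log lines for the same minute (RFC 5737 test addresses).
LOG_SAMPLE='Mar  3 02:14:07 box sshd[5120]: Invalid user oracle from 203.0.113.7
Mar  3 02:14:09 box sshd[5120]: Failed password for invalid user oracle from 203.0.113.7 port 51442 ssh2
Mar  3 02:14:11 box sshd[5130]: Invalid user test from 203.0.113.7
Mar  3 01:58:02 box sshd[4410]: Accepted publickey for chi from 192.168.1.20 port 40112 ssh2'

sshd_process_kinds "$PS_SAMPLE"
echo "pre-auth connections for rejected user names: $(count_unknown_priv "$PS_SAMPLE")"
echo "invalid-user attempts by source:"
invalid_user_sources "$LOG_SAMPLE"
```

On a live box, `ps -eo pid,ppid,user,args | grep '[s]shd'` gives the first input and `grep 'Invalid user' /var/log/auth.log` (or /var/log/secure on Red Hat derived systems) the second; the PID in the log's `sshd[NNNN]` field is the one to match against the `unknown [priv]` process you saw.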