SSH Server Connection Question
Hi there --
We have an SSH server that is periodically used for remote connections to our network. The following incident occurred earlier today, and I wanted to get feedback. A visiting scholar is on-site and has a connection to the server. A routine check of the server indicated the user account had connected to the server from a remote location. I am concerned this could be a case of either a compromised or shared user account and password. Am I being overly paranoid about this? What steps should I take to get to the bottom of the mystery? Thanks.
There are various options depending on the specifics:
No, you're not being overly paranoid about this. Take shell access to your servers very seriously.
There is a '.bash_history' file in every user's home directory. If they didn't know to delete its contents, you can see the commands that they have been running. I hope you catch them RED HANDED, lol
You're not overly paranoid.
Take some steps to verify the source of the "external" connection, though. It's possible the visitor logged in from "outside" by using a VPN to get back to their "home" network (thus all their traffic was showing up as coming from wherever they usually reside, even if they were connected to your network), or by using a mobile wireless card (the kind that use cellular networks).
Hi there --
Thanks for the replies from everyone. Going by the following suggestion:
Quote:
Code:
$ dig -x <ip address connection came from>
Code:
$ traceroute <ip address connection came from>

Have you tried the simple step of just asking the visitor how/when they accessed the system in question, and if they may have given their login information to anyone else?
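Before running dig -x or traceroute against an address, it helps to know exactly which accepted logins for the account came from where and when, so the visitor's answer can be checked against the record. The following Python script is an added example, not code posted in this thread: it parses "Accepted ..." lines in sshd's syslog output, groups source addresses per user, and flags any account that logged in from more than one address when at least one of them is outside an assumed internal range. The log lines are constructed samples, the host name sshhost, the user names and all addresses are made up, and the 10.* prefix standing for "internal" is an assumption you would replace with your own ranges.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog format (not real log data).
# On a real host these come from /var/log/auth.log or /var/log/secure,
# or from `journalctl -u ssh`.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 sshhost sshd[2211]: Accepted publickey for scholar from 10.20.30.40 port 51022 ssh2: RSA SHA256:abc
Mar  3 09:40:15 sshhost sshd[2290]: Accepted password for scholar from 10.20.30.40 port 51100 ssh2
Mar  3 13:05:44 sshhost sshd[2418]: Accepted password for scholar from 198.51.100.23 port 40211 ssh2
Mar  3 13:06:02 sshhost sshd[2430]: Failed password for root from 203.0.113.9 port 3322 ssh2
Mar  3 14:10:30 sshhost sshd[2511]: Accepted password for admin from 10.20.30.5 port 60100 ssh2
"""

# Matches only successful logins; failed attempts are ignored here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Assumed internal address space for this example; adjust to your network.
INTERNAL_PREFIXES = ("10.",)


def parse_accepted_logins(log_text):
    """Return one dict (ts, method, user, ip, port) per accepted login line."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def is_internal(ip, internal_prefixes=INTERNAL_PREFIXES):
    """Crude prefix check standing in for a real allow-list of internal ranges."""
    return ip.startswith(internal_prefixes)


def logins_by_user(logins):
    """Map each user to the sorted list of distinct source addresses."""
    sources = defaultdict(set)
    for entry in logins:
        sources[entry["user"]].add(entry["ip"])
    return {user: sorted(ips) for user, ips in sources.items()}


def events_for_user(logins, user):
    """Timeline of (timestamp, ip, method) for one account, in log order."""
    return [(e["ts"], e["ip"], e["method"]) for e in logins if e["user"] == user]


def flag_suspicious(logins, internal_prefixes=INTERNAL_PREFIXES):
    """Accounts seen from more than one address, at least one of them external.

    A single external address on its own is not flagged: a user who only ever
    connects through a VPN would look like that legitimately.
    """
    flagged = {}
    for user, ips in logins_by_user(logins).items():
        external = [ip for ip in ips if not is_internal(ip, internal_prefixes)]
        if len(ips) > 1 and external:
            flagged[user] = {"all_sources": ips, "external": external}
    return flagged


if __name__ == "__main__":
    logins = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for user, info in flag_suspicious(logins).items():
        print(f"{user}: seen from {info['all_sources']}, external: {info['external']}")
        for ts, ip, method in events_for_user(logins, user):
            print(f"  {ts}  {ip:<16} {method}")
```

The external addresses this prints are the ones worth feeding to dig -x and traceroute, and the timestamps give you something concrete to put to the visitor ("were you connected at 13:05 from somewhere other than your desk?"). Sessions that are still open can be cross-checked with `who` or `last`, which read the same login records from a different source.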
Hi there --
Going on somewhat of a tangent here: Is there software that would bring up a world map that could be used in conjunction with dig and traceroute? Thanks.
You could try http://whatismyipaddress.com/staticp...ual-traceroute
Perhaps the easiest thing to do would be to ask your user if they have given their logon info to anyone else; if not, explain that the account info may have been "stolen." Explain vaguely that their account had logged on remotely. Explain your policy. Change the password. If it happens again disable the account.