Linux - Security (LinuxQuestions.org forum). This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I had just gotten Arch up and running a couple of weeks back, and I was following a random user's guide (previous Ubuntu user and newb to Linux in general). I think it may have been a mistake.
When I was configuring my iptables/ufw, I'd added a rule to iptables allowing ssh to be used from anywhere (I think so anyhow); it came up as something along the lines of 'ALLOW: IN : ANYWHERE: ssh 22' in red font on gufw. This had been open for a few days, and I didn't realize the security risk until I learned what ssh is.
So is it likely that my system is compromised and needs a full hard drive wipe? hosts.deny remained in its default state, so wouldn't that override the iptables configuration or no? Could my router have kept any potential threats out like it has before despite the rule?
Could my router have kept any potential threats out like it has before despite the rule?
Sure. I mean, you're saying this box was behind a NAT router that was not configured to forward traffic to TCP port 22, right? If so, then your SSH daemon was never exposed to the Internet. That said, you can check /var/log/auth.log for evidence of remote login activity.
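To make the "check /var/log/auth.log" advice above concrete, here is an added example (not code from anyone in the thread) that parses sshd lines in the usual syslog format and separates the two things worth knowing: whether any login was actually accepted from an address outside the LAN, and whether any failed attempts arrived from the Internet at all. If the router never forwarded port 22, neither will show up. The log sample is constructed; the non-LAN addresses in it are RFC 5737 documentation addresses standing in for Internet hosts. On Arch, sshd normally logs to the systemd journal rather than /var/log/auth.log, so the same parser can be fed the output of `journalctl -u sshd`.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in syslog/auth.log format (not taken from the poster's machine).
# 192.168.1.20 is a LAN host; 198.51.100.77 and 203.0.113.9 are documentation
# addresses (RFC 5737) used here as stand-ins for Internet addresses.
SAMPLE_AUTH_LOG = """\
Mar 14 08:01:12 archbox sshd[1201]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 14 08:03:45 archbox sshd[1230]: Failed password for root from 198.51.100.77 port 41022 ssh2
Mar 14 08:03:49 archbox sshd[1230]: Failed password for root from 198.51.100.77 port 41022 ssh2
Mar 14 08:04:02 archbox sshd[1241]: Invalid user admin from 198.51.100.77 port 41100
Mar 14 08:04:05 archbox sshd[1241]: Failed password for invalid user admin from 198.51.100.77 port 41100 ssh2
Mar 14 09:10:33 archbox sshd[1302]: Accepted password for alice from 203.0.113.9 port 55001 ssh2
Mar 14 09:12:00 archbox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/pacman -Syu
"""

# Patterns for the three sshd message kinds that matter for this question.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

# Address ranges that can only be reached from the LAN side of a home NAT router.
# Listed explicitly (rather than via ip.is_private) so the documentation ranges
# used in the sample are treated as "outside", the way real Internet addresses would be.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]


def is_lan_address(ip_text):
    """True if the address is loopback, link-local or RFC 1918 (LAN side of the router)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # `in` returns False when the address and network are different IP versions.
    return any(ip in net for net in LAN_NETWORKS)


def summarize_sshd(log_text):
    """Return accepted logins, accepted logins from non-LAN addresses, and failure counts."""
    accepted = []
    failed_by_ip = Counter()
    invalid_users = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"user": m["user"], "ip": m["ip"], "method": m["method"],
                             "from_outside": not is_lan_address(m["ip"])})
            continue
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            invalid_users[m["user"]] += 1
    return {
        "accepted": accepted,
        "accepted_from_outside": [a for a in accepted if a["from_outside"]],
        "failed_by_ip": dict(failed_by_ip),
        "invalid_users": dict(invalid_users),
        "outside_failures": {ip: n for ip, n in failed_by_ip.items() if not is_lan_address(ip)},
    }


if __name__ == "__main__":
    # Run stand-alone over the constructed sample; on a real box, pass the file contents
    # or the text from `journalctl -u sshd --no-pager` instead.
    summary = summarize_sshd(SAMPLE_AUTH_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

An "Accepted" entry from a non-LAN address is the only line type that shows a remote login actually happened; "Failed password" and "Invalid user" entries from outside addresses only show that the port was reachable from the Internet. A log with neither is consistent with the router never forwarding port 22, which is the situation described in the reply.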
Yes, I'm behind a NAT router and the router wasn't configured to allow access to port 22. I'd checked that before and didn't see anything unusual, but just to make sure I'll look over it once more. Thanks for the help.