increasing failed sshd logins/clearing breadcrumb trails
tim at spyderweb.com.au
Tue Sep 14 19:50:57 PDT 2004
In the immortal words of Glenn Sieb <ges+lists at wingfoot.org>...
> I've been getting this for weeks. They're all under APNIC, and emails
> to abuse at the involved networks have gone unanswered.
I've been getting these as well, but from a multitude of address spaces.
Not just APNIC.
> The easiest way to protect this is to check your sshd_config and set:
> PermitRootLogin no
Agreed. However, if you 'absolutely' require something to be done
remotely as root, make it a pub/priv key sequence and limit the command
using the keys, i.e.:
change sshd_config to PermitRootLogin without-password
and set up
command="/usr/local/bin/rsync --server --daemon ." ssh-dss <snip actual
in the authorized_keys file. This limits the abilities of the remote
login to just running the rsync command with the specified switches.
Anything else just doesn't work.
> Which, if you're exposed to the 'Net would be a sane practice--force
> people to log in as themselves and su (or sudo or sudoscript) to root.
Very sane practice.
> Admittedly, I am not sure about the rest of your posting. When I run
> last, (on 4.10-STABLE) it shows logins back to the 1st of September.
It is possible that the box was compromised and the utmp/wtmp log
removed/edited/etc, and I would start looking immediately for other
traces of a possible intrusion.
Cheers & good luck
Tim Aslat <tim at spyderweb.com.au>
Phone: +61 0401088479
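An added example, not part of Tim's post or of any FreeBSD/OpenSSH tooling: a small POSIX sh audit that checks the two settings discussed in the thread. It reports the effective PermitRootLogin value from an sshd_config copy (sshd honours the first matching directive; "yes" is the default when it is absent) and lists the lines of an authorized_keys file that carry no command="..." forced command. File paths are arguments, so it runs on any copies; the --demo branch writes constructed sample files rather than reading real ones. Match blocks are not evaluated, which is the conservative choice (only the global value is reported).

```shell
#!/bin/sh
# Added example (not from the original post): audit PermitRootLogin and
# forced-command restrictions on root's keys. File paths are assumptions
# passed in by the caller.

# Effective PermitRootLogin value. sshd uses the FIRST matching directive;
# "yes" is the OpenSSH default when the keyword is absent. Parsing stops at
# the first Match block, so only the global value is reported.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comments
        tolower($1) == "match" { exit }           # stop at first Match block
        tolower($1) == "permitrootlogin" && !set { val = tolower($2); set = 1 }
        END { print (set ? val : "yes") }
    ' "$1"
}

# Line numbers of authorized_keys entries lacking a command="..." forced
# command. Options precede the key type and are comma separated, so a
# restricted entry has command=" at line start or right after a comma.
unrestricted_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }             # skip comments and blank lines
        $0 !~ /(^|,)command="/ { print NR }
    ' "$1"
}

# Verdict: 0 if root login is key-only (or off) and every key in the given
# authorized_keys file is tied to a forced command, 1 otherwise.
audit_root_ssh() {
    prl=$(permit_root_login "$1")
    case "$prl" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is '$prl'; set it to no or prohibit-password"; return 1 ;;
    esac
    bad=$(unrestricted_keys "$2")
    if [ -n "$bad" ]; then
        echo "authorized_keys lines without command= restriction: $(echo "$bad" | tr '\n' ' ')"
        return 1
    fi
    echo "ok: PermitRootLogin=$prl and all keys are command-restricted"
    return 0
}

# Stand-alone demo with constructed sample files (nothing real is read).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'Port 22\n# PermitRootLogin yes\nPermitRootLogin without-password\nPermitRootLogin yes\n' > "$tmp/sshd_config"
    printf '# rsync-only key (constructed)\ncommand="/usr/local/bin/rsync --server --daemon ." ssh-dss AAAAB3...snip== backup@host\n\nssh-rsa AAAAB3...snip== admin@laptop\n' > "$tmp/authorized_keys"
    audit_root_ssh "$tmp/sshd_config" "$tmp/authorized_keys"
    rm -r "$tmp"
fi
```

Run it as `sh audit.sh --demo` to see it flag the unrestricted ssh-rsa line, or call audit_root_ssh with copies of /etc/ssh/sshd_config and /root/.ssh/authorized_keys. Note that without-password is the older spelling; OpenSSH 7.0 renamed it prohibit-password and still accepts both, which is why the case statement allows either.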