increasing failed sshd logins/clearing breadcrumb trails
ges+lists at wingfoot.org
Tue Sep 14 21:21:25 PDT 2004
Tim Aslat said the following on 9/14/2004 10:51 PM:
>In the immortal words of Glenn Sieb <ges+lists at wingfoot.org>...
>>I've been getting this for weeks. They're all under APNIC, and emails
>>to abuse at the involved networks has gone unanswered.
>I've been getting these as well, but from a multitude of address spaces.
> Not just APNIC.
I should have been clearer--the ones coming in on *my* server have all
been from APNIC :-/
>Agreed. However if you 'Absolutely' require something to be done
>remotely as root, make it a pub/priv key sequence and limit the command
>using the keys.
*nod* But I really can't think of any reason to have an exposed machine
allow a direct-root login... Probably I just haven't had that particular
need or experience yet...
But with protected machines? Sure--at my old job (at Lumeta) we had our
"one trusted" machine which was allowed to ssh as root (using keys only)
to our internal machines. For purposes of pushes/pulls/upgrades/stuff
along those lines.
>Very sane practice
*nod* I'd like to think Tal rubbed off on me a bit :)
>It is possible that the box was compromised and the utmp/wtmp log
>removed/edited/etc, and I would start looking immediately for other
>traces of a possible intrusion.
*nod* Hopefully he wasn't hacked--that would be major suckage :-/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
~Benjamin Franklin, Historical Review of Pennsylvania, 1759
More information about the freebsd-questions