Hacked - FreeBSD 7.1-Release

Chris H chris# at 1command.com
Fri Dec 25 02:40:21 UTC 2009


On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
> Squirrel wrote:
>
>> most likely could be some kind of remote code execution or SQLi executed in
>> the context of some php scripts, you should audit php code of your web
>> interface and of the websites you host. also consider the strength of your
>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>> there are a few bruteforcers for webmin out there, (*hint*) consider the length
>> of your average password if it's more than 7-8 characters alphanumeric with
>> symbols most likely this isn't the case.
>
> While it's true that it's a good idea to check your password strength, pretty
> much any host connected to the internet is going to be hit daily by bots
> looking for weak passwords.  It's one area where your logs don't help much
> because there is too much noise.
That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).
Consider adding the following to your /etc/rc.conf:

# SECURITY RELATED
####################################
syslogd_flags="-ss"
log_in_vain="YES"
tcp_keepalive="YES"


now your log file will /really/ sing (log_in_vain="YES").
Of course, unless you have a great deal of time on your hands, visually parsing
that "noisy" log will be quite tedious, and time consuming. So you have a few
options...
If you're running X11, simply run tail in a root window - there are quite a few
utilities in ports for doing just this - some that'll only write messages you
want to see.
You could also create a script out of cron that will only produce messages you
are interested in, for example:

~# grep ssh /var/log/messages

will emit any attempt to ssh into your box
you can also redirect the messages to a file:

~# grep ssh /var/log/messages >>~/EVIL_DOERS

You could also add an entry to PERIODIC(8) that will
provide a daily report on any attempts you are interested in.

HTH

--Chris H
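The cron/periodic(8) daily report suggested in the message above, as an added example that is not part of the original post: a POSIX sh script that pulls "Failed password" lines from sshd and the kernel's log_in_vain "Connection attempt" messages out of a syslog file, counts them per source address (and, for log_in_vain, per target port), and lists sources that reach a failure threshold. The log file path (/var/log/messages), the THRESHOLD value, and the sample log lines written by make_sample_log are all assumptions constructed for the example; the line format follows the "Mon DD HH:MM:SS host prog[pid]: msg" layout of FreeBSD's syslogd.

```shell
#!/bin/sh
# Daily report of failed ssh logins and log_in_vain connection attempts.
# Added example, not from the original post. Assumes FreeBSD syslog line
# format and that sshd and kernel messages both land in $LOGFILE.
set -eu

LOGFILE=${LOGFILE:-/var/log/messages}   # assumption: adjust for your syslog.conf
THRESHOLD=${THRESHOLD:-3}               # flag a source at this many failed logins

# Constructed sample log lines so the script can be run offline.
make_sample_log() {
  cat > "$1" <<'EOF'
Dec 24 03:12:01 host sshd[1234]: Invalid user admin from 203.0.113.5
Dec 24 03:12:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 24 03:12:09 host sshd[1240]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 24 03:12:15 host sshd[1241]: Failed password for root from 203.0.113.5 port 51241 ssh2
Dec 24 03:15:44 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:44001 flags:0x02
Dec 24 03:15:45 host kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.7:44002
Dec 24 03:15:46 host kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:44003 flags:0x02
Dec 24 04:01:12 host sshd[1300]: Accepted publickey for chris from 192.0.2.20 port 60000 ssh2
Dec 24 04:10:00 host sshd[1310]: Failed password for root from 198.51.100.7 port 45000 ssh2
Dec 24 04:10:30 host login: 2 LOGIN FAILURES ON ttyv0
EOF
}

# Failed ssh password attempts per source address: "count ip", most first.
# Only "Failed password" lines are counted; the "Invalid user" line that
# precedes one is the same attempt and would double-count it.
ssh_failures() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         ip = ""
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         if (ip != "") print ip
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# log_in_vain kernel messages per source address and target port:
# "count srcip PROTO:dstport", most first.
vain_attempts() {
  awk '/kernel: Connection attempt to (TCP|UDP) / {
         for (i = 1; i < NF; i++) if ($i == "attempt" && $(i + 1) == "to") {
           proto = $(i + 2); split($(i + 3), dst, ":"); split($(i + 5), src, ":")
           if (src[1] != "") print src[1], proto ":" dst[2]
           break
         }
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Sources at or above THRESHOLD failed ssh logins, one address per line.
noisy_sources() {
  ssh_failures "$1" | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

daily_report() {
  echo "Failed ssh logins by source (file: $1):"
  ssh_failures "$1" | sed 's/^/  /'
  echo
  echo "log_in_vain connection attempts by source and port:"
  vain_attempts "$1" | sed 's/^/  /'
  echo
  echo "Sources with >= $THRESHOLD failed ssh logins (blocklist candidates):"
  noisy_sources "$1" | sed 's/^/  /'
}

# Report on the real log if it is readable, otherwise on the sample.
if [ -r "$LOGFILE" ]; then
  daily_report "$LOGFILE"
else
  SAMPLE=$(mktemp)
  make_sample_log "$SAMPLE"
  daily_report "$SAMPLE"
  rm -f "$SAMPLE"
fi
```

Dropped into /usr/local/etc/periodic/daily/ (periodic(8) runs scripts there via local_periodic), its output ends up in the daily run report mailed to root. If sshd logs to /var/log/auth.log on your system, point LOGFILE there; the log_in_vain messages will still need /var/log/messages, so run it once per file or concatenate them first.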

