Re: sshd question



Pythoni wrote:
I am a newbie with Linux. A friend of mine setup a Linux box for me and
now I try to understand and learn about Linux.
Three days ago my Linux box stopped (dark screen, no response) and I
had to restart.
The server was possibly hacked.
How can I find out the way the hacker used against my Linux box?

Not so easy. Compare the system with your backups, packages lists, whatever (be
sure, they are not affected by cracker too). There may be rootkit screwed in,
which may be hard to find. Try rootkit finder or something to detect such piece
of ...

Today I saw (in log) again

Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from
201.63.24.60
Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user
piotrs from 201.63.24.60 port 46229 ssh2
Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from
201.63.24.60
Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user
misiek from 201.63.24.60 port 46309 ssh2
Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user
opel from 201.63.24.60 port 46392 ssh2
Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from
201.63.24.60
Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user
pablo from 201.63.24.60 port 46468 ssh2
Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking
getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
...
....
...

This is normal if you have and want opened 22 port. However, you may use port
knocking.

How shall I stop hackers' attempts?
Thank you for help

It's hard. There are many ways, how to achieve more secured box. You may block
IPs where the attacks come from by logwatch for example. You may permit root to
logon via ssh. You should choose strong password or permit login only by keys.

regards,
--
http://www.fi.muni.cz/~xslaby/ Jiri Slaby
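
The reply above suggests blocking the IPs the attempts come from. As an added example (not part of the original thread), this sketch counts failed sshd logins per source address in the log format quoted in the question and reports any accepted login from an address that had failed earlier. The threshold, the function name and the sample lines with documentation addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in the post (wrapped lines joined).
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not from the thread.
SAMPLE_LOG = """\
Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from 201.63.24.60
Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user piotrs from 201.63.24.60 port 46229 ssh2
Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user misiek from 201.63.24.60 port 46309 ssh2
Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user opel from 201.63.24.60 port 46392 ssh2
Nov 4 07:30:02 myhope sshd[24601]: Failed password for root from 192.0.2.10 port 51022 ssh2
Nov 4 07:30:05 myhope sshd[24603]: Failed password for root from 192.0.2.10 port 51040 ssh2
Nov 4 07:30:09 myhope sshd[24605]: Accepted password for root from 192.0.2.10 port 51077 ssh2
Nov 4 08:00:00 myhope sshd[24700]: Accepted publickey for admin from 198.51.100.7 port 40000 ssh2
"""

# The username is supplied by the remote side and may itself contain
# " from <ip> port <n>". A greedy (.+) plus the end-of-line anchor binds the
# address to the last "from", which is the part sshd wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.+) from (\S+) port \d+(?: ssh\d)?$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (.+) from (\S+) port \d+ ssh\d(?:: .*)?$")

def summarize(log_text, threshold=3):
    """Return (noisy, suspicious): addresses with >= threshold failed logins,
    and accepted logins from an address that failed earlier in the same log."""
    failed = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failed[m.group(3)] > 0:
            method, user, ip = m.groups()
            suspicious.append((ip, user, method, failed[ip]))
    noisy = {ip: n for ip, n in failed.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = summarize(SAMPLE_LOG)
    for ip, n in sorted(noisy.items()):
        print(f"block candidate: {ip} ({n} failed logins)")
    for ip, user, method, n in suspicious:
        print(f"review: {user} logged in via {method} from {ip} after {n} failures")
```

An accepted login that follows failures from the same address is the entry worth checking first when trying to work out whether password guessing succeeded.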