Re: sshd question
- From: "Jack Snodgrass" <jacks_temp_id_indigo@xxxxxxxxxxx>
- Date: Sat, 04 Nov 2006 12:04:01 GMT
On Fri, 03 Nov 2006 23:47:06 -0800, Pythoni wrote:
I am a newbie with Linux. A friend of mine set up a Linux box for me and
now I try to understand and learn about Linux.
Three days ago my Linux box stopped (dark screen, no response) and I
had to restart.
The server was possibly hacked.
How can I find out the way the hacker used against my Linux box?
Today I saw (in log) again
Nov 4 07:21:45 myhope sshd[24543]: Invalid user piotrs from 201.63.24.60
Nov 4 07:21:45 myhope sshd[24543]: Failed password for invalid user piotrs from 201.63.24.60 port 46229 ssh2
Nov 4 07:21:48 myhope sshd[24545]: reverse mapping checking getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:48 myhope sshd[24545]: Invalid user misiek from 201.63.24.60
Nov 4 07:21:48 myhope sshd[24545]: Failed password for invalid user misiek from 201.63.24.60 port 46309 ssh2
Nov 4 07:21:50 myhope sshd[24547]: reverse mapping checking getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:50 myhope sshd[24547]: Invalid user opel from 201.63.24.60
Nov 4 07:21:50 myhope sshd[24547]: Failed password for invalid user opel from 201.63.24.60 port 46392 ssh2
Nov 4 07:21:59 myhope sshd[24549]: reverse mapping checking getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
Nov 4 07:21:59 myhope sshd[24549]: Invalid user pablo from 201.63.24.60
Nov 4 07:21:59 myhope sshd[24549]: Failed password for invalid user pablo from 201.63.24.60 port 46468 ssh2
Nov 4 07:22:01 myhope sshd[24551]: reverse mapping checking getaddrinfo for 201-63-24-60.customer.tdatabrasil.net.br [201.63
...
....
...
How shall I stop hackers' attempts?
Thank you for help
L
Couple of things on securing ssh.
1) Do you really need outside access to your box?
If not, make ssh bind to your local, private
IP address.
2) If you need outside access, disable passwords and only use
keys. This means that anyone who wants to connect has to
already have an ssh setup on your box. In the sshd_config file
use:
    PasswordAuthentication no
Just make sure you have your keys set up so you can access it. ;)
3) Do you have a list of specific IP addresses that will use ssh to
connect to your box? If so, use iptables to limit what IP addresses
can use port 22.
If you only use keys, that will reduce the guessing at userids and
passwords. If you can further limit access by IP address, that will
reduce hack attempts even more.
--
D.A.M. - Mothers Against Dyslexia
see http://www.jacksnodgrass.com for my contact info.
jack - Grapevine/Richardson
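
To see how much password guessing a log like the one quoted above contains, and whether any guessing source was ever let in, the sshd lines can be tallied per source address. This is an added example, not part of the original posts; the sample log is constructed in the quoted format with documentation-range addresses, and the "Accepted" lines assume OpenSSH's standard wording for successful logins.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd log format quoted in the post (line wrapping
# removed). Host name, users and documentation-range addresses are made up.
SAMPLE_LOG = """\
Nov 4 07:21:45 myhost sshd[24543]: Invalid user piotrs from 203.0.113.7
Nov 4 07:21:45 myhost sshd[24543]: Failed password for invalid user piotrs from 203.0.113.7 port 46229 ssh2
Nov 4 07:21:48 myhost sshd[24545]: Failed password for invalid user misiek from 203.0.113.7 port 46309 ssh2
Nov 4 07:21:50 myhost sshd[24547]: Failed password for root from 203.0.113.7 port 46392 ssh2
Nov 4 07:30:02 myhost sshd[24600]: Accepted password for root from 203.0.113.7 port 46500 ssh2
Nov 4 08:00:00 myhost sshd[24700]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Nov 4 08:05:00 myhost sshd[24710]: Failed password for alice from 192.0.2.10 port 50010 ssh2
"""

# The user name is supplied by the client, so it is matched greedily: the
# address taken is always the final "from IP port N ssh2" that sshd wrote.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2"
)

def summarize(log_text):
    """Per source IP: failed-attempt count, user names tried, accepted logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # "Invalid user", "reverse mapping" and non-sshd lines
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failed"] += 1
            entry["users"].add(m["user"])
        else:
            entry["accepted"].append((m["user"], m["method"]))
    return dict(stats)

def guessing_sources(stats, threshold=3):
    """Map each IP with >= threshold failures to True if it also logged in."""
    return {ip: bool(s["accepted"]) for ip, s in stats.items()
            if s["failed"] >= threshold}

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, got_in in guessing_sources(stats).items():
        s = stats[ip]
        note = "LOGIN ACCEPTED: %s" % s["accepted"] if got_in else "no login accepted"
        print(ip, s["failed"], "failures,", len(s["users"]), "users tried;", note)
```

A source that shows both repeated failures and an accepted password login deserves the closest look. Once `PasswordAuthentication no` is in effect, accepted password logins should no longer appear at all.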