[LAD] [ot] - NEED some security advise PLEASE!
nando at ccrma.Stanford.EDU
Sun Feb 15 03:01:29 UTC 2009
On Sun, 2009-02-15 at 01:14 +0000, pete shorthose wrote:
> On Sun, 15 Feb 2009 00:43:17 +0100
> Fons Adriaensen <fons at kokkinizita.net> wrote:
> > On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:
> > > 8226 ? Ss 0:00 sshd: unknown [priv]
> > > 8227 ? S 0:00 sshd: unknown [net]
> > > Just before that I only saw "sshd [accept]" and "sshd [net]".
> > > Shutdown sshd and made new password and restarted sshd. Now it's the same.
> > > Can I easily check where it's coming from and what it's doing. I don't see
> > > anything besides those two lines. No other strange processes.
> > Someone is trying a ssh login - usually from the former
> > east block - and probably trying a list of user names
> > and passwords. Do (as root) tail -50 /var/log/secure
> > to see the show.
> > It happens here all the time. As long as you don't have
> > any easily guessed user/passwd combinations the danger
> > is limited, and closing your network connection for a
> > minute usually makes them go away. Configuring sshd to
> > allow only dsa authentication is better of course.
> I changed the port sshd runs on because I got sick of the
> clickety click as logs were written due to brute force login
> attempts. Not an option for everyone but it did the trick
> nicely for me. Port knocking is another option.
Another option is a service called denyhosts, it adds entries
to /etc/hosts.deny for each host from which a defined number of failed
logins happen. So the attacking hosts are dropped out as they try
passwords and hopefully fail...
More information about the Linux-audio-dev