[LAD] [ot] - NEED some security advise PLEASE!
arnold at arnoldarts.de
Sun Feb 15 09:32:25 UTC 2009
On Sunday 15 February 2009 00:43:17 Fons Adriaensen wrote:
> On Sat, Feb 14, 2009 at 11:55:13PM +0100, Julien Claassen wrote:
> > 8226 ? Ss 0:00 sshd: unknown [priv]
> > 8227 ? S 0:00 sshd: unknown [net]
> > Just before that I only saw "sshd [accept]" and "sshd [net]".
> > Shutdown sshd and made new password and restarted sshd. Now it's the
> > same. Can I easily check where it's coming from and what it's doing. I
> > don't see anything besides those two lines. No other strange processes.
> Someone is trying a ssh login - usually from the former
> east block - and probably trying a list of user names
> and passwords. Do (as root) tail -50 /var/log/secure
> to see the show.
> It happens here all the time. As long as you don't have
> any easily guessed user/passwd combinations the danger
> is limited, and closing your network connection for a
> minute usually makes them go away. Configuring sshd to
> allow only dsa authentication is better of course.
I have a script that filters the log-files for "invalid user", extracts the IP
and adds it to the RECENT table (which is used for blocking for five minutes).
But some of these attackers have botnets which means a lot of IP's to be
blocked before they finished their username-list...
From my experience using key-logins only helps when you have only linux users.
Most windows people don't really understand the concepts of security, public
keys and such.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 197 bytes
Desc: This is a digitally signed message part.
More information about the Linux-audio-dev