Date: Wed, 15 Sep 2004 12:21:29 +0930
From: Tim Aslat <tim@spyderweb.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: increasing failed sshd logins/clearing breadcrumb trails
Message-ID: <20040915122129.240f12fa@bofh.spyderweb.com.au>
In-Reply-To: <4147A795.7070400@wingfoot.org>
References: <20040915021543.85849.qmail@web52907.mail.yahoo.com> <4147A795.7070400@wingfoot.org>
In the immortal words of Glenn Sieb <ges+lists@wingfoot.org>...

> I've been getting this for weeks. They're all under APNIC, and emails
> to abuse@the involved networks have gone unanswered.

I've been getting these as well, but from a multitude of address spaces.
Not just APNIC.

> The easiest way to protect this is to check your sshd_config and set:
> PermitRootLogin no

Agreed. However if you 'Absolutely' require something to be done remotely
as root, make it a pub/priv key sequence and limit the command using the
keys. ie: change sshd_config to

PermitRootLogin without-password

and set up

command="/usr/local/bin/rsync --server --daemon ." ssh-dss <snip actual key>

in the authorized_keys file. This limits the abilities of the remote login
to just running the rsync command with the specified switches. Anything
else just doesn't work.

> Which, if you're exposed to the 'Net would be a sane practice--force
> people to log in as themselves and su (or sudo or sudoscript) to root.

Very sane practice

> Admittedly, I am not sure about the rest of your posting. When I run
> last, (on 4.10-STABLE) it shows logins back to the 1st of September.

It is possible that the box was compromised and the utmp/wtmp log
removed/edited/etc, and I would start looking immediately for other
traces of a possible intrusion.

Cheers & good luck

Tim

-- 
Tim Aslat <tim@spyderweb.com.au>
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479
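Added example (not part of Tim's message or the thread): a small POSIX shell helper that checks which PermitRootLogin value an sshd_config fragment actually applies, and builds the kind of forced-command authorized_keys entry Tim describes. The config text and the key material below are constructed samples, not real hosts or keys. Two caveats on current OpenSSH that the 2004 message predates: `without-password` is now an alias for `prohibit-password`, and `ssh-dss` keys are disabled by default, so a fresh deployment would use an ed25519 or RSA key.

```shell
#!/bin/sh
# Constructed sample configs (not from any real host); in practice feed in
# the contents of /etc/ssh/sshd_config instead.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_SSHD_CONFIG='# constructed sample after hardening
Port 22
PermitRootLogin without-password
PermitRootLogin yes
PasswordAuthentication no
'

# Print the effective PermitRootLogin value from the config text in $1.
# sshd uses the first occurrence of a keyword, so a stray later "yes" is
# ignored; the keyword match is case-insensitive like sshd's own parser.
permit_root_login() {
    printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }'
}

# Return success only if root password logins are off ("no", or key-only
# via without-password / prohibit-password).
root_password_login_disabled() {
    case "$(permit_root_login "$1")" in
        no|without-password|prohibit-password) return 0 ;;
    esac
    return 1
}

# Build an authorized_keys line that pins the key in $2 to the single
# command in $1 and strips the other channels (forwarding, pty) the key
# would otherwise get. All of these options are standard sshd options.
restricted_key_line() {
    cmd=$1
    key=$2
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$key"
}

# Return success if an authorized_keys line carries a forced command plus
# the no-forwarding/no-pty restrictions, in the order emitted above.
is_restricted() {
    case "$1" in
        command=\"*\"*no-port-forwarding*no-pty*) return 0 ;;
    esac
    return 1
}

# Stand-alone demonstration with a constructed placeholder key.
if [ "${1:-}" = "demo" ]; then
    echo "sample config PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD_CONFIG")"
    echo "hardened config PermitRootLogin: $(permit_root_login "$HARDENED_SSHD_CONFIG")"
    restricted_key_line "/usr/local/bin/rsync --server --daemon ." \
        "ssh-ed25519 AAAAC3PLACEHOLDERKEY root@backup-client"
fi
```

Run it as `sh restrict_root_key.sh demo` to see the two config checks and the generated entry; the entry goes into root's authorized_keys on the host that should only ever receive rsync from that key.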