[PLUG] Got hacked last night - HELP!
Sean Whitney
sean at fork.com
Mon Oct 4 16:25:03 UTC 2004
You might also add
AllowUsers huey duey luey
to /etc/ssh/sshd_config
This limits who (users) can log into the box using
ssh.
I would also recommend a separate firewall solution.
I have a webserver on the internet, behind a separate linux firewall.
It's on a separate interface, so even if it's hacked, getting from there
into my home machines is a different challenge.
Sean
On Mon, 2004-10-04 at 16:03, Sandy Herring wrote:
> On Mon, 04 Oct 2004, Bill Thoen wrote:
> > Well, lucky me. My RH 8 box got hacked again. That makes Linux just as
> > insecure as Windows. The only visible damage (so far) was that my home web
> > page got changed to "un-root crew ownz you."
> >
> > But what happened? There is nobody who should be creating users named
> > 'luis' or 'dudu', but here's what I have in /var/log/secure.1:
> [...log snipped...]
> >
> > What else should I check? At the very least how do I keep 63.164.60.12 out
> > of my SSH system?
> >
> > - Bill Thoen
>
> Is your version of SSH up to date? (what does `ssh -V' output? 3.9p1 is
> the latest). If not, get current...
>
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/
> (see the README file)
>
> What does your Protocol param in /etc/ssh/sshd_config permit? You should
> only allow version 2... `man 5 sshd_config'.
>
> The first thing you need to do is make certain you've closed any holes
> in your ssh installation. You can keep unwanted visitors at bay via
> tcp_wrappers. e.g.,
>
> /etc/hosts.allow
> #insert ip addresses you want to grant access via SSH
> sshd: 123.123.0.234 192.168.0.
>
> /etc/hosts.deny
> sshd: ALL
>
> This allows access via ssh to 123.123.0.234 and anyone in the
> 192.168.0/24 (Class C) address space. `man 5 hosts_access' for more.
>
> hth,
> Sandy
--
Sean Whitney <sean at fork.com>
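As an added example (not code from the original thread or any of its posters), the Python below checks an sshd_config body for the two settings discussed above, Protocol 2 and AllowUsers, and evaluates hosts.allow / hosts.deny rules for a client address using simplified hosts_access(5) semantics (ALL, trailing-dot prefix, exact address; no EXCEPT or netmask forms). The config and rule texts are constructed samples mirroring the ones quoted in the thread.

```python
def parse_config(text):
    """Map lowercase sshd_config keywords to values (space-separated form), skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key.lower()] = val.strip()
    return opts

def sshd_config_findings(text):
    """Return a list of weaknesses relative to the advice given in the thread."""
    opts = parse_config(text)
    findings = []
    # OpenSSH 3.x defaulted Protocol to "2,1" when the keyword was absent.
    protocols = opts.get("protocol", "2,1").replace(" ", "").split(",")
    if "1" in protocols:
        findings.append("Protocol permits SSH-1; set 'Protocol 2'")
    if "allowusers" not in opts:
        findings.append("No AllowUsers line; every local account can log in over ssh")
    return findings

def client_matches(pattern, client_ip):
    """Simplified hosts_access(5) client matching: ALL, trailing-dot prefix, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern

def sshd_allowed(hosts_allow, hosts_deny, client_ip):
    """tcp_wrappers order: first match in hosts.allow wins, then hosts.deny, else allowed."""
    for rules, verdict in ((hosts_allow, True), (hosts_deny, False)):
        for line in rules.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            daemons, _, clients = line.partition(":")
            if {"sshd", "ALL"} & set(daemons.replace(",", " ").split()):
                if any(client_matches(p, client_ip) for p in clients.split()):
                    return verdict
    return True  # no rule matched: tcp_wrappers grants access by default

# Constructed sample files (added example, not from the thread) mirroring the quoted rules.
HOSTS_ALLOW = "# insert ip addresses you want to grant access via SSH\nsshd: 123.123.0.234 192.168.0.\n"
HOSTS_DENY = "sshd: ALL\n"
WEAK_SSHD_CONFIG = "Port 22\nProtocol 2,1\n"
HARDENED_SSHD_CONFIG = "Port 22\nProtocol 2\nAllowUsers huey duey luey\n"
```

Running `sshd_allowed(HOSTS_ALLOW, HOSTS_DENY, ip)` for the addresses you expect to admit, and for one you expect to refuse, is a cheap way to confirm the rules before restarting sshd.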