[Novalug] POSSIBLE BREAK-IN in auth.log via ssh

Jon LaBadie novalugml@jgcomp.com
Thu Feb 12 03:26:21 EST 2009


On Thu, Feb 12, 2009 at 12:57:21AM -0500, Norman Bird wrote:
> I decided to check the auth.log and started freaking out because I saw a lot
> of POSSIBLE BREAK-IN lines. Then I saw root logging in so I was panicking.
> But as I really reviewed them it seems that the actual root logins were by
> CRON and the nobody logins were system related. Please look this over and
> give any advice and particularly what should I do.
> 
> Somewhere online said I should "boot with a root kit checker", feel free to
> advise on this.
> 
> I do need to log in via putty via ssh a lot so I can't totally disable it. I
> will beef up my password now and maybe change the port, but I need input on
> that please, or a good site.
> 

Most unix/linux systems provide a way to disallow root login from
anywhere except the console.  On a system set up that way an intruder
would first have to compromise a regular user password and then the
root password while doing an su.

If you only need to putty/ssh within your lan, you could block
port 22 at your router firewall.  Alternatively, turn port 22
off when you are home and only back on when you are away.

I've had a few attempts at break-ins where someone was guessing
passwords (i.e. hundreds of attempts from one or a limited #
of IP addresses).  When I saw it in progress I shut down the
port.  Some must have been automated, because even after an
hour or overnight, when I turned the port on again it was
still there.

Most of these attempts have been from places like China or
Romania.  A couple of times I tracked down the ISP and sent
a note about the abuse.  Never heard anything back.

Jon



-- 
Jon H. LaBadie                  jon@jgcomp.com
 JG Computing
 12027 Creekbend Drive		(703) 787-0884
 Reston, VA  20194		(703) 787-0922 (fax)
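The triage the reply describes (spotting a guessing run as hundreds of failed passwords from one address, separating real sshd logins from the CRON root sessions Norman saw, and confirming root cannot log in over ssh) can be scripted. The following is an added example, not code from the original post or from either poster; the auth.log lines and the sshd_config stand-in it reads are constructed for illustration, using documentation IP ranges, and the function names are mine. Point the functions at the real /var/log/auth.log and /etc/ssh/sshd_config to use them. One caveat the script also encodes: sshd prints "POSSIBLE BREAK-IN ATTEMPT" when a client's reverse DNS does not map back to its address, so that message by itself says nothing about whether a login was attempted, let alone succeeded.

```shell
#!/bin/sh
# Added example, not code from the original post: triage an auth.log the way
# the thread suggests and confirm sshd refuses root logins.  Every input here
# is constructed for illustration (documentation IP ranges, a stand-in for
# /etc/ssh/sshd_config); point the functions at the real files to use them.

# count_ssh_failures LOGFILE [THRESHOLD]
# Print "count ip" for each source address with at least THRESHOLD
# "Failed password" lines (default 10), busiest first.  A handful from one
# address is noise; hundreds is the guessing run described in the reply.
count_ssh_failures() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v t="${2:-10}" '$1 >= t { print $1, $2 }'
}

# accepted_logins LOGFILE
# Print "user method ip" for every successful sshd login.  Root sessions
# opened by CRON do not appear here; they never came through sshd.
accepted_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \1 \3/p' "$1"
}

# reverse_dns_warnings LOGFILE
# Count the "POSSIBLE BREAK-IN ATTEMPT" lines.  sshd logs these when the
# client's reverse DNS does not map back to its address; on its own the
# message does not mean a login was attempted or succeeded.
reverse_dns_warnings() {
    grep -c 'POSSIBLE BREAK-IN ATTEMPT' "$1" || true
}

# root_login_disabled SSHD_CONFIG
# Exit 0 only if the effective PermitRootLogin value is "no".  sshd uses the
# first uncommented occurrence of a keyword, so that is the one checked; an
# absent keyword is treated as not disabled (older releases defaulted to yes).
root_login_disabled() {
    val=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ "$val" = "no" ]
}

# Constructed sample log: one guessing run, one legitimate login, CRON noise.
SAMPLE_LOG=$(mktemp)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 12 00:41:02 host sshd[4410]: reverse mapping checking getaddrinfo for 198-51-100-7.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 12 00:41:03 host sshd[4410]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Feb 12 00:41:05 host sshd[4412]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
Feb 12 00:41:08 host sshd[4414]: Failed password for root from 198.51.100.7 port 51251 ssh2
Feb 12 00:41:11 host sshd[4416]: Failed password for root from 198.51.100.7 port 51260 ssh2
Feb 12 00:55:20 host sshd[4480]: Failed password for norman from 192.0.2.10 port 3301 ssh2
Feb 12 00:55:31 host sshd[4482]: Accepted password for norman from 192.0.2.10 port 3302 ssh2
Feb 12 01:00:01 host CRON[4500]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 12 01:00:01 host CRON[4500]: pam_unix(cron:session): session closed for user root
Feb 12 02:30:17 host sshd[4610]: Failed password for invalid user test from 203.0.113.5 port 40022 ssh2
EOF

# Constructed stand-in for /etc/ssh/sshd_config with root login disallowed.
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF

echo "== addresses with >= 3 failed passwords =="
count_ssh_failures "$SAMPLE_LOG" 3
echo "== successful ssh logins =="
accepted_logins "$SAMPLE_LOG"
echo "== reverse-DNS warnings: $(reverse_dns_warnings "$SAMPLE_LOG") =="
if root_login_disabled "$SAMPLE_CONF"; then
    echo "PermitRootLogin no: an intruder must guess a user password, then su"
else
    echo "PermitRootLogin is not 'no': set it in /etc/ssh/sshd_config and restart sshd"
fi
```

On the sample data the first report lists only 198.51.100.7 (four failures, two of them against root), the login list shows just norman from 192.0.2.10, and the CRON root sessions are absent from both, which is the distinction Norman was trying to draw by hand. The script does not cover the other measure in the reply, limiting port 22 to the LAN at the router; that is done on the router or with a host firewall rule, not in sshd_config.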


