[Charlug] Server break-in attempt through NAGIOS user
David Simmons
dave at dgnal.net
Fri Sep 7 20:49:17 EDT 2007
> Three quick points:
> 1) I use the sshd_config "AllowUsers" option to define which users can log
> in via ssh. None of the "common/typical" users are in this list. I'll log
> in on a non-common account and then su to the standard account if needed.

Have been thinking about this....what the Nagios account was doing was
SSHing OUT to attempt ssh connections with a bunch of other machines.....so
while sshD_config has an 'AllowUsers' config option...that wouldn't have
really helped?

I did:

[root@www4 opt]# ls -la /usr/bin/ssh
-rwxr-xr-x 1 root root 292520 Mar 21 15:42 /usr/bin/ssh

Ah-ha! so what I should probably do is a 'chmod 700'.....is there a reason
that any user should have r_x access to ssh OUT??

> 2) I use the sshd_config "Port" option to something other than port 22.
> This significantly reduced the number of ssh script attacks that I was
> seeing. Obviously someone can still find the port if they're interested,
> but let's not make it too easy.
> 3) Finally, I use the hosts.allow "sshd" option to specify what IP
> addresses can connect via ssh.

Yes....good ideas - but not helpful to prevent this type of account....poor
passwords I believe are/were the real culprit?!?!

Thanks!! this is great info!

 - dave