Changing SSH and Apache ports

Dotan Cohen dotancohen at gmail.com
Fri Dec 16 16:54:57 UTC 2005


On 12/16/05, Christofer C. Bell <christofer.c.bell at gmail.com> wrote:
> On 12/15/05, Dotan Cohen <dotancohen at gmail.com> wrote:
> >
> > I know that this won't save the system from a determined hacker, but
> > thankfully I haven't been attacked by one yet. I do get a nice long
> > daily log report though:
> >
> > And I am constantly being tried on sshd:
> >     Authentication Failures:
> >        unknown (63.211.110.142): 853 Time(s)
> >        root (63.211.110.142): 129 Time(s)
>
> [ . . . snipped . . . ]
>
> >        operator (63.211.110.142): 1 Time(s)
> >        rpm (202.129.48.100): 1 Time(s)
> >        rpm (63.211.110.142): 1 Time(s)
> >        sshd (202.129.48.100): 1 Time(s)
> >     Invalid Users:
> >        Unknown Account: 959 Time(s)
>
> You may look into using the AllowUsers directive in
> /etc/sshd/sshd_config.  While it won't prevent people from probing
> your system, it does provide an additional level of protection against
> a guessed password.  If you do set up AllowUsers, your log will end up
> looking something like this instead:
>
> **Unmatched Entries**
>  User bin from 61.66.132.60 not allowed because not listed in AllowUsers
>  User adm from 61.66.132.60 not allowed because not listed in AllowUsers
>  User lp from 61.66.132.60 not allowed because not listed in AllowUsers
>  User lp from 61.66.132.60 not allowed because not listed in AllowUsers
>  User daemon from 61.66.132.60 not allowed because not listed in AllowUsers
>  User ftp from 61.66.132.60 not allowed because not listed in AllowUsers
>  User games from 61.66.132.60 not allowed because not listed in AllowUsers
>  User gopher from 61.66.132.60 not allowed because not listed in AllowUsers
>  User halt from 61.66.132.60 not allowed because not listed in AllowUsers
>  User lp from 61.66.132.60 not allowed because not listed in AllowUsers
>  User mail from 61.66.132.60 not allowed because not listed in AllowUsers
>
> I suppose this is only helpful if you have accounts that have assigned
> passwords that you do not want logged into via ssh remotely.
>
> Chris

I just spent a few minutes googling the subject, and it appears that
apache, mail, etc. don't have passwords at all. So why do they bother
trying to SSH in on those names? Or will the root password let them in
(I'd try it before I ask, but I'm not home now and the machine is
behind a new router that I haven't configured for port forwarding
yet)?

The tries on user john, bill, etc I can understand. I wish that I
could get a look at the passwords that they were trying- might be
useful.

If root is disabled from logging in via ssh, and I only have one other
real user on the system (who I WANT to let in), then is there no real
reason to use AllowUsers?

Also, if I post something here that I copied from the command line, like:
[sharon at localhost] $

is this insecure? Because that is saying "Here! Use user 'sharon' to
SSH me!". Should I be more careful in the future with that?

Dotan Cohen
http://technology-sleuth.com/short_answer/what_are_the_advantages_of_lcd_monitors.html
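
An added example, not part of the original thread: a Python tally of sshd log lines, including the AllowUsers rejection format quoted above, that groups rejected attempts by source address. The sample log lines, addresses, hostname and threshold are constructed for illustration; the message formats are the ones OpenSSH writes to syslog.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range addresses), not taken from the post.
SAMPLE_LOG = """\
Dec 16 03:11:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec 16 03:11:05 host sshd[2103]: Invalid user john from 203.0.113.7
Dec 16 03:11:07 host sshd[2103]: Failed password for invalid user john from 203.0.113.7 port 40120 ssh2
Dec 16 03:11:09 host sshd[2105]: User bin from 203.0.113.7 not allowed because not listed in AllowUsers
Dec 16 03:11:12 host sshd[2107]: User mail from 198.51.100.9 not allowed because not listed in AllowUsers
Dec 16 08:30:44 host sshd[2240]: Accepted password for sharon from 192.0.2.15 port 51514 ssh2
"""

# Each pattern captures (user, source address). Order matters: first match wins.
PATTERNS = [
    ("invalid_user", re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")),
    ("failed_password", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")),
    ("not_allowed", re.compile(
        r"sshd\[\d+\]: User (\S+) from (\S+) not allowed because not listed in AllowUsers")),
    ("accepted", re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")),
]

def summarize(log_text):
    """Return ({ip: Counter of event kinds}, {ip: set of user names tried})."""
    per_ip, users = defaultdict(Counter), defaultdict(set)
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                user, ip = m.groups()
                per_ip[ip][kind] += 1
                users[ip].add(user)
                break
    return per_ip, users

def noisy_sources(log_text, threshold=3):
    """Sources with >= threshold rejected log events and no accepted login.
    Counts are log events, not attempts: one bad login for a nonexistent
    account produces both an 'Invalid user' and a 'Failed password' line."""
    per_ip, users = summarize(log_text)
    hits = []
    for ip, c in per_ip.items():
        rejected = c["invalid_user"] + c["failed_password"] + c["not_allowed"]
        if rejected >= threshold and c["accepted"] == 0:
            hits.append((ip, rejected, sorted(users[ip])))
    return sorted(hits, key=lambda h: -h[1])
```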