Attempted SSH Logins

Steve Kozakoff kozaksj at shands.ufl.edu
Tue Aug 3 18:36:25 UTC 2004


I know some of the more experienced people on the list know this, so
bear with me.

FYI-
This will prevent direct remote login from root, by changing the
sshd_config file. Add the line:

PermitRootLogin no

Anyone with a shell account on the system can still attempt su or sudo,
but su and sudo can also be limited to certain users; see the URL below
for the "how-to".

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-privileges.html


I know this is a pia, but it will _help_ to keep your box(es) from
getting hacked!

-Steve


>>> halln at otc.edu 8/3/2004 12:22:50 >>>
Hi all.

I have been monitoring our logs over the past several weeks using logwatch
and have noticed several of these entries (known entries omitted):

sshd:
   Invalid Users:
      Unknown Account: 5 Time(s)
   Authentication Failures:
      test (server.bes1.com ): 2 Time(s)
      root (server.bes1.com ): 3 Time(s)
      unknown (server.bes1.com ): 4 Time(s)

The source addresses vary.  I always see the same accounts from different
addresses with a different number of tries.  When I see these, there is only
one source, never a mix of sources.  The next day, it might be a different
source, but it is the only one.

Is anybody else seeing this in their logs where I shouldn't be as worried or
is this directed at us?

~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln at otc.edu 

417-799-0552
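
Added example (not part of the original thread): a shell check for the sshd_config setting described in the reply above. sshd uses the first value it reads for a keyword, so a "PermitRootLogin no" added below an existing "PermitRootLogin yes" has no effect. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the PermitRootLogin value from the global part of an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.
# Lines from the first "Match" block onward are conditional and are not considered.
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }               # strip leading whitespace
        /^#/ || /^$/ { next }                # skip comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)  # accept "Keyword=value" as well
            split(line, f, /[ \t]+/)
            key = tolower(f[1])              # keywords are case-insensitive
            if (key == "match") exit         # global section ends here
            if (key == "permitrootlogin") { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Return 0 only when the file disables direct root login outright.
check_root_login() {
    v=$(effective_root_login "$1")
    case "$v" in
        no)    echo "OK: direct root login is disabled"; return 0 ;;
        unset) echo "WARN: PermitRootLogin not set, compiled-in default applies"; return 1 ;;
        *)     echo "WARN: effective PermitRootLogin is $v"; return 1 ;;
    esac
}

# Constructed sample: the hardening line was appended below a stock "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
check_root_login "$sample" || true   # warns: the earlier "yes" wins
rm -f "$sample"
```

Run check_root_login against the real sshd_config after editing it, and restart sshd so the change takes effect.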

 
