Attempted SSH Logins

Bob Smith bob at netprt.com
Tue Aug 3 19:06:01 UTC 2004


Another thing that works is to also set the root shell to /sbin/nologin, 
then log in under another account and use sudo.  Yes, another PIA, but 
that also prevents access. 

-Bob

Steve Kozakoff wrote:

>I know some of the more experienced people on the list know this, so
>bear with me.
>
>FYI-
>This will prevent direct remote login from root, by changing the
>sshd_config file. Add the line:
>
>PermitRootLogin no
>
>Anyone with a shell account on the system can still attempt su or sudo,
>but, su and sudo can also be limited to certain users, see the url below
>for the "how-to". 
>
>http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-privileges.html
>
>
>I know this is a pia, but it will _help_ to keep your box(es) from
>getting hacked!
>
>-Steve
>
>>>>halln at otc.edu 8/3/2004 12:22:50 >>>
>Hi all.
>
>I have been monitoring our logs over the past several weeks using logwatch
>and have noticed several of these entries (known entries omitted):
>
>sshd:
>   Invalid Users:
>      Unknown Account: 5 Time(s)
>   Authentication Failures:
>      test (server.bes1.com ): 2 Time(s)
>      root (server.bes1.com ): 3 Time(s)
>      unknown (server.bes1.com ): 4 Time(s)
>
>The source addresses vary.  I always see the same accounts from different
>addresses with a different number of tries.  When I see these, there is only
>one source, never a mix of sources.  The next day, it might be a different
>source, but it is the only one.
>
>Is anybody else seeing this in their logs where I shouldn't be as worried or
>is this directed at us?
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~
>Nathaniel Hall
>Intrusion Detection and Firewall Technician
>Ozarks Technical Community College -- Office of Computer Networking
>halln at otc.edu
>417-799-0552
>
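
Added example (not part of the original posts): a shell check for the two settings suggested in this thread, PermitRootLogin in sshd_config and root's login shell in the passwd file. The function names and the sample files are constructed for illustration; pass your own file paths as arguments.

```shell
#!/bin/sh
# Added example: checks the two settings suggested in this thread.
# Paths are arguments so the check can run against copies of the files.

# Effective global PermitRootLogin. sshd uses the first occurrence of a
# keyword and keywords are case-insensitive; lines after a Match line are
# conditional, so scanning stops there. "unset" means no global line.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }   # tolerate "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Login shell recorded for root (7th field of a passwd-format file).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Report both settings; non-zero status if direct root SSH login is not
# explicitly disabled.
audit_root_access() {
    prl=$(permit_root_login "$1"); shell=$(root_shell "$2"); rc=0
    if [ "$prl" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "WARN PermitRootLogin is '$prl', not 'no'"; rc=1
    fi
    case "$shell" in
        */nologin|*/false) echo "OK   root shell is $shell" ;;
        *) echo "INFO root shell is $shell (interactive)" ;;
    esac
    return $rc
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'permitrootlogin no' \
    'PermitRootLogin yes' > "$demo/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' \
    'bob:x:500:500::/home/bob:/bin/bash' > "$demo/passwd"
audit_root_access "$demo/sshd_config" "$demo/passwd" || true
```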




