help, remote root logon

Bristol, Gary L. gbristol at ou.edu
Sat Jan 30 17:34:18 UTC 2010


What you should keep in mind is that you should never allow ROOT to logon remotely.
You can disable that in the SSHD conf file by changing the #PermitRootLogin yes entry to PermitRootLogin no.
Then do a restart of sshd.

You should always login as a regular user and then either sudo the privileged commands you want to run or su to root.


Message: 3
Date: Fri, 29 Jan 2010 22:47:26 -0800
From: Jose R R <jose.r.r at metztli.com>
To: General Red Hat Linux discussion list <redhat-list at redhat.com>
Subject: Re: help
Message-ID:
	<a81fae451001292247s1bb3b940i7e7ef28b9bd30c8e at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Jan 27, 2010 at 9:59 PM, Joy Methew <ml4joy at gmail.com> wrote:
> Hello all,
> I'm using RHEL5.3 as my mail server with a real IP. I
> configure my system mostly remotely. The last login time of my system was 27 Jan
> from this IP 118.129.153.43.
> Then I tried to login on 28 Jan in the morning and I couldn't get authentication as
> root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root, then I ran the "last" command. I'm sending the first 10 lines
> of the last command... I think someone hacked my system. I am sending the history
> command output.
> Now I removed the .ssh directory and /var/tmp/*
>
> Please suggest what this is??
>
> thanks
>
> last command output:
> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>
> What is 165.red-79........ this is not my IP.
>
>
> History Output

Here is an interesting twist on the story. On January 29 at 16:01:26
(America/Tijuana time zone or GMT-8) IP 118.129.153.43 attempted to
log into my host using the root username. After a couple (actually 3)
of tries it was blocked and I have notified security at bora.net,
cert at krcert.or.kr

Jan 29 16:01:26 [myHost-name] sshd[5758]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43  user=root
Jan 29 16:01:26 [myHost-name] sshd[5760]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43  user=root
Jan 29 16:01:26 [myHost-name] sshd[5761]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43  user=root
Jan 29 16:01:28 [myHost-name] sshd[5758]: Failed password for invalid user root from 118.129.153.43 port 62771 ssh2
Jan 29 16:01:28 [myHost-name] sshd[5760]: Failed password for invalid user root from 118.129.153.43 port 56897 ssh2
Jan 29 16:01:29 [myHost-name] sshd[5761]: Failed password for invalid user root from 118.129.153.43 port 48669 ssh2

Best Regards.


-- 
Jose R R
http://www.metztli-it.com
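The sshd log lines above and the earlier `last` output show the two things a defender wants to spot: repeated root password failures from one source, and any root login that succeeds after them (which PermitRootLogin no, as recommended earlier in the thread, would prevent). The following script is an added example, not from this thread; it parses the sshd "Failed password" and "Accepted" lines in the format shown and assumes constructed sample lines with placeholder host names and documentation IP addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd/pam_unix write to /var/log/secure.
# Host name, PIDs and addresses (RFC 5737 ranges) are placeholders, not real hosts.
SAMPLE_LOG = """\
Jan 29 16:01:26 myhost sshd[5758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jan 29 16:01:28 myhost sshd[5758]: Failed password for invalid user root from 203.0.113.7 port 62771 ssh2
Jan 29 16:01:28 myhost sshd[5760]: Failed password for invalid user root from 203.0.113.7 port 56897 ssh2
Jan 29 16:01:29 myhost sshd[5761]: Failed password for invalid user root from 203.0.113.7 port 48669 ssh2
Jan 29 16:05:02 myhost sshd[5790]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan 29 16:07:11 myhost sshd[5802]: Accepted password for root from 203.0.113.7 port 50123 ssh2
"""

# "Failed password for [invalid user ]<user> from <host> port <n> ssh2"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
# "Accepted password|publickey for <user> from <host> port <n>"
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port")


def analyze(log_text, threshold=3):
    """Count failed logins per (host, user) and flag root logins from brute-forcing hosts.

    The pam_unix 'authentication failure' line and the 'Failed password' line
    describe the same attempt (same sshd PID), so only the latter is counted.
    """
    failures = Counter()   # (rhost, user) -> number of failed attempts
    root_logins = []       # (rhost, timestamp) for every accepted root login
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "root":
            root_logins.append((m.group(2), line[:15]))  # syslog timestamp is 15 chars
    # Hosts that reached the failure threshold against root
    brute_force = {host: n for (host, user), n in failures.items()
                   if user == "root" and n >= threshold}
    # Any accepted root login is itself a finding once PermitRootLogin is set to no;
    # one that follows repeated failures from the same host is the case in this thread.
    suspicious = [(host, ts) for host, ts in root_logins if host in brute_force]
    return {"failures": dict(failures), "root_brute_force": brute_force,
            "root_logins": root_logins, "root_login_after_failures": suspicious}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```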