help, remote root logon

Jose R R jose.r.r at metztli.com
Sat Jan 30 21:55:45 UTC 2010


> Message: 3
> Date: Fri, 29 Jan 2010 22:47:26 -0800
> From: Jose R R <jose.r.r at metztli.com>
> To: General Red Hat Linux discussion list <redhat-list at redhat.com>
> Subject: Re: help
> Message-ID:
>        <a81fae451001292247s1bb3b940i7e7ef28b9bd30c8e at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Wed, Jan 27, 2010 at 9:59 PM, Joy Methew <ml4joy at gmail.com> wrote:
>> Hello all,
>> I am using RHEL 5.3 as my mail server with a real IP. I
>> configure my system mostly remotely. The last login time of my system was 27 Jan
>> from this IP, 118.129.153.43.
>> Then I tried to log in on 28 Jan in the morning and could not get authenticated as
>> root with my last password.
>> Then I rebooted the system and reset my password.
>> I logged in as root and ran the "last" command; I am sending the first 10 lines
>> of the last command output... I think someone hacked my system. I am sending the history
>> command output.
>> Now I have removed the .ssh directory and /var/tmp/*
>>
>> Please suggest what this is??
>>
>> thanks
>>
>> last command output:
>> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
>> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
>> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
>> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
>> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
>> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
>> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
>> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
>> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
>> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>>
>> What is 165.red-79........? This is not my IP.
>>
>>
>> History Output
>
> Here is an interesting twist on the story. On January 29 at 16:01:26
> (America/Tijuana time zone, or GMT-8) IP 118.129.153.43 attempted to
> log into my host using the root username. After a couple (actually 3)
> tries it was blocked, and I have notified security at bora.net and
> cert at krcert.or.kr.
>
> Jan 29 16:01:26 [myHost-name] sshd[5758]: User root from 118.129.153.43 [...]
> Jan 29 16:01:26 [myHost-name] sshd[5758]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=118.129.153.43  user=root
> Jan 29 16:01:26 [myHost-name] sshd[5760]: User root from 118.129.153.43 [...]
> Jan 29 16:01:26 [myHost-name] sshd[5760]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=118.129.153.43  user=root
> Jan 29 16:01:26 [myHost-name] sshd[5761]: User root from 118.129.153.43 [...]
> Jan 29 16:01:26 [myHost-name] sshd[5761]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=118.129.153.43  user=root
> Jan 29 16:01:28 [myHost-name] sshd[5758]: Failed password for invalid
> user root from 118.129.153.43 port 62771 ssh2
> Jan 29 16:01:28 [myHost-name] sshd[5760]: Failed password for invalid
> user root from 118.129.153.43 port 56897 ssh2
> Jan 29 16:01:29 [myHost-name] sshd[5761]: Failed password for invalid
> user root from 118.129.153.43 port 48669 ssh2
>
> Best Regards.
>
>
> --
> Jose R R
> http://www.metztli-it.com
> ---------------------------------------------------------------------------------------------
> IBM Lotus Symphony supported on GNU/Linux, Mac OS, and Windows.
> ---------------------------------------------------------------------------------------------
> Daylight Saving Time in USA & Canada starts: Sunday 08 March 2009
> ---------------------------------------------------------------------------------------------
>

On Sat, Jan 30, 2010 at 9:34 AM, Bristol, Gary L. <gbristol at ou.edu> wrote:
> What you should keep in mind is that you should never allow ROOT to logon remotely.

Indeed.  The point I desired to make is the fact that IP address
118.129.153.43 (*not* questioned by the initial poster even if listed
in the output of her/his last command) is *itself* attempting to crack
into other systems. Whether the IP in question is static or
dynamically assigned, of course, will shed light on the coincidental
nature of this issue or the fact that the original poster might
himself/herself be a cracker who has been cracked.

> You can disable that in the SSHD conf file by changing the #PermitRootLogin yes entry to PermitRootLogin no

And further narrowing the surface of entry, you can add (if not
already there) a line at the end of the SSHD config to permit only
the non-root usernames allowed to log into the remote system:

AllowUsers [user1]  [user2@given.ip.add.ress]  [user3]  [user_etc]

Please see http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssh.html#AEN21576

> Then do a restart of sshd
>
> You should always login as a regular user and then either sudo the privileged commands you want to run or su to root.
>
>
And install Fail2ban http://www.fail2ban.org , as well, configuring it
to allow x number of login attempts (default is 6) and subsequently
ban the user (if s/he fails) for a y time frame (also configurable).

> Best Regards.
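A small POSIX shell check, added here and not part of the thread or of any list member's post, that verifies the two sshd_config directives discussed above (PermitRootLogin no, AllowUsers) and counts failed-password attempts per source host against a fail2ban-style retry threshold; the config lines, host names and addresses it uses are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks a defender wants after
# reading the advice above: is sshd_config actually hardened (PermitRootLogin
# no, AllowUsers present), and which source hosts exceed a fail2ban-style
# retry threshold in the auth log. All sample data below is constructed.

# Effective value of a directive: sshd takes the first uncommented match.
# (Match blocks are ignored here; directive names are case-insensitive.)
sshd_directive() {   # $1 = config file, $2 = directive name
    awk -v d="$(echo "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == d { print $2; exit }' "$1"
}

# Succeeds only if root login is explicitly disabled AND AllowUsers is set.
# A commented-out "#PermitRootLogin yes" yields no value, so it fails.
audit_sshd_config() {
    [ "$(sshd_directive "$1" PermitRootLogin)" = "no" ] &&
    [ -n "$(sshd_directive "$1" AllowUsers)" ]
}

# Print "count host" for each source host with at least $2 failed password
# attempts in auth log $1 (6 is fail2ban's default maxretry).
failed_hosts() {
    sed -n 's/.*Failed password for .* from \([^ ]*\) port .*/\1/p' "$1" \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# Constructed sshd_config samples: $2 = weak (stock-style) or hardened.
write_sample_config() {   # $1 = path
    if [ "$2" = weak ]; then
        printf '#PermitRootLogin yes\nPort 22\n' > "$1"
    else
        printf 'PermitRootLogin no\nAllowUsers alice bob@203.0.113.7\n' > "$1"
    fi
}

# Constructed auth log: six root failures from one host, two from another.
write_sample_log() {      # $1 = path
    : > "$1"
    i=0
    while [ "$i" -lt 6 ]; do
        echo "Jan 29 16:01:28 host sshd[5758]: Failed password for invalid user root from 198.51.100.9 port $((60000 + i)) ssh2" >> "$1"
        i=$((i + 1))
    done
    echo "Jan 29 16:02:01 host sshd[5790]: Failed password for alice from 192.0.2.5 port 40001 ssh2" >> "$1"
    echo "Jan 29 16:02:03 host sshd[5791]: Failed password for alice from 192.0.2.5 port 40002 ssh2" >> "$1"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after the edits above and before restarting sshd; `failed_hosts /var/log/secure 6` shows what fail2ban would be reacting to.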
