Unix questions - Re: newbie question: if sshd reports a few hundred invalid attempted logins, is that a







Subject: Re: newbie question: if sshd reports a few hundred invalid attempted logins, is that a
Author: Jake Barnes
Date: 2006-07-02, 1:44 pm


Moe Trin wrote:
> On 24 Jun 2006, in the Usenet newsgroup comp.unix.questions, in article
> <1151194918.615104.129530@c74g2000cwc.googlegroups.com>, Jake Barnes wrote:
>
>
> Try to avoid being logged in as root. You can always use 'su -' to become
> root for the few things where you must be root. Ignoring the potential
> security hazard, *nix believes that root knows what root is doing, and
> the system will do exactly what you tell it to do - which may very well
> NOT be exactly what you planned or hoped for.


Thanks much. For now, I'm logged in as root a lot because I'm trying to
customize my machine. Customizing seems like a good way to learn the
machine. Back in the 1990s, I learned the Mac OS and then Windows in
part by customizing the machine.

I don't yet have valuable information on this machine, so there isn't
much that can go wrong if I destroy it or if it gets hacked.



> Your distribution should have configured your Mail Transfer Agent (you
> don't identify the distribution - could be sendmail, postfix, exim, or
> even qmail) to forward mail to root to a specific user. For sendmail,
> this is set in /etc/aliases


My distribution is Red Hat EL 3. When I run "ps -A" I see an instance
of sendmail.



> 2. Do you really need your port 22 open to the entire world? or can you
> narrow it down a lot.
>
> 3. Consider "Security By Obscurity" and move your SSH daemon to a less
> obvious port - some random number like
>
> [compton ~]$ ls -lrt | tail -4 | head -1 | awk '{print $5}'
> 2273
> [compton ~]$


I can't figure out what the above means, especially the bit with awk.



> 4. Run the command 'netstat -tuan' and see what is actually open on your
> system. As a newbie, you _REALLY_ don't want everything flapping in the
> breeze. There are a number of HOWTOs that should have been installed on
> your system - probably in /usr/share/HOWTO/ that can help buttoning down
> your system.


I ran netstat -tuan:

[root@localhost mnt 15:43:08]# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           127.0.0.1:32770         ESTABLISHED
tcp        0      0 192.168.1.2:32978       64.233.167.99:80        ESTABLISHED
tcp        0      0 192.168.1.2:32979       64.233.167.99:80        ESTABLISHED
tcp        0      0 192.168.1.2:32912       65.17.201.138:80        TIME_WAIT
tcp        0      0 192.168.1.2:32994       68.142.213.135:80       TIME_WAIT
tcp        0      0 192.168.1.2:32993       68.142.213.135:80       TIME_WAIT
tcp        0      0 192.168.1.2:32990       68.142.213.135:80       TIME_WAIT
tcp        0      0 192.168.1.2:32989       68.142.213.135:80       TIME_WAIT
tcp        0      0 192.168.1.2:32909       209.18.34.39:80         TIME_WAIT
tcp        0      0 192.168.1.2:32972       209.18.34.38:80         ESTABLISHED
tcp        0      0 192.168.1.2:32973       209.18.34.38:80         ESTABLISHED
tcp        0      0 127.0.0.1:32770         127.0.0.1:631           ESTABLISHED
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 192.168.1.2:137         0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.2:138         0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:814             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 192.168.1.2:123         0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*



> 5. Point your browser at the newsgroup comp.os.linux.security for a lot
> more assistance. This happens all the time. Do understand that it would be
> very helpful if you identified which of the 350+ Linux distributions you
> are using. Also see that your system is up-to-date. Most popular
> distributions today come with automated tools to help keep the systems
> current.


Thanks for all the help. Apparently Red Hat Enterprise 3 does not come
with yum installed. I tried to get it installed, but I ran into
"dependency hell". It needed other packages that I did not have. It got
complicated and I got frustrated. Do you know of a place where I could
get it and all of its dependencies?
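The "netstat -tuan" advice in point 4 of the quoted reply, as an added example that is not part of the thread: a small shell script that reads netstat output and reports only the sockets reachable from the network, so loopback-only services (the sendmail on 127.0.0.1:25 in the listing above) drop out while the 0.0.0.0 and interface-bound listeners stay in. The sample listing is constructed to mirror the one posted; the port-to-service table is the standard /etc/services assignment, and what is actually behind each port on a given host is an assumption until checked with "netstat -tulnp" or "lsof -i".

```shell
#!/bin/sh
# Added example, not from the thread: report the listening sockets in
# `netstat -tuan` output that are reachable from the network.
# Usage on a live host:  netstat -tuan | exposed_listeners
# Limitation: the address parser assumes IPv4 "addr:port" (as in the posted
# output); IPv6 entries such as ":::22" are not handled.

# Constructed sample, mirroring the listing posted in the thread.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           127.0.0.1:32770         ESTABLISHED
tcp        0      0 192.168.1.2:32978       64.233.167.99:80        ESTABLISHED
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 192.168.1.2:137         0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Well-known port -> service name (standard /etc/services assignments).
# What really answers on a port is an assumption until checked with
# `netstat -tulnp` or `lsof -i`.
service_name() {
    case "$1" in
        13) echo daytime ;;     21) echo ftp ;;      22) echo ssh ;;
        25) echo smtp ;;        37) echo time ;;     80) echo http ;;
        111) echo portmapper ;; 123) echo ntp ;;     161) echo snmp ;;
        137|138|139|445) echo smb ;;                 199) echo smux ;;
        515) echo lpd ;;        631) echo ipp ;;     6000) echo x11 ;;
        *) echo unknown ;;
    esac
}

# Read netstat output on stdin; print "proto port bind-address" for each
# listening socket. TCP sockets count only in state LISTEN; UDP sockets carry
# no state, so every bound UDP socket counts.
listeners() {
    awk '
        $1 == "tcp" && $6 != "LISTEN" { next }
        $1 == "tcp" || $1 == "udp" {
            n = split($4, a, ":")
            print $1, a[n], a[1]
        }'
}

# Classify a bind address: loopback sockets are unreachable from other hosts,
# 0.0.0.0 means every interface, anything else is one specific interface.
scope() {
    case "$1" in
        127.*)   echo loopback ;;
        0.0.0.0) echo all-interfaces ;;
        *)       echo "iface:$1" ;;
    esac
}

# Read netstat output on stdin; print only network-reachable listeners as
# "proto/port scope service", sorted by port number.
exposed_listeners() {
    listeners | while read -r proto port addr; do
        s=$(scope "$addr")
        if [ "$s" = loopback ]; then
            continue
        fi
        printf '%s/%s %s %s\n' "$proto" "$port" "$s" "$(service_name "$port")"
    done | sort -t/ -k2 -n
}

# Same, applied to the constructed sample so the script runs stand-alone.
exposed_from_sample() {
    printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
}

exposed_sample_count() {
    exposed_from_sample | wc -l | tr -d ' '
}

echo "Network-reachable listeners in the sample:"
exposed_from_sample
echo "Total: $(exposed_sample_count)"
```

On the posted listing the same filter leaves portmapper, smb, lpd, daytime/time, ftp, http, X11 and snmp reachable alongside sshd; each of those is a service to either firewall, bind to 127.0.0.1, or turn off before worrying about which port sshd sits on.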

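Points 1 to 3 of the quoted advice (stay out of root, narrow who can reach port 22, move the daemon off the default port) all map onto sshd_config directives. The shell script below is an added example, not from the thread: it reads two constructed sshd_config fragments, one with distribution-style defaults and one hardened, and flags the weak directives. The "ls -lrt | tail -4 | head -1 | awk '{print $5}'" pipeline quoted above just prints the fifth column of a long directory listing (the byte size of the fourth-from-last file), so its output is nothing more than an arbitrary number to use as the port; 2273 is reused here. The "admin" user name and the 192.168.1.2 listen address (taken from the netstat output) are assumptions about this host.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the points
# made above (no root logins, a narrowed listen address, a non-default port)
# plus an explicit user allow-list. Both configs are constructed; the user
# name and the 192.168.1.2 address are assumptions.

WEAK_CONFIG='# distribution-style defaults: reachable everywhere, root may log in
Protocol 2
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
'

HARDENED_CONFIG='Protocol 2
Port 2273
ListenAddress 192.168.1.2
PermitRootLogin no
AllowUsers admin
'

# Effective value of one keyword. sshd uses the first occurrence of a keyword,
# matches keyword names case-insensitively and ignores "#" comment lines; $3
# is the value sshd falls back to when the keyword is absent.
sshd_option() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -v key="$key" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# ListenAddress is the exception: every occurrence adds a listener, and with
# none present sshd binds every local address.
listen_addresses() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "listenaddress" { print $2; found = 1 }
        END { if (!found) print "0.0.0.0" }'
}

# One line per weak setting; prints nothing when the config passes.
audit_sshd_config() {
    cfg=$1
    # "yes" was the OpenSSH default for PermitRootLogin at the time (until 7.0)
    root=$(sshd_option "$cfg" PermitRootLogin yes)
    if [ "$root" != no ]; then
        echo "PermitRootLogin $root: root is a direct brute-force target; set 'no' and use su -"
    fi
    port=$(sshd_option "$cfg" Port 22)
    if [ "$port" = 22 ]; then
        echo "Port 22: the default port is the first one automated scans try"
    fi
    listen_addresses "$cfg" | while read -r addr; do
        case "$addr" in
            0.0.0.0|0.0.0.0:*|::|'[::]'*)
                echo "ListenAddress $addr: sshd answers on every interface" ;;
        esac
    done
    users=$(sshd_option "$cfg" AllowUsers "")
    if [ -z "$users" ]; then
        echo "AllowUsers unset: every local account is a valid login name to guess"
    fi
}

audit_count() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

echo "Findings, default-style config:"
audit_sshd_config "$WEAK_CONFIG"
echo "Findings, hardened config:"
audit_sshd_config "$HARDENED_CONFIG"
```

To run it against a real file, pass its contents: audit_sshd_config "$(cat /etc/ssh/sshd_config)". Moving the port and narrowing ListenAddress cut down the noise in the log; PermitRootLogin no and AllowUsers are what actually limit what a guessed password can do.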







Copyright 2003 - 2008 webservertalk.com