Hi, and thanks to everybody for all the useful information I have received. :)

One good thing about using SSH2.4 instead of OpenSSH is that if someone installed an RSA key in my .ssh/authorized_keys file, it would be of no use :) Besides, I have heard that the SSH1.1 protocol is insecure, and that it is recommended to upgrade to SSH2.

One reason why I did not install any security updates to SSH1.1 is that on the web page of www.debian.org they say that there is a remote exploit in OpenSSH (DSA-027) but it is fixed in Debian 2.2 (potato), and that is the one I installed. I did not think that I had to install all security updates as well; I figured they would be in the install. Perhaps that is something which should be clearly stated on the Debian pages?

Regards,
Runar

On Thu, 1 Mar 2001, Noah L. Meyerhans wrote:

> On Thu, Mar 01, 2001 at 09:32:19AM +0100, Runar Bell wrote:
> > 1) I noticed that somebody had logged in to my computer using my username.
> > I can't see how they could have discovered my password (7 letters,
> <snip>
> >
> > 2) When inspecting /var/log/messages I noticed quite a lot of attempts to
> > send a buffer overflow (or something like that) on the port running
> > rpc.statd. Is there some security hole there I am not aware of? I have
> <snip>
>
> OK, here's what I think happened here. They broke in to your system via
> a vulnerable rpc.statd. They might have installed some non-obvious back
> door. It is hard to guess this point. However, that doesn't explain
> the unauthorized login to your account. I suspect that what they did
> was either replace sshd with one that provides a back door or installed
> an RSA key in your .ssh/authorized_keys file. The latter action is
> particularly devious, as that file probably won't get re-created when
> you re-install your system or upgrade ssh or something like that. Most
> people keep their home directory intact. With the RSA key in place,
> though, they can log in as you without needing your password. Once
> they've got access to your system there's a whole new list of root
> exploits available to them.
>
> > 3) I couldn't find any "obvious" back-doors, but that doesn't necessarily
> > mean that there were none, so to be on the safe side, I re-installed Linux,
> > and am now using SSH2.4 from www.ssh.com. Hopefully I won't have to do
> > this again. :-)
>
> I would not bother with this. Provided you've got security.debian.org
> in your apt.sources list and subscribe to debian-security-announce you'll
> have an easier time reacting to any newly discovered ssh
> vulnerabilities. With an unsupported version of SSH you'll have to
> monitor their site and watch for security updates, then build them by
> hand.
>
> > I am definitely going to install some sort of firewall, are there any
> > recommendations? ipchaining is not supported in my kernel as of now, so I
> > will compile a new kernel when I get the time. But, is there any
> > documentation available discussing recommendations regarding security? (I
> > am not paranoid, but would like it to be as hard as possible to get
> > unauthorized access to my computer)
>
> Ipchains works. Also, for services that you do want open, use
> tcp_wrappers (man 5 hosts_access). It also helps to have access to a
> portscanner on a non-local host. Run something like nmap against your
> machine and see what shows up. This is what a potential cracker will
> see when they are watching your machine.
>
> noah
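The check Noah's reply implies, as an added example that is not part of the thread or of any Debian tool: a small sh+awk audit of an authorized_keys file that lists every key it contains (SSH-2 "type blob comment" lines, SSH-1 "bits exponent modulus comment" lines, and any leading options such as from="...") and prints the ones whose key blob is not on an allow-list the owner maintains. The sample file and the allow-list are constructed for illustration; the blobs are placeholders, not real key material. Matching on the raw blob rather than on a fingerprint is an assumption made so the script needs nothing beyond sh and awk on a freshly reinstalled box.

```shell
#!/bin/sh
# Audit an SSH authorized_keys file for keys the owner did not install.
# Dependency-free (sh + awk) so it can run on a freshly reinstalled box.
# Keys are identified by their raw blob; ssh-keygen is not assumed present.

# Constructed sample: what ~/.ssh/authorized_keys might look like after an
# intruder appended a key. The blobs are placeholders, not real keys.
SAMPLE_AUTH_KEYS='# keys the owner installed
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAownerownerowner runar@home
1024 35 1234567890123456789012345678901234567890 runar@old-ssh1-box

from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAintruderintruder root@nowhere'

# Blobs the owner knows about (constructed allow-list, space separated).
KNOWN_GOOD_BLOBS='AAAAB3NzaC1yc2EAAAABIwAAAIEAownerownerowner 1234567890123456789012345678901234567890'

# list_keys: read authorized_keys on stdin, emit one tab-separated line per
# key: TYPE, BLOB, COMMENT, OPTIONS. Handles SSH-2 lines ("ssh-rsa BLOB
# comment"), SSH-1 RSA lines ("bits exponent modulus comment") and leading
# options such as from="..." or command="...". Whitespace inside an option
# value is re-joined with single spaces.
list_keys() {
    awk '
        BEGIN { OFS = "\t" }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            opts = ""; i = 1
            # everything before the key type (or SSH-1 bit count) is options
            while (i <= NF && $i !~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|[0-9]+)$/) {
                opts = (opts == "" ? $i : opts " " $i); i++
            }
            if (i > NF) { print "UNPARSED", $0, "", ""; next }
            if ($i ~ /^[0-9]+$/) {               # SSH-1: bits exponent modulus comment
                type = "rsa1"; blob = $(i + 2); c = i + 3
            } else {                             # SSH-2: type blob comment
                type = $i; blob = $(i + 1); c = i + 2
            }
            comment = ""
            for (j = c; j <= NF; j++) comment = (comment == "" ? $j : comment " " $j)
            print type, blob, comment, opts
        }'
}

# unexpected_keys ALLOWLIST: print every key from stdin whose blob is not in
# the space-separated ALLOWLIST. Anything printed needs an explanation.
unexpected_keys() {
    list_keys | awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        !($2 in ok) { print }'
}

# Stand-alone run against the constructed sample: prints only the intruder key.
printf '%s\n' "$SAMPLE_AUTH_KEYS" | unexpected_keys "$KNOWN_GOOD_BLOBS"
```

On a real box run it as `unexpected_keys "$(cat known-good-blobs)" < ~/.ssh/authorized_keys`, and repeat for every account that has a .ssh directory, root included; the allow-list should live somewhere the intruder could not have edited (a printout or another machine). It only addresses the second of the two possibilities in the reply: a trojaned sshd still lets the intruder in regardless of what authorized_keys says, which is why the binary itself has to be verified against the package or reinstalled from trusted media.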

