On Tue, 01 Mar 2005 10:22:54 +0100, timebandit <[EMAIL PROTECTED]> wrote:
> My first break-in this morning, then :/
> Any good ways/tricks/recommendations for making the box more secure?
> Running Debian testing with 2.4.29 and only a few ports open, such as
> 22, 25, 80, 161, 443, 993...
> Mar  1 04:51:40 DZN sshd[23046]: Failed password for illegal user sonya from 
> 198.104.144.59 port 42522 ssh2
> Mar  1 04:51:41 DZN sshd[23050]: Illegal user tony from 198.104.144.59
> Mar  1 04:51:41 DZN sshd[23050]: error: Could not get shadow information for 
> NOUSER
> Mar  1 04:51:41 DZN sshd[23050]: Failed password for illegal user tony from 
> 198.104.144.59 port 42561 ssh2
> Mar  1 04:51:43 DZN sshd[23052]: Illegal user just from 198.104.144.59
> Mar  1 04:51:43 DZN sshd[23052]: error: Could not get shadow information for 
> NOUSER
> Mar  1 04:51:43 DZN sshd[23052]: Failed password for illegal user just from 
> 198.104.144.59 port 42604 ssh2
> Mar  1 04:51:44 DZN sshd[23054]: Illegal user justice from 198.104.144.59
> Mar  1 04:51:44 DZN sshd[23054]: error: Could not get shadow information for 
> NOUSER
> Mar  1 04:51:44 DZN sshd[23054]: Failed password for illegal user justice 
> from 198.104.144.59 port 42646 ssh2
> Mar  1 04:51:46 DZN sshd[23056]: Illegal user bank from 198.104.144.59
> Mar  1 04:51:46 DZN sshd[23056]: error: Could not get shadow information for 
> NOUSER
> Mar  1 04:51:46 DZN sshd[23056]: Failed password for illegal user bank from 
> 198.104.144.59 port 42695 ssh2
> Mar  1 04:51:47 DZN sshd[23060]: Illegal user vip from 198.104.144.59
> Mar  1 04:51:47 DZN sshd[23060]: error: Could not get shadow information for 
> NOUSER
> Mar  1 04:51:47 DZN sshd[23060]: Failed password for illegal user vip from 
> 198.104.144.59 port 42735 ssh2

I get lots of these too.

> Mar  1 06:25:04 DZN su[26029]: + ??? root:nobody
> Mar  1 06:25:04 DZN su[26029]: (pam_unix) session opened for user nobody by 
> (uid=0)
> 
> Also a lot of Failed password for root in the logs :/ They
> apparently managed to get in this morning, but I managed to pull the
> network cable before they did any damage... they ran something with find,
> but I can't find anything in the logs showing what they did :/

Well, a good first step is to make sure that it says
  PermitRootLogin no
in /etc/ssh/sshd_config.

I don't do all that much hardening myself, but I run chkrootkit and
logcheck (to avoid having to dig through the logs myself)


/Martin
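
A way to triage log lines like the ones quoted in this thread, added here as an example (not code from either poster): it counts failed sshd password attempts per source address and flags any accepted login that follows a run of failures from the same address. The sample lines, hostname and addresses are constructed, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted above (not the poster's log).
SAMPLE_LOG = """\
Mar  1 04:51:40 host sshd[100]: Failed password for illegal user sonya from 192.0.2.10 port 42522 ssh2
Mar  1 04:51:41 host sshd[101]: Illegal user tony from 192.0.2.10
Mar  1 04:51:41 host sshd[101]: Failed password for illegal user tony from 192.0.2.10 port 42561 ssh2
Mar  1 04:51:43 host sshd[102]: Failed password for root from 192.0.2.10 port 42604 ssh2
Mar  1 04:51:44 host sshd[103]: Failed password for root from 192.0.2.10 port 42646 ssh2
Mar  1 04:51:50 host sshd[104]: Accepted password for root from 192.0.2.10 port 42700 ssh2
Mar  1 05:10:02 host sshd[105]: Failed password for martin from 198.51.100.7 port 51000 ssh2
Mar  1 05:10:09 host sshd[106]: Accepted password for martin from 198.51.100.7 port 51002 ssh2
"""

# "illegal user" is the wording in the quoted log; newer OpenSSH says "invalid user".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):
    """Per source IP: failures, names tried, and logins accepted after guessing."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted_after": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # e.g. the "Illegal user ..." and shadow-information lines
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif s["failed"] >= threshold:
            # A success preceded by many failures from the same IP needs triage.
            s["accepted_after"].append(m["user"])
    return dict(stats)

def report(stats, threshold=3):
    for ip, s in sorted(stats.items()):
        if s["failed"] >= threshold:
            print(f"{ip}: {s['failed']} failed, users={sorted(s['users'])}, "
                  f"accepted after guessing={s['accepted_after']}")

if __name__ == "__main__":
    report(summarize(SAMPLE_LOG))
```

With `PermitRootLogin no` set as suggested above, the `Accepted password for root` case in the sample could not occur over SSH.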
