In the immortal words of Glenn Sieb <[EMAIL PROTECTED]>...
> I've been getting this for weeks. They're all under APNIC, and emails
> to [EMAIL PROTECTED] involved networks has gone unanswered.

I've been getting these as well, but from a multitude of address spaces.
Not just APNIC.

> The easiest way to protect this is to check your sshd_config and set:
> PermitRootLogin no

Agreed.  However if you 'Absolutely' require something to be done
remotely as root, make it a pub/priv key sequence and limit the command
using the keys.  i.e.:
change sshd_config to PermitRootLogin without-password
and set up
command="/usr/local/bin/rsync --server --daemon ." ssh-dss <snip actual
in the authorized_keys file.  This limits the abilities of the remote
login to just running the rsync command with the specified switches.
Anything else just doesn't work.

> Which, if you're exposed to the 'Net would be a sane practice--force 
> people to log in as themselves and su (or sudo or sudoscript) to root.

Very sane practice.

> Admittedly, I am not sure about the rest of your posting. When I run 
> last, (on 4.10-STABLE) it shows logins back to the 1st of September.

It is possible that the box was compromised and the utmp/wtmp log
removed/edited/etc, and I would start looking immediately for other
traces of a possible intrusion.

Cheers & good luck


Spyderweb Consulting
Phone: +61 0401088479
[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
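The forced-command setup described in the reply above, as an added example that is not part of the original thread or of OpenSSH itself. It builds the kind of restricted authorized_keys entry the post sketches (pinning a root key to a single rsync server command and switching off forwarding and PTY allocation), and adds two small checks a defender would run afterwards: what PermitRootLogin an sshd_config actually sets, and how many entries in an authorized_keys file carry no forced command. The key material, the sample config text and the function names are constructed for the example; the rsync command is the one from the post. Note that current OpenSSH spells the setting "prohibit-password" and still accepts "without-password" as an alias.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Helpers for a forced-command root key plus two audit checks.
# All sample input (keys, config lines) below is constructed.

# Build one authorized_keys line that forces a single command and disables
# port/X11/agent forwarding and PTY allocation. Arguments: the command,
# then the public key line ("ssh-ed25519 AAAA... comment").
restricted_key_entry() {
    cmd="$1"
    shift
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$*"
}

# Print the effective PermitRootLogin value from an sshd_config read on
# stdin. sshd honours the first occurrence of a keyword, so the first
# non-comment match wins; "unset" means the compiled-in default applies,
# which differs between OpenSSH releases and therefore deserves a look.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# Count authorized_keys entries (stdin) that have no forced command.
# Blank lines and comments are skipped. For a root authorized_keys file
# the expected answer is 0.
unrestricted_entries() {
    awk '/^[ \t]*(#|$)/ { next }
         !/command="/    { n++ }
         END            { print n + 0 }'
}

# Demonstration on constructed data (key is not a real key).
entry=$(restricted_key_entry '/usr/local/bin/rsync --server --daemon .' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal backup@example')
echo "authorized_keys entry:"
echo "$entry"

echo "PermitRootLogin in sample config:"
printf '# hardened per thread\nPort 22\nPermitRootLogin without-password\n' | permit_root_login

echo "unrestricted entries in sample authorized_keys:"
printf '%s\n# old key, no forced command\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherFakeKey admin@example\n' \
    "$entry" | unrestricted_entries
```

Running the script prints the restricted entry, then `without-password` for the sample config, then `1` because the second constructed key has no `command=` option. Pair the forced command with `PermitRootLogin without-password` (or `prohibit-password`) so a stolen root password alone cannot open an interactive session.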