In the immortal words of Glenn Sieb <[EMAIL PROTECTED]>...
> I've been getting this for weeks. They're all under APNIC, and emails
> to [EMAIL PROTECTED] involved networks have gone unanswered.
I've been getting these as well, but from a multitude of address spaces.
Not just APNIC.
> The easiest way to protect this is to check your sshd_config and set:
> PermitRootLogin no
Agreed. However, if you 'Absolutely' require something to be done
remotely as root, make it a pub/priv key sequence and limit the command
using the keys. i.e.:
change sshd_config to PermitRootLogin without-password
and set up
command="/usr/local/bin/rsync --server --daemon ." ssh-dss <snip actual
in the authorized_keys file. This limits the abilities of the remote
login to just running the rsync command with the specified switches.
Anything else just doesn't work.
> Which, if you're exposed to the 'Net would be a sane practice--force
> people to log in as themselves and su (or sudo or sudoscript) to root.
Very sane practice.
> Admittedly, I am not sure about the rest of your posting. When I run
> last, (on 4.10-STABLE) it shows logins back to the 1st of September.
It is possible that the box was compromised and the utmp/wtmp log
removed/edited/etc, and I would start looking immediately for other
traces of a possible intrusion.
Cheers & good luck
Tim Aslat <[EMAIL PROTECTED]>
Phone: +61 0401088479
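An added check for the two settings this reply describes (not code from the thread or from OpenSSH): it reads the effective PermitRootLogin value from an sshd_config file and flags any entry in root's authorized_keys that lacks the forced `command="..."` restriction. File paths are passed as arguments; make_samples() writes constructed sample files with placeholder key material for a dry run.

```shell
# Effective PermitRootLogin: sshd honours the first uncommented occurrence,
# and OpenSSH releases before 7.0 default to "yes" when the keyword is absent.
# Keyword matching here is case-sensitive (a simplification of sshd's parser).
permit_root_login() {
    config="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        if [ "$1" = "PermitRootLogin" ]; then
            echo "$2"
            return 0
        fi
    done < "$config"
    echo "yes"
}

# Print every key line in FILE that carries no command= option.
# Returns 0 when all keys are restricted to a forced command, 1 otherwise.
audit_authorized_keys() {
    file="$1"
    unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                                   # blank line or comment
            *command=\"*) ;;                              # forced command present
            *) echo "UNRESTRICTED: $line"; unrestricted=1 ;;
        esac
    done < "$file"
    [ "$unrestricted" -eq 0 ]
}

# Constructed sample files (placeholder key material, not real keys).
# The sshd_config sample lists the keyword twice to show that the first wins.
make_samples() {
    dir=$(mktemp -d)
    printf '# constructed sshd_config\nPermitRootLogin without-password\nPermitRootLogin yes\n' \
        > "$dir/sshd_config"
    printf 'command="/usr/local/bin/rsync --server --daemon ." ssh-dss AAAAPLACEHOLDER backup@host\n' \
        > "$dir/authorized_keys_good"
    printf 'command="/usr/local/bin/rsync --server --daemon ." ssh-dss AAAAPLACEHOLDER backup@host\nssh-dss AAAAPLACEHOLDER admin@laptop\n' \
        > "$dir/authorized_keys_bad"
    echo "$dir"
}
```

Run against the real files with `permit_root_login /etc/ssh/sshd_config` and `audit_authorized_keys /root/.ssh/authorized_keys`; any line reported as UNRESTRICTED gives a full root shell to whoever holds that private key.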
[EMAIL PROTECTED] mailing list