August 12th, 2004, 3:01 AM   #1
Linux Security References

Found this while browsing LinuxQuestions.org's forum:

Quote:
SSH login attempts ( post #1)

There appears to be some form of automated malware circulating around the internet in the last 2 weeks. It attempts sshd logins using simple username-password combinations. A sample scan looks like:

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

Several reports indicate that the malicious code is a scanner designed to identify systems with weak username/passwords. Once a weak system is identified, its IP address is appended to a list for manual exploitation later on. However, the possibility of an unknown exploit has not been ruled out.

All Linux users are recommended to implement a sensible username and password policy in order to avoid being compromised by this tool. An example of a sensible policy would be at least the use of non-dictionary, alpha-numeric+punctuation characters. Restricting sshd access to only those systems necessary will further reduce the possibility of compromise. Access restriction can be done using iptables or tcp_wrappers (hosts.allow/deny).

Further information about this tool and failed sshd logins can be found here:
http://lists.netsys.com/pipermail/f...uly/024612.html
http://dev.gentoo.org/~krispykringle/sshnotes.txt
http://isc.sans.org/diary.php?date=2004-08-04

I definitely believe if you're running your own dedicated server, you should subscribe to some sort of newsletter or newsgroup concerning Linux Security Administration. I, unfortunately, am guilty of having NOT subscribed to one, but I'll change that in the near future. When I find some good groups or lists, I'll post them up for everyone to check out.

Interesting Linux Security Oriented Links
LinuxQuestions.org -- http://www.linuxquestions.org/questi...threadid=45261
Distributed Intrusion Detection System -- http://www.dshield.org/
Denial of Service Attacks -- http://www.cert.org/tech_tips/denial_of_service.html
Basics, important sites, HOWTO's, handbooks, hardening, tips
__________________
-( NokiaX )-


http://www.eclipse-business.com
Saprus
Dedicated

This made me "LoL"
"Unleashedgamers (5:39:21 AM): where you a script kiddie?"

nokiaxv2 is offline  
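
Added example, not part of the quoted post: a shell function that counts the "Illegal user" probes shown in the sample scan per source address, so a single host cycling through usernames stands out. The log lines are constructed (documentation addresses replace the masked source), the function names and default threshold are assumptions, and the match also accepts the "Invalid user" wording that later OpenSSH releases log.

```shell
#!/bin/sh
# Added example: summarise sshd unknown-user probes per source address.
# Reads syslog lines on stdin and prints "source attempts distinct_users"
# for each source with at least $1 attempts (default 5), busiest first.
ssh_probe_summary() {
    awk -v min="${1:-5}" '
        # "Illegal user" is the form in the post; later OpenSSH releases
        # log "Invalid user" for the same event.
        /sshd ?\[[0-9]+\]: (Illegal|Invalid) user / {
            u = 0; f = 0
            for (i = 2; i <= NF; i++) {
                if (!u && $i == "user" && $(i-1) ~ /^(Illegal|Invalid)$/) u = i
                # The name is chosen by the remote side, so trust only
                # the LAST "from" token as the source marker.
                if ($i == "from") f = i
            }
            if (!u || f <= u || f == NF) next
            name = ""
            for (i = u + 1; i < f; i++) name = name " " $i
            src = $(f + 1)
            attempts[src]++
            if (!((src, name) in seen)) { seen[src, name] = 1; users[src]++ }
        }
        END {
            for (src in attempts)
                if (attempts[src] >= min)
                    print src, attempts[src], users[src]
        }
    ' | sort -k2,2nr
}

# Constructed sample: the scan from the post with a documentation address
# substituted for the masked source, plus unrelated traffic.
sample_log() {
    cat <<'EOF'
Jul 19 21:04:33 server sshd[28379]: Illegal user test from 192.0.2.10
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from 192.0.2.10
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from 192.0.2.10
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from 192.0.2.10
Jul 19 21:04:38 server sshd[28387]: Illegal user user from 192.0.2.10
Jul 19 21:10:02 server sshd[28400]: Illegal user bob from 198.51.100.7
Jul 19 21:12:40 server sshd[28420]: Invalid user oracle from 198.51.100.7 port 50514
Jul 19 21:13:15 server sshd[28431]: Accepted password for alice from 203.0.113.5 port 4022 ssh2
EOF
}

sample_log | ssh_probe_summary 5
```

A source that tries many distinct names within a few seconds, as in the sample scan, is a candidate for the iptables or tcp_wrappers restrictions the quoted post recommends.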

August 13th, 2004, 2:29 AM   #2
Now some ways to protect your server against this

1. Add your main NON user account to the wheel group (Make sure they have an ssh account)
2. Locate your sshd config file (normally /etc/ssh/sshd_config)
3. Edit your sshd file ("# pico /etc/ssh/sshd_config")
4. Uncomment out the protocol and delete the ,1
5. At the bottom add:
PermitRootLogin no
AllowUsers user1 user2 user3
6. To login to root you now must "# ssh theuseryouaddedtothewheelgroup[at]youripaddress"
Once logged into that account you "# su root" and enter your password and you're now logged into root!

Note #1: Now when getting support from Surpass you must tell them to login to your wheel group user and switch to root.

Note #2: If you feel uncomfortable doing this yourself get Surpass to do it for you.

Massive props to nokiaxv2 for this!


A link of interest for your sshd config:
http://www.openbsd.org/cgi-bin/man.c...penBSD+Current
__________________
"A lot of people are waiting for Martin Luther King or Mahatma Gandhi to come back -- but they are gone. We are it. It is up to us. It is up to you."
— Marian Wright Edelman
Travis is offline  
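
Added example, not from the thread: one way to check that an sshd_config file carries the settings from the steps above. The function names and sample files are constructed, and missing keywords are assumed to fall back to Protocol 2,1 and PermitRootLogin yes, the defaults of OpenSSH releases of that period.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the
# settings in the steps above (Protocol, PermitRootLogin, AllowUsers).
# Prints PASS/FAIL per check and returns non-zero if any check fails.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # conditional blocks start here
        # sshd keeps the first value it reads for a keyword
        key == "protocol" && proto == ""       { proto = $2 }
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        key == "allowusers" { for (i = 2; i <= NF; i++) allow = allow " " $i }
        END {
            # Assumption: unset keywords fall back to the period defaults
            if (proto == "") proto = "2,1"
            if (root == "")  root = "yes"
            n = split(proto, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") v1 = 1
            if (v1) { print "FAIL Protocol " proto " (protocol 1 allowed)"; bad = 1 } else print "PASS Protocol " proto
            if (root != "no") { print "FAIL PermitRootLogin " root; bad = 1 } else print "PASS PermitRootLogin no"
            if (allow == "") { print "FAIL AllowUsers not set"; bad = 1 } else print "PASS AllowUsers" allow
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample files: one weak (Protocol still commented out, a
# later "no" that loses to an earlier "yes"), one following the steps.
write_samples() {
    printf '%s\n' '#Protocol 2,1' 'Port 22' \
        'PermitRootLogin yes' 'PermitRootLogin no' > "$1/weak.conf"
    printf '%s\n' 'Port 22' 'Protocol 2' 'PermitRootLogin no' \
        'AllowUsers user1 user2 user3' > "$1/hardened.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd_config "$dir/$f.conf" || true
done
rm -rf "$dir"
```

Settings inside Match blocks are conditional and are not evaluated here; where the installed sshd supports it, sshd -T prints the effective configuration.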

August 13th, 2004, 3:35 AM   #3
Didn't this happen to you before unleashed? Or was that cPanel.
__________________
When I get sad, I stop being sad, and be AWESOME instead. True story.
Ancyru is offline  

August 13th, 2004, 4:17 AM   #4
Yep..... Should I be worried?
Travis is offline  

August 20th, 2004, 3:17 PM   #5
Here's a good link of the day
http://security.linux.com/article.pl...1546229&tid=90
http://security.linux.com/article.pl...4&tid=2&tid=74
Travis is offline  

August 20th, 2004, 3:53 PM   #6
Linux Administrator's Security Guide
Linux Administration Made Easy
Travis is offline  

August 26th, 2004, 7:09 PM   #7
linuxsecurity.org
Unleashed2k is offline  

July 16th, 2005, 11:50 AM   #8
Also, be sure to make your /tmp directory nosuid,noexec
cdrake is offline  

August 17th, 2005, 5:47 AM   #9
cdrake, how is the server working out good?
__________________
Emmanuel :: Surpass Hosting Network Admin
http://www.SurpassHosting.com
Emmanuel is offline  