[ILUG] sshd
Justin Mason
jm at jmason.org
Thu Nov 23 14:16:27 GMT 2006
Keith Hyland writes:
> a web-facing box (on a DMZ) i'm responsible for has recently shown
> increased traffic: lighting up my adsl router.
>
> the volumes are not large, but rather constant and it seems to be
> evenly split incoming/outgoing. It appears to be on port 22, which,
> along with port 80, are the only two ports forwarded from the firewall.
>
> I believe it's on port 22 as when i close that port on the f/w the
> activity stops.
>
> I have to allow ssh access to *one* remote user to admin the website.
>
> I've checked with the remote user and her activity pattern/timing
> doesn't fit the traffic i'm seeing.
>
> the distro is suse 9.3, patched monthly.
>
> With this in mind i had a look around the box, and found something i
> think is odd:
>
> all the files in /etc/pam.d are dated back to 2005 except for
> /etc/pam.d/sshd
>
> > #%PAM-1.0
> > auth include common-auth
> > auth required pam_nologin.so
> > account include common-account
> > password include common-password
> > session include common-session

so far so good.

> > # Enable the following line to get resmgr support for
> > # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> > #session optional pam_resmgr.so fake_ttyname

No sign of this one on my Ubuntu edgy box or our debian server...
could be a SuSEism though. going by google, it seems ok.

You may want to edit /etc/ssh/sshd_config and turn off password
logins (require keys), and add an "AllowUsers" line for that
one user you want to permit. See "man sshd_config".

--j.

> which is dated Nov. 10 2006
>
> I haven't been near that box since October.
>
> Is this likely to be caused by the regular automated online updates or
> has someone been sneaking around in here?
>
> I really don't want to tear it all down and start again
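
Added example, not part of the original email: a small audit of sshd_config text for the two changes suggested in the reply (password logins off, AllowUsers limited to one account). The sample configs and the account name "webadmin" are constructed, and the ChallengeResponseAuthentication check is an addition beyond what the email says.

```python
# Added example. Sample configs and the account "webadmin" are constructed.
def parse_global(text):
    """Parse the global part of an sshd_config into {keyword: [args]}.

    Keywords are case-insensitive and sshd uses the first occurrence of a
    keyword; AllowUsers lines are collected together. Parsing stops at the
    first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.replace("=", " ", 1).split()
        if not fields or line.startswith("#"):
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "match":
            break
        if key == "allowusers":
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)  # first occurrence wins
    return settings

def audit(text, permitted):
    """Return findings; an empty list means the suggested changes are in place."""
    s = parse_global(text)
    first = lambda key, default: (s.get(key) or [default])[0]
    findings = []
    if first("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # Addition beyond the email: with UsePAM on, keyboard-interactive
    # (ChallengeResponseAuthentication) can still ask PAM for a password.
    if (first("usepam", "no") == "yes"
            and first("challengeresponseauthentication", "yes") != "no"):
        findings.append("ChallengeResponseAuthentication is not 'no' with UsePAM yes")
    allowed = s.get("allowusers", [])
    extra = sorted(set(allowed) - set(permitted))
    if not allowed:
        findings.append("no AllowUsers line")
    elif extra:
        findings.append("AllowUsers also permits: " + " ".join(extra))
    return findings

# The later "PasswordAuthentication no" is ignored: the earlier line wins.
SAMPLE_BEFORE = ("UsePAM yes\n#PasswordAuthentication no\n"
                 "passwordauthentication yes\nPasswordAuthentication no\n")
SAMPLE_AFTER = ("UsePAM yes\nPasswordAuthentication no\n"
                "ChallengeResponseAuthentication no\nAllowUsers webadmin\n")

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit(text, {"webadmin"}) or "ok")
```

After editing the real file, "sshd -t" checks it for syntax errors before the daemon is restarted.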