[ILUG] sshd
r.harron at ntlworld.com
Thu Nov 23 15:20:26 GMT 2006
Good comments already mentioned but I can't believe no one has mentioned
key based authentication for the 1 user who requires sshd access, that
will mitigate the problem of people stealing passwords :-)
You can also limit the connection to only allow from 1 ip address, and
disable root ssh access if not already done so.
sno
Keith Hyland wrote:
> a web-facing box (on a DMZ) i'm responsible for has recently shown
> increased traffic: lighting up my adsl router.
>
> the volumes are not large, but rather constant and it seems to be
> evenly split incoming/outgoing. It appears to be on port 22, which,
> along with port 80, are the only two ports forwarded from the firewall.
>
> I believe it's on port 22 as when i close that port on the f/w the
> activity stops.
>
> I have to allow ssh access to *one* remote user to admin the website.
>
> I've checked with the remote user and her activity pattern/timing
> doesn't fit the traffic i'm seeing.
>
> the distro is suse 9.3, patched monthly.
>
> With this in mind i had a look around the box, and found something i
> think is odd:
>
> all the files in /etc/pam.d are dated back to 2005 except for
> /etc/pam.d/sshd
>
>> #%PAM-1.0
>> auth include common-auth
>> auth required pam_nologin.so
>> account include common-account
>> password include common-password
>> session include common-session
>> # Enable the following line to get resmgr support for
>> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
>> #session optional pam_resmgr.so fake_ttyname
>
> which is dated Nov. 10 2006
>
> I haven't been near that box since October.
>
> Is this likely to be caused by the regular automated online updates or
> has someone been sneaking around in here?
>
> I really don't want to tear it all down and start again
>
>
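As an added example, not part of sno's reply or Keith's mail, here is a small POSIX shell audit that checks an sshd_config for the three settings the reply recommends: key-only logins, root login disabled, and the one admin user allowed only from one address. The two configurations, the user name `webadmin`, the address `192.0.2.10` and the temp file paths are constructed placeholders; the check itself only reads the file, so it runs anywhere without sshd installed.

```shell
#!/bin/sh
# Added example (not from the ILUG thread). Audits an sshd_config for:
#   PermitRootLogin no, PasswordAuthentication no, AllowUsers user@host.
# All file contents, user names and addresses below are constructed.

WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Constructed "before" configuration: passwords accepted, root may log in,
# any source address may try.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed hardened configuration for a single admin from one address.
# With UsePAM yes, ChallengeResponseAuthentication must also be off or PAM
# can still prompt for a password via keyboard-interactive.
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Only the web admin, and only from her fixed address (placeholder values).
AllowUsers webadmin@192.0.2.10
EOF

# Effective value of a directive. sshd uses the first uncommented occurrence,
# so print that one; empty output means the directive is unset.
sshd_value() {
    # $1 = config file, $2 = directive name (directive names are case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 when the file meets all three recommendations, 1 otherwise,
# printing one line per failed check.
audit_sshd_config() {
    f="$1"; rc=0
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
        || { echo "$f: PermitRootLogin should be no"; rc=1; }
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] \
        || { echo "$f: PasswordAuthentication should be no (use keys)"; rc=1; }
    [ -n "$(sshd_value "$f" AllowUsers)" ] \
        || { echo "$f: no AllowUsers user@host restriction"; rc=1; }
    return $rc
}

# Demonstration: the weak file fails, the hardened file passes.
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    if audit_sshd_config "$cfg"; then
        echo "$cfg: ok"
    fi
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; after changing the live config, keep an existing session open and confirm a fresh key-based login works before closing it, since a typo in AllowUsers locks everyone out.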