Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Karsten Dambekalns írta:
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
I don't know which user account got hacked, if this was what has happened.
It's important to know whether it's an existing account, imho.
Do you use AllowUsers or AllowGroup?
No. I hate to admit I didn't know that this is possible. Take back the newbie
statement I made earlier. But if a legitimate user account got hacked, this
wouldn't have helped, right?
Right, but if not... I suggest, You should also turn on privilege separation and strict mode in
sshd, it they are not enabled.
Do you use DSA/RSA key only auth method?
Now I do. And it will stay that way, customers have to step back.
2.6.7 is vulnerable, 2.4.18 is also... use vanilla kernels with grsec!
Now I know. Seems reading bugtraq and the Debian security announce isn't
enough. Or I started to late. Or I read too fast. :(
Grsec it's not a miracle, just stops or make them impossible to work many common exploiting shemes,
and it's very useful. I think the 2.4 kernel line is better, if you don't have to you anything 2.6