[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)


Karsten Dambekalns írta:


On Thursday 21 July 2005 20:31, Andras Got wrote:

The users, the ones the machines was hacked, were they existing users on
the machine?

I don't know which user account got hacked, if this was what has happened.

It's important to know whether it's an existing account, imho.

Do you use AllowUsers or AllowGroup?

No. I hate to admit I didn't know that this is possible. Take back the newbie statement I made earlier. But if a legitimate user account got hacked, this wouldn't have helped, right?

Right, but if not... I suggest, You should also turn on privilege separation and strict mode in sshd, it they are not enabled.

Do you use DSA/RSA key only auth method?

Now I do. And it will stay that way, customers have to step back.

2.6.7 is vulnerable, 2.4.18 is also... use vanilla kernels with grsec!

Now I know. Seems reading bugtraq and the Debian security announce isn't enough. Or I started to late. Or I read too fast. :(

Grsec it's not a miracle, just stops or make them impossible to work many common exploiting shemes, and it's very useful. I think the 2.4 kernel line is better, if you don't have to you anything 2.6 specific.


Reply to: