
Re: checking if my system is compromised



Quoting Kamaraju Kusumanchi <kamaraju@bluebottle.com>:

> Here is what I have done so far
> 1) I have looked in various log files but could not find any
> suspicious activity.
> 

Turns out that I was dictionary attacked (thanks to /var/log/auth.log) via the ssh port. The intruder was able to gain access to the guest account. I created that account to reproduce a bug that I was experiencing in KDE, but forgot to delete it later. I do not yet know the extent of the damage or whether hir was able to gain root access to this system.

I also discovered that remote logins (via ssh) for the root account were enabled on this system. I have now disabled them.

Does anyone have suggestions on tightening up the default sshd_config file? I read about disabling the password authentication mechanism completely and using only key authentication. But this is too inconvenient to stick to. For example, if I go to a friend's machine, I would like to be able to ssh from it without having to transfer keys back and forth. Any other suggestions are welcome.

raju
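The two things raised in the message above are the sshd_config settings that left the box exposed and the auth.log entries that revealed the dictionary attack. The following shell script is an added example and is not part of the original thread or the poster's own work: it audits a config fragment for PermitRootLogin and PasswordAuthentication (both real OpenSSH directives), shows a tightened fragment beside the weak one, and counts "Failed password" lines per source address and flags any "Accepted password" login from an address that had already failed. The config contents, host name, user names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the two
# settings discussed in the thread and summarise password failures in auth.log.

# Constructed sample of the weak configuration described in the post:
# root may log in over ssh and passwords are accepted from anywhere.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# A tightened fragment: no root over ssh, keys only, few guesses per connection,
# and an explicit user list so a forgotten test account such as "guest" cannot
# be used even if it still exists. The user name "raju" is an assumption.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers raju'

# sshd_setting CONFIG KEY -> prints the value of KEY. The first match wins, as
# in sshd itself; comment lines are skipped and the keyword is case-insensitive.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG -> one FINDING line per problem; exit status 1 if any.
audit_sshd() {
    findings=0
    root=$(sshd_setting "$1" PermitRootLogin)
    pw=$(sshd_setting "$1" PasswordAuthentication)
    case "$root" in
        no) ;;
        "") echo "FINDING: PermitRootLogin not set; add 'PermitRootLogin no'"; findings=1 ;;
        *)  echo "FINDING: PermitRootLogin is '$root'; set it to no"; findings=1 ;;
    esac
    case "$pw" in
        no) ;;
        *)  echo "FINDING: PasswordAuthentication is '${pw:-unset}'; passwords can be guessed over the network"; findings=1 ;;
    esac
    return $findings
}

# Constructed auth.log lines in the syslog format Debian's sshd writes.
SAMPLE_AUTH_LOG='Mar  3 02:14:01 box sshd[4123]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 02:14:03 box sshd[4125]: Failed password for invalid user test from 192.0.2.10 port 51240 ssh2
Mar  3 02:14:05 box sshd[4127]: Failed password for guest from 192.0.2.10 port 51244 ssh2
Mar  3 02:14:07 box sshd[4129]: Accepted password for guest from 192.0.2.10 port 51250 ssh2
Mar  3 09:30:11 box sshd[5001]: Accepted publickey for raju from 198.51.100.7 port 40022 ssh2'

# failed_by_source LOG -> "count address" lines, most failures first.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# accepted_after_failures LOG -> "user address" for each password login that
# was accepted from an address which had already failed: the signature of a
# dictionary attack that eventually succeeded, as happened to the guest account.
accepted_after_failures() {
    printf '%s\n' "$1" | awk '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1 }
        /Accepted password/ {
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "from" && ($(i+1) in bad)) print user, $(i+1)
        }'
}

# Demonstration on the constructed data (guarded so a finding does not abort).
echo "== weak config =="; audit_sshd "$WEAK_SSHD_CONFIG" || true
echo "== hardened config =="; audit_sshd "$HARDENED_SSHD_CONFIG" && echo "no findings"
echo "== failures per source =="; failed_by_source "$SAMPLE_AUTH_LOG"
echo "== accepted after failures =="; accepted_after_failures "$SAMPLE_AUTH_LOG"
```

On a real system the same functions can be fed the live files, e.g. `audit_sshd "$(cat /etc/ssh/sshd_config)"` and `failed_by_source "$(cat /var/log/auth.log)"`. If password authentication is kept for convenience, the rest of the hardened fragment (AllowUsers, MaxAuthTries, removing stale accounts) still shrinks what a dictionary attack can reach, and the second report is the one to watch for a guess that got through.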


