Re: checking if my system is compromised
Quoting Kamaraju Kusumanchi <firstname.lastname@example.org>:
> Here is what I have done so far
> 1) I have looked in various log files but could not find any
> suspicious activity.
Turns out that I was dictionary attacked (thanks to /var/log/auth.log) via the ssh port. The intruder was able to gain access to the guest account. I created that account to reproduce a bug that I was experiencing in KDE, but forgot to delete it later. I do not yet know the extent of the damage and whether hir was able to gain root access to this system.
I also discovered that remote logins (via ssh) for root account were enabled on this system. Now, I disabled them.
Does anyone have suggestions on tightening up the default sshd_config file? I read about disabling the password authentication mechanism completely and using only the key authorization mechanism. But this is too inconvenient to stick to. For example, if I go to a friend's machine, I would like to be able to ssh from it, without bothering about transferring keys back and forth. Any other suggestions are welcome.
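The triage the poster did by hand in /var/log/auth.log, as an added example (not the poster's code, and not part of the original thread): it parses Debian-style sshd syslog lines, counts failed logins per source address, and reports any login that sshd *accepted* from an address that had already failed repeatedly, which is the signature of a guessed password rather than a legitimate login. It also tallies which accounts were targeted, so you can see how much of the noise was aimed at root. The log lines, host name, addresses and user names embedded below are constructed for the example, not taken from the poster's machine; the only assumption about format is the wording OpenSSH on Debian writes to auth.log.

```python
"""Triage sshd entries from a Debian-style /var/log/auth.log for a password
dictionary attack and report which accounts the attacker actually got into.

Added illustration; not part of the original posting.  All sample data is
constructed.
"""
import re
from collections import defaultdict

# OpenSSH on Debian logs, for example:
#   Mar  5 02:13:01 box sshd[4001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
#   Mar  5 02:13:09 box sshd[4009]: Failed password for guest from 203.0.113.5 port 40009 ssh2
#   Mar  5 02:13:12 box sshd[4012]: Accepted password for guest from 203.0.113.5 port 40012 ssh2
_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd_line(line):
    """Return (timestamp, result, method, user, ip), or None for other lines."""
    m = _SSHD_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["result"], m["method"], m["user"], m["ip"])


def triage(lines, threshold=10):
    """Scan log lines in order and return a dict with:
      failures:    {ip: failed logins from that ip}
      targets:     {user: failed logins against that account}
      attackers:   ips whose failure count reached `threshold`
      compromised: [(timestamp, user, ip, method)] for logins accepted from an
                   ip that had already failed `threshold` times
    """
    failures = defaultdict(int)
    targets = defaultdict(int)
    attackers = set()
    compromised = []
    for line in lines:
        rec = parse_sshd_line(line)
        if rec is None:
            continue  # pam/session lines etc. are not relevant here
        ts, result, method, user, ip = rec
        if result == "Failed":
            failures[ip] += 1
            targets[user] += 1
            if failures[ip] >= threshold:
                attackers.add(ip)
        elif result == "Accepted" and ip in attackers:
            # Success only after a burst of failures from the same source:
            # the password was guessed, treat the account as compromised.
            compromised.append((ts, user, ip, method))
    return {"failures": dict(failures), "targets": dict(targets),
            "attackers": attackers, "compromised": compromised}


# Constructed sample log (hypothetical host "box", documentation addresses).
ATTACKER = "203.0.113.5"
_GUESSES = ["root", "admin", "test", "oracle", "guest"]
SAMPLE_LOG = []
for i in range(12):
    user = _GUESSES[i % len(_GUESSES)]
    # root and guest exist on the box; the others are logged as "invalid user".
    prefix = "" if user in ("root", "guest") else "invalid user "
    SAMPLE_LOG.append(
        f"Mar  5 02:13:{i:02d} box sshd[{4000 + i}]: Failed password for "
        f"{prefix}{user} from {ATTACKER} port {40000 + i} ssh2")
SAMPLE_LOG.append(
    f"Mar  5 02:13:12 box sshd[4012]: Accepted password for guest "
    f"from {ATTACKER} port 40012 ssh2")
# A legitimate user mistyping a password once from another address must not be
# reported as a compromise.
SAMPLE_LOG += [
    "Mar  5 08:01:02 box sshd[5100]: Failed password for alice from 192.0.2.10 port 51000 ssh2",
    "Mar  5 08:01:09 box sshd[5100]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Mar  5 08:01:09 box sshd[5100]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]


def sample_triage():
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    r = sample_triage()
    print("failed logins per source:", r["failures"])
    print("accounts targeted:", r["targets"])
    for ts, user, ip, method in r["compromised"]:
        print(f"COMPROMISED: {user} via {method} from {ip} at {ts}")
```

Run it against a real file with `triage(open("/var/log/auth.log"))`; the threshold of ten failures is a starting point, and the `targets` count is the quickest way to see how many of the guesses were aimed at root, the account the poster has now closed to remote login.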