[ubuntu-uk] Preventing a hack attempt

Matthew Daubney matt at daubers.co.uk
Sat Aug 28 08:05:03 BST 2010


On Sat, 2010-08-28 at 01:22 +0100, Daniel Case wrote:
> Hi there,
> 
> One of my servers has recently been attacked; it has one remote SSH
> user which cannot run 'sudo'. I made it like that so that if it was
> compromised, no-one would be able to do much.
> 
> However, someone managed to gain the password to that account on the
> server then used "vi /etc/passwd" to gain a list of users, then
> launched a bruteforce using su against my admin account.
> (that's what I can gather from the logs)
> 
> This did not get very far before I saw and kicked the user off and
> changed all of the passwords, but I would like to know how to prevent
> this sort of thing happening again.
> 
> I need to know mainly how to stop the SSH user running su in the first
> place and how to stop the user seeing files like /etc/passwd
> 
> Anyone have any suggestions?

DenyHosts is quite useful in stopping brute force attacks. After so many
failed attempts it just blocks the attacking IP.

-Matt Daubney
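
Added example, not part of the original message and not DenyHosts' own code: a threshold check over auth.log in the spirit of the blocking described above, extended to count the failed su attempts mentioned in the question per local account, since those have no source IP. The log lines are constructed, and the sshd and su message formats, thresholds and function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original thread). The sshd
# and su message formats are assumed; check them against your own log.
SAMPLE_LOG = """\
Aug 28 00:40:01 srv sshd[4101]: Failed password for remote from 203.0.113.7 port 50112 ssh2
Aug 28 00:40:05 srv sshd[4101]: Failed password for remote from 203.0.113.7 port 50112 ssh2
Aug 28 00:40:09 srv sshd[4103]: Failed password for remote from 203.0.113.7 port 50120 ssh2
Aug 28 00:40:30 srv sshd[4107]: Failed password for invalid user test from 198.51.100.9 port 40022 ssh2
Aug 28 00:41:12 srv sshd[4110]: Accepted password for remote from 203.0.113.7 port 50131 ssh2
Aug 28 00:43:10 srv su[4210]: FAILED su for admin by remote
Aug 28 00:43:14 srv su[4212]: FAILED su for admin by remote
Aug 28 00:43:18 srv su[4214]: FAILED su for admin by remote
Aug 28 00:43:22 srv su[4216]: FAILED su for admin by remote
"""

# Remote failures carry a source IP; local su failures only name the accounts.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SU_FAIL = re.compile(r"su\[\d+\]: FAILED su for (\S+) by (\S+)")


def find_offenders(log_text, ssh_threshold=3, su_threshold=3):
    """Return (IPs at or over the SSH threshold, (by, target) su offenders)."""
    ssh_fails = Counter()
    su_fails = Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            ssh_fails[m.group(2)] += 1
            continue
        m = SU_FAIL.search(line)
        if m:
            # Key on (calling account, target account).
            su_fails[(m.group(2), m.group(1))] += 1
    ips = sorted(ip for ip, n in ssh_fails.items() if n >= ssh_threshold)
    su_users = sorted(k for k, n in su_fails.items() if n >= su_threshold)
    return ips, su_users


if __name__ == "__main__":
    ips, su_users = find_offenders(SAMPLE_LOG)
    for ip in ips:
        print(f"sshd: {ip}")  # TCP wrappers hosts.deny entry format
    for by, target in su_users:
        print(f"local account {by!r} repeatedly failed su to {target!r}")
```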
