[ubuntu-uk] Preventing a hack attempt

Glen Mehn glen.mehn at oba.co.uk
Sat Aug 28 13:45:46 BST 2010

  You can't hide /etc/passwd because that's how the system translates 
userids into usernames (and thus how the system understands whether a 
user has access to a specific file or not)

What you might consider is using non-password authenticated SSH 
sessions-- you can do this in /etc/sshd/sshd_config (turn 
passwordAuthentication off) and put public keys in 

This isn't 100% secure, but it's often good for end-users who require 
shell access but perhaps can't be trusted to not use good passwords. 
Also, the password can't be given out. It may require a bit of fuddling 
on your end to make sure they're set up (you may need PuTTY and Pageant, 
for instance, if it's a Windows client). The keys are still stealable, 
but if you put a passphrase on the key it's a bit cleaner.

Of course, if the attacker has physical access to the compromised 
machine (or a keystroke logger or something) then you're perhaps a bit 
horked anyway.

On the upside, it's important to recognise that what you have *is 
working*-- you detected the attack before it became a problem.

I would echo Sean's advice about using nonstandard ports as well. Makes 
it a bit trickier to find & deal with, though not 100% sure. What you 
want to do is layer loads of 99% solutions up until you get a reasonable 

You might also consider using a chroot() environment for your user if 
that'll work for you.
On 28/08/10 01:22, Daniel Case wrote:
> Hi there,
> One of my servers has recently been attacked, it has one remote SSH 
> user which cannot run 'sudo', I made it like that so that if it was 
> compromised, no-one would be able to do much.
> However, someone managed to gain the password to that account on the 
> server then used "vi /etc/passwd" to gain a list of users, then 
> launched a brute force using su against my admin account.
> (that's what I can gather from the logs)
> This did not get very far before I saw and kicked the user off and 
> changed all of the passwords, but I would like to know how to prevent 
> this sort of thing happening again.
> I need to know mainly how to stop the SSH user running su in the first 
> place and how to stop the user seeing files like /etc/passwd
> Anyone have any suggestions? 

Glen Mehn
glen.mehn at oba.co.uk
skype: glenmehn | blog: http://glen.mehn.net/mba
UK: +44(0)7942 675 755 | US: +1 415 704 4737
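A small checker for the "turn password authentication off" advice above. This is an added example, not code from Glen's post or from the ubuntu-uk list: it parses sshd_config text the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, keywords inside a Match block only apply conditionally) and reports any setting that still leaves a password login path open. The three sample configs are constructed for the example; the default values it assumes for missing keywords are OpenSSH's documented defaults.

```python
"""Audit an sshd_config for settings that still allow password logins.

Added example for the thread above; the sample configs below are
constructed, not taken from any real server.
"""
import re

# Values that close the password login path. Keywords are lower-cased
# because sshd matches them case-insensitively.
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",  # keyboard-interactive path
    "permitemptypasswords": "no",
}

# OpenSSH defaults used when the keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Mirrors sshd's own rules: comments and blank lines are ignored, the
    keyword may be separated from its value by whitespace or '=', the
    FIRST occurrence of a keyword is the effective one, and anything after
    a 'Match' line is conditional and therefore skipped here. (Include
    directives are not followed; this reads one file's text only.)
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, expected_value) findings.

    An empty list means password logins are off and key logins are on.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed sample 1: a stock-looking config, passwords still on.
WEAK_CONFIG = """\
# constructed sample
Port 22
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Constructed sample 2: keys only, as the post suggests.
HARDENED_CONFIG = """\
# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
"""

# Constructed sample 3: the common mistake of appending "no" at the end of
# the file while an earlier "yes" is still present; sshd keeps the first.
TRAP_CONFIG = """\
PasswordAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("trap", TRAP_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

To run it against a real host, read the file (on Ubuntu it is /etc/ssh/sshd_config) and pass its contents to audit_sshd_config. After editing the file, validate it with `sshd -t` and keep an existing session open until a fresh key-based login has been confirmed, so a typo does not lock you out.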
