[ubuntu-uk] Preventing a hack attempt

Paul Morgan-Roach roachy at roachy.net
Sat Aug 28 09:01:22 BST 2010


> On Sat, 2010-08-28 at 01:22 +0100, Daniel Case wrote:
> > Hi there,
> > 
> > One of my servers has recently been attacked. It has one remote SSH
> > user which cannot run 'sudo'; I made it like that so that if it was
> > compromised, no-one would be able to do much.
> > 
> > However, someone managed to gain the password to that account on the
> > server then used "vi /etc/passwd" to gain a list of users, then
> > launched a bruteforce using su against my admin account.
> > (that's what I can gather from the logs)
> > 
> > This did not get very far before I saw and kicked the user off and
> > changed all of the passwords, but I would like to know how to prevent
> > this sort of thing happening again.
> > 
> > I need to know mainly how to stop the SSH user running su in the first
> > place and how to stop the user seeing files like /etc/passwd.
> > 
> > Anyone have any suggestions?
> 
> Denyhosts is quite useful in stopping brute force attacks. After so many
> failed attempts it just blocks the attacking IP.
> 
> -Matt Daubney
<snip>
Also consider using fail2ban. You could also configure your server to not permit root logins in /etc/ssh/sshd_config.

Also start using key-based authentication and do not permit password-based logins (if this is possible for your situation!)

Hope this helps.

P 
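
An added example, not part of the original message: a small audit of sshd_config text for the settings suggested in the reply above (no root logins, no password logins, key-based authentication). The names `WANTED`, `SAMPLE`, `parse` and `audit` are hypothetical, the sample config is constructed, and the script assumes a single file with no `Include` directives.

```python
import re

# Settings named in the reply above and the value each should have.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "pubkeyauthentication": "yes"}

# Constructed sample config (not from the original post).
SAMPLE = """\
Port 22
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
"""

def parse(text):
    """Split sshd_config text into global settings and Match overrides."""
    settings, overrides, match = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip('" ') if len(parts) > 1 else ""
        if key == "match":
            match = value                      # later lines are conditional
        elif match is None:
            settings.setdefault(key, value)    # sshd keeps the first value
        else:
            overrides.append((match, key, value))
    return settings, overrides

def audit(text):
    """Return findings for the WANTED settings."""
    settings, overrides = parse(text)
    findings = []
    for key, want in WANTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, build default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    for match, key, value in overrides:
        if key in WANTED and value.lower() != WANTED[key]:
            findings.append(f"{key}: '{value}' under Match {match}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample shows two ways a config can look hardened and not be: a later `permitrootlogin no` is ignored because the earlier `yes` was read first, and a `Match` block turns password logins back on for one user.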