<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="generator" content="Osso Notes"> <title></title></head> <body> > On Sat, 2010-08-28 at 01:22 +0100, Daniel Case wrote: > > Hi there, > > > > One of my servers has recently been attacked, it has one remote SSH > > user which cannot run 'sudo', i made it like that so that if it was > > comprimized, no-one would be able to do much. > > > > However, someone managed to gain the password to that account on the > > server then used "vi /etc/passwd" to gain a list of users, then > > launched a bruteforce using su against my admin account. > > (that's what I can gather from the logs) > > > > This did not get very far before I saw and kicked the user off and > > changed all of the passwords, but I would like to know how to prevent > > this sort of thing happening again. > > > > I need to know mainly how to stop the SSH user running su in the first > > place and how to stop the user seeing files like /etc/passwd > > > > Anyone have any suggestions? > > Denyhosts is quite useful in stopping brute force attacks. After so many > failed attempts it just blocks the attacking IP. > > -Matt Daubney <snip> Also consider using fail2ban. You could also configure your server to not permit root logins in the /etc/ssh/sshd_config Also start using key based authentication and do not permit password based logins (if this is possible for your situation!) Hope this helps. P </body> </html>