SSH hacked?
Phil Tann
phil.tann at gmail.com
Mon Jan 12 23:18:40 UTC 2009
NoOp wrote:
> For where it came from have a look in /var/log/auth.log
>
> It should show something along the lines of:
>
> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
> from 192.168.4.103 port 54921 ssh2
> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
> opened for user <username> by (uid=0)
> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
> closed for user <username>
>
> $ cat /var/log/auth.log |grep sshd
>
> To stop it happening again, I'd recommend looking into denyhosts &
> changing your ssh port number from the default 22.
>
>
I have found from personal experience that if a "determined person"
keeps hunting they go WAY outside the rane for standard ports. So I use
port 19 for ssh on a couple of systems I maintain. Its very occasional
that I even get a hit on 19. :)
Good Luck!
Phil Tann
phil.tann at gmail.com
More information about the ubuntu-users
mailing list