SSH hacked?
NoOp
glgxg at sbcglobal.net
Mon Jan 12 23:39:22 UTC 2009
On 01/12/2009 03:18 PM, Phil Tann wrote:
> NoOp wrote:
>> For where it came from have a look in /var/log/auth.log
>>
>> It should show something along the lines of:
>>
>> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
>> from 192.168.4.103 port 54921 ssh2
>> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
>> opened for user <username> by (uid=0)
>> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
>> closed for user <username>
>>
>> $ cat /var/log/auth.log |grep sshd
>>
>> To stop it happening again, I'd recommend looking into denyhosts &
>> changing your ssh port number from the default 22.
>>
>>
> I have found from personal experience that if a "determined person"
> keeps hunting they go WAY outside the range for standard ports. So I use
> port 19 for ssh on a couple of systems I maintain. It's very occasional
> that I even get a hit on 19. :)
>
> Good Luck!
>
> Phil Tann
> phil.tann at gmail.com
>
>
The only problem that I see with that is 19 is in the well-known ports
range (1-1023), is used by CHARGEN in Linux/Unix, and does get hit as well:
<http://isc.sans.org/port.html?port=19&repax=1&tarax=2&srcax=2&percent=N&days=70>
as it was/is used to attack MS:
http://support.microsoft.com/kb/169461
[Access Violation in Dns.exe Caused by Malicious Telnet Attack]
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://en.wikipedia.org/wiki/CHARGEN
Were I you, I'd select a different port that is not commonly used.
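
As an added example (not part of the original message), the auth.log check quoted above can be scripted: this parses sshd Accepted/Failed lines and flags accepted logins from an address that had repeated failures first. The sample lines, user name, host name and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Matches sshd "Accepted ..." and "Failed ..." lines as written to /var/log/auth.log.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (documentation addresses), not taken from a real host.
SAMPLE_LOG = """\
Jan 12 14:01:10 box sshd[12390]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 12 14:01:12 box sshd[12391]: Failed password for root from 203.0.113.7 port 40031 ssh2
Jan 12 14:01:15 box sshd[12392]: Failed password for alice from 203.0.113.7 port 40040 ssh2
Jan 12 14:01:19 box sshd[12393]: Accepted password for alice from 203.0.113.7 port 40055 ssh2
Jan 12 14:01:19 box sshd[12395]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 12 14:06:22 box sshd[12412]: Accepted password for alice from 192.168.4.103 port 54921 ssh2
Jan 12 14:06:32 box sshd[12414]: pam_unix(sshd:session): session closed for user alice
Jan 12 14:07:00 box CRON[12500]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def summarize(lines, threshold=3):
    """Return (accepted logins, failures per IP, accepted logins that
    followed at least `threshold` failures from the same IP)."""
    failures = Counter()
    accepted, suspicious = [], []
    for line in lines:
        m = SSHD_AUTH.match(line)
        if not m:
            continue  # session open/close, cron, and other non-auth lines
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
            continue
        entry = (m["ts"], m["user"], m["ip"], m["method"])
        accepted.append(entry)
        if failures[m["ip"]] >= threshold:
            suspicious.append(entry)
    return accepted, failures, suspicious

if __name__ == "__main__":
    accepted, failures, suspicious = summarize(SAMPLE_LOG.splitlines())
    for entry in accepted:
        flag = "  <-- after repeated failures" if entry in suspicious else ""
        print("{} {} from {} via {}{}".format(*entry, flag))
    for ip, n in failures.most_common():
        print(f"{n} failed attempts from {ip}")
```

To run it against a real host, pass the lines of /var/log/auth.log to `summarize()` instead of `SAMPLE_LOG`; reading that file normally requires root or membership in the `adm` group.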