SSH hacked?

Charlie Brune Ubuntu at
Tue Jan 13 03:03:07 UTC 2009

Knapp wrote:
> Today I was sitting next to my computer and I could hear the HD going 
> on and on, like I was doing a torrent or something. I was not doing 
> anything, so I looked to see what was running in the background. 
> Nothing like that was. Then I looked at my firewall and saw one 
> connection that was uploading to my computer with ssh. At this point 
> Firestarter crashed so I could not copy down the sender's address but 
> it was odd and ended in www.?????????????.NL
> I have about 4 people that can use SSH with my computer and the whole 
> system is set for using only gpg type passwords. So my questions are: 
> How can I find out what was uploaded? How could I have been hacked? 
> And, how can I stop it from happening again? For now the ssh port is 
> closed. This is not a problem because it is only used about one time a 
> quarter.
> Thanks!
> -- 
> Douglas E Knapp
> Amazon Gift Cards; let them choose!!
Here are some things I do to make sshd more secure.

1.  I have sshd listen to a port other than port 22 by adding a line like this to /etc/sshd_config:

           port 2222

     Note that I leave the "port 22" line in sshd_config.  Yes, this means that sshd is listening to two ports.

     I configure my router to direct port 2222 to my server.  Since both port 22 and port 2222 are being listened to, the machines within my network that are configured to simply use port 22 work without modification.

2.  I don't allow root to log in via ssh.  This is accomplished by changing the value of "PermitRootLogin" to "no" as follows:

     PermitRootLogin no

3.  I only allow a few hard-to-guess users to log in via ssh.  I do this by adding a line like this to /etc/sshd_config

     AllowUsers xg17 ffd42y jfjfkk11

     Once a user, such as "xg17" logs in, they use the "su" command to become the user they really want to be.

There are other things you can do, of course.  The main one would be to only allow public key authentication.  (i.e., script kiddies can't just do a brute-force attack).

I hope this helps.
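As an added example that is not part of this thread or of OpenSSH itself, the script below parses an sshd_config file the way sshd reads it (keywords are case-insensitive, `#` starts a comment, the first value of a keyword wins, and AllowUsers patterns are separated by whitespace, not commas) and flags the settings discussed in the reply above: PermitRootLogin, password vs. public-key authentication, AllowUsers, and the extra Port line. The two configs embedded in it are constructed for the example; the /etc/ssh/sshd_config path mentioned in the comments is the Debian/Ubuntu default and is an assumption about the reader's system.

```python
"""Audit an OpenSSH server config for the hardening settings discussed above.

Added example, not code from the mailing list thread or from OpenSSH.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: roughly what a stock config of that era looked like,
# plus the comma-separated AllowUsers mistake that sshd silently accepts.
WEAK_CONFIG = """
# /etc/ssh/sshd_config (constructed example, Debian/Ubuntu default path assumed)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers xg17, ffd42y, jfjfkk11
"""

# Constructed sample: the hardened form of the same file.
HARDENED_CONFIG = """
Port 22
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers xg17 ffd42y jfjfkk11
"""


def parse_sshd_config(text: str) -> Dict[str, List[List[str]]]:
    """Return {keyword_lowercase: [args_of_1st_occurrence, args_of_2nd, ...]}.

    Keywords are case-insensitive and may be followed by whitespace or '='.
    Parsing stops at the first 'Match' stanza (assumption: anything after it
    is conditional and needs separate review).
    """
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        args = parts[1].split() if len(parts) > 1 else []
        conf.setdefault(keyword, []).append(args)
    return conf


def first_value(conf: Dict[str, List[List[str]]], key: str) -> Optional[str]:
    """sshd uses the first value it obtains for a keyword; later ones are ignored."""
    occurrences = conf.get(key)
    if not occurrences or not occurrences[0]:
        return None
    return occurrences[0][0].lower()


def listening_ports(text: str) -> List[int]:
    """Every Port line counts: sshd listens on all of them (default 22 if none)."""
    conf = parse_sshd_config(text)
    ports = [int(args[0]) for args in conf.get("port", []) if args]
    return ports or [22]


def audit_sshd_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the checked settings are sane."""
    conf = parse_sshd_config(text)
    findings: List[str] = []

    root = first_value(conf, "permitrootlogin")
    if root != "no":
        findings.append(f"PermitRootLogin is {root or 'unset'}; set it to 'no'")
    if first_value(conf, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'; passwords can be "
                        "guessed online, prefer public keys only")
    if first_value(conf, "pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication is 'no'; keys cannot replace passwords")
    proto = first_value(conf, "protocol")
    if proto and "1" in proto.split(","):
        findings.append("Protocol 1 is enabled; use 'Protocol 2' only")

    allow = conf.get("allowusers")
    if allow is None:
        findings.append("AllowUsers is unset; every account with a shell may log in")
    else:
        names = [n for args in allow for n in args]  # AllowUsers lines accumulate
        bad = [n for n in names if "," in n]
        if bad:
            findings.append(f"AllowUsers entries {bad} contain commas; the list is "
                            "whitespace-separated, so those patterns never match a user")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] ports={listening_ports(cfg)}")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("   -", finding)
```

Two practical notes: a keyword missing from the file is not the same as "off", because sshd falls back to a compiled-in default, so run `sshd -T` as root to print the effective configuration and feed that output to the audit instead of the raw file. And the second Port line only changes which port an automated scanner has to find; it is convenience and log hygiene, while the real protection comes from `PermitRootLogin no`, `PasswordAuthentication no` and a short AllowUsers list.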

