Ubuntu at BruneWorld.com
Tue Jan 13 03:03:07 UTC 2009
> Today I was sitting next to my computer and I could hear the HD going
> on and on, like I was doing a torrent or something. I was not doing
> anything, so I looked to see what was running in the background.
> Nothing like that was. Then I looked at my firewall and saw one
> connection that was uploading to my computer with ssh. At this point
> firestarted crashed so I could not copy down the senders address but
> it was odd and ended in www.?????????????.NL
> I have about 4 people that can use SSH with my computer and the whole
> system is set for using only gpg type passwords. So my questions are;
> How can I find out what was uploaded? How could I have been hacked?
> And, how can I stop it from happing again? For now the ssh port is
> closed. This is not a problem because it is only used about one time a
> Douglas E Knapp
> Amazon Gift Cards; let them choose!!
Here are some things I do to make sshd more secure.
1. I have sshd listen to a port other than port 22 by adding a line I
like this to /etc/sshd_config:
Note that I leave the "port 22" line in sshd_config. Yes, this
means that sshd is listening to
I configure my router to direct port 2222 to my server. Since both
port 22 and port 2222 are
being listened to, the machines within my network that are
configured to simply use port
22 work without modification.
2. I don't allow root to log in via ssh. This is accomplished by
changing the value of
"PermitRootLogin" to "no" as follows:
3. I only allow a few hard-to-guess users to log in via ssh. I do this
by adding a line like this
AllowUsers xg17, ffd42y, jfjfkk11
Once a user, such as "xg17" logs in, they use the "su" command to
become the user they
really want to be.
There are other things you can do, of course. The main one would be to
only allow public key
authentication. (i.e., script kiddies can't just do a brute-force attack).
I hope this helps.
More information about the ubuntu-users