SSH hacked?

Charlie Brune Ubuntu at
Tue Jan 13 15:16:14 UTC 2009

On Tue, 13 Jan 2009 12:55:14 +0700, musicman <datakid at> wrote:

> On Tue, Jan 13, 2009 at 10:03 AM, Charlie Brune <Ubuntu at> wrote:
>
>> 3.  I only allow a few hard-to-guess users to log in via ssh.  I do this
>> by adding a line like this to /etc/sshd_config

>>     AllowUsers xg17 ffd42y jfjfkk11


>>     Once a user, such as "xg17" logs in, they use the "su" command to
>> become the user they really want to be.
>
> Doesn't that then mean you have no idea which of the three accounts is
> problematic or from which IP someone has broken in from should
> something nefarious happen?
>
> is it possible to/already happening that su commands are logged?
>
> very interesting discussion btw
>
> cheers
> L.
>
> --
> because "The Wire" makes "Law and Order" or "CSI" look like an episode
> of "The Brady Bunch."

I should have been more clear.  :)  Each of my "hard to guess" accounts has their own individual "real" accounts that they do their work from.

For example, the person using "xg17" to log in then su's to their real account of "john".  They are the only person who knows the password for "john".

Since there's a one-to-one relationship, I can tell when something is amiss.

Also, in regards to the "should I listen on a different port than port 22" discussion ... I completely eliminated the script-kiddie type attacks on my machine by listening to a port other than 22.  Of course, this is certainly not guaranteed to be the case forever, but it's nice for now.  And, of course, you have to have users/processes that support having the port moved.  YMMV.  :)

I agree ... this is fascinating stuff.
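
An added example, not part of the original post: one way to check the one-to-one relationship described above from su and sshd log entries, also recording the source IP of the login account's most recent ssh session. The log line formats, the sample lines and every account name other than xg17 and john are assumptions constructed for illustration.

```python
import re

# Expected login account -> real account pairs. xg17 -> john is from the post;
# the second pair is a hypothetical placeholder.
EXPECTED = {"xg17": "john", "ffd42y": "mary"}

# Assumed syslog formats for sshd logins and su attempts.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r"su\[\d+\]: (Successful|FAILED) su for (\S+) by (\S+)")

def audit(lines, expected=EXPECTED):
    """Return su events that break the one-to-one mapping or that failed."""
    last_ip = {}    # login account -> source IP of its most recent ssh login
    findings = []
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            last_ip[m.group(1)] = m.group(2)
            continue
        m = SU_RE.search(line)
        if not m:
            continue
        result, target, actor = m.groups()
        ip = last_ip.get(actor, "unknown")
        if expected.get(actor) != target:
            # su to an account this login is not paired with, or su by an
            # account that is not one of the ssh login accounts at all
            findings.append(("unexpected-target", actor, target, ip))
        elif result == "FAILED":
            findings.append(("failed-su", actor, target, ip))
    return findings

# Constructed sample lines in the style of /var/log/auth.log (not real logs).
SAMPLE = [
    "Jan 13 09:00:01 host sshd[2101]: Accepted password for xg17 from 192.0.2.10 port 51022 ssh2",
    "Jan 13 09:00:09 host su[2110]: Successful su for john by xg17",
    "Jan 13 09:14:30 host sshd[2200]: Accepted password for ffd42y from 198.51.100.7 port 40112 ssh2",
    "Jan 13 09:14:41 host su[2207]: FAILED su for mary by ffd42y",
    "Jan 13 09:15:02 host su[2211]: Successful su for john by ffd42y",
    "Jan 13 09:20:00 host su[2300]: Successful su for root by john",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```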

