
BLU Discuss list archive



break-in attempts on my server



David Hummel wrote:
> On Sun, Nov 20, 2005 at 05:15:35PM -0500, David Kramer wrote:
>>Note that I had just done a SuseWatcher upgrade.  I don't remember
>>what it upgraded, and don't know how to find out, but based on the
>>timing, I assume that's what killed Postfix.
> 
> Perhaps pay more attention to what the upgrade tool is doing under the
> hood.  If there isn't an easy way to find out, consider using a
> different tool.  Updaters shouldn't kill running servers, they should
> ensure that the servers are restarted after the update.  It's not clear
> if that's what's happening here.

I ran the update by hand, and I looked over the list, so I *knew* what it
installed, but I no longer did.  I may try to do some script funkiness to do
rpm -qai and see packages installed today, but it's history.  It came back
up fine, and seems to be working fine.  If I get bored enough, I might
restore /etc/postfix from my last backup and compare them.

I agree it shouldn't have happened.

>>So I started combing through my /var/log/messages and found LOTS of
>>entries like:
>>
> 8>< [ log entries ]
>>Is there *anything* else I can do?
> 
> Firewall rules are a start.  I would also disable password
> authentication, and use public keys.  There's also the obvious stuff
> like disabling root logins, etc.

I hesitate to go that route because it means I can't walk up to any
internet-enabled computer and connect to my server, as often happens.

Root logins were already disabled, though I did take dsr's idea and put in
the AllowUsers line to only allow ssh logins for about 4 users that need it.
For some reason, that variable was not in the config file template.  That
server is still running SuSE 9.0, so maybe it's a newer option.

I did change the root password to an even harder one, and rebooted to make
sure everything came back up right.

Thanks all.  I guess it's best to just ignore it, now that I tightened up
ssh a little and ensured nothing actually got through.


-- 
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD
DKK D  War- the first resort of the unimaginative
DK KD
DDDD
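The thread snips the actual log excerpt and names the sshd_config directives (PermitRootLogin, PasswordAuthentication, public keys, AllowUsers) only in prose. The script below is an added illustration, not code from the original post or from BLU: it tallies "Failed password" lines per source address and per attempted username over a few constructed /var/log/messages lines in the syslog format OpenSSH of that era wrote (older releases logged "illegal user", newer ones "invalid user"; both are matched), then parses two constructed sshd_config excerpts, a weak one and a hardened one, and reports which of the directives discussed are still loose and which attempted usernames fall outside AllowUsers. The hostnames, addresses, usernames and the five-failure threshold are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not the post's own excerpt, which was snipped).
# Addresses are from the documentation ranges; the host and users are invented.
SAMPLE_LOG = """\
Nov 20 16:02:11 myhost sshd[4123]: Illegal user test from 203.0.113.7
Nov 20 16:02:11 myhost sshd[4123]: Failed password for illegal user test from 203.0.113.7 port 51132 ssh2
Nov 20 16:02:14 myhost sshd[4125]: Failed password for illegal user guest from 203.0.113.7 port 51140 ssh2
Nov 20 16:02:17 myhost sshd[4127]: Failed password for illegal user admin from 203.0.113.7 port 51151 ssh2
Nov 20 16:02:20 myhost sshd[4129]: Failed password for root from 203.0.113.7 port 51160 ssh2
Nov 20 16:02:23 myhost sshd[4131]: Failed password for root from 203.0.113.7 port 51166 ssh2
Nov 20 17:10:02 myhost sshd[4201]: Failed password for david from 198.51.100.23 port 40011 ssh2
Nov 20 17:10:09 myhost sshd[4201]: Accepted password for david from 198.51.100.23 port 40011 ssh2
Nov 20 17:15:35 myhost postfix/master[812]: daemon started -- version 2.1.1
"""

# "illegal user" (older OpenSSH) and "invalid user" (newer) both mean the
# account does not exist; a plain "Failed password for <user>" means it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize_ssh_log(text):
    """Return (failures per source, failures per username, accepted logins)."""
    by_src, by_user, accepted = Counter(), Counter(), []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")] += 1
            by_user[m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:  # a success after failures from the same source is the line to chase
            accepted.append((m.group("user"), m.group("src"), m.group("method")))
    return by_src, by_user, accepted


def flag_sources(by_src, threshold=5):
    """Sources with at least `threshold` failures (threshold is an arbitrary choice)."""
    return sorted(src for src, n in by_src.items() if n >= threshold)


# Constructed sshd_config excerpts: the loose settings beside the tightened ones.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers david alice bob carol
"""


def parse_sshd_config(text):
    """Map lower-cased directive to value; first occurrence wins, as sshd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return conf


def audit_sshd_config(conf):
    """List the weak settings among the directives the thread discusses.
    Fallback values are the permissive defaults sshd of that era applied when
    a directive was absent."""
    findings = []
    if conf.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (guessing still possible)")
    if "1" in conf.get("protocol", "2,1").split(","):
        findings.append("Protocol 1 still enabled")
    if "allowusers" not in conf:
        findings.append("no AllowUsers restriction")
    return findings


def users_outside_allowlist(by_user, conf):
    """Attempted usernames that AllowUsers would reject before any password check."""
    allowed = set(conf.get("allowusers", "").split())
    return sorted(u for u in by_user if u not in allowed)


if __name__ == "__main__":
    by_src, by_user, accepted = summarize_ssh_log(SAMPLE_LOG)
    print("noisy sources:", flag_sources(by_src))
    print("accepted logins:", accepted)
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        conf = parse_sshd_config(cfg)
        print(label, "findings:", audit_sshd_config(conf))
        print(label, "guessed users outside AllowUsers:", users_outside_allowlist(by_user, conf))
```

With password authentication left on, the per-source count is what you would feed into firewall rules; with it off and AllowUsers in place, the same guesses still show up in the log but can no longer succeed, which is the point of the advice in the thread.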




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org