[wellylug] Think I've had a server hacked
Ewen McNeill
wellylug at ewen.mcneill.gen.nz
Wed Oct 26 16:55:52 NZDT 2005
In message <op.sy8etnkglmkomu at laptop5>, "Jim Cheetham" writes:
>Don't bother obscuring the ssh port, but do ban password logins, and
>restrict the valid users to yourself and definitely ban root logins.
You don't run servers on the Internet much, do you? :-)
There are _constant_ (dozens/hundreds of attempts each day) ssh password
guessing attempts, from owned hosts around the world, every day, to
every system on the Internet with the ssh service listening on port 22.
I'd highly recommend firewalling the ssh service down to only allow
connections from trusted hosts. If nothing else it makes your logs much
more readable. If that isn't possible, then moving the ssh port to
another port (preferably not the "obvious" alternatives) can definitely
help keep you away from the current batch of automated login attempts.
Choosing good passwords, and if appropriate not allowing password logins
at all, are obviously also very useful.
FWIW, I'd also second (third?) the recommendation to rebuild the machine.
Given how old the Redhat install was (7.2 is nearly 2 years out of
official support, and about 18 months out of unofficial support), a
reinstall with a newer OS is definitely in order.
Ewen
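
An added example, not part of the original message: a small Python check that reads sshd_config text and reports which of the settings recommended in this thread (no password logins, no root logins, a restricted user list, port 22 exposure) are missing. The sample configuration and the function names are constructed for illustration; `Match` blocks are out of scope.

```python
# Added example: audit sshd_config text against the advice in this thread.
SAMPLE_CONFIG = """\
# constructed sample, not taken from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
"""

def effective_settings(text):
    """Return global keyword -> value; sshd uses the first value it obtains."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()              # keywords are case-insensitive
        if key == "match":                  # conditional blocks are not audited here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "port":                   # Port may be given several times
            settings.setdefault("port", []).append(value)
        else:
            settings.setdefault(key, value)  # a later duplicate is ignored
    return settings

def audit(text):
    """Return a list of findings; an empty list means all four checks passed."""
    s = effective_settings(text)
    findings = []
    if s.get("passwordauthentication", "").lower() != "no":
        findings.append("password logins are not explicitly disabled")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("root logins are not explicitly banned")
    if "allowusers" not in s:
        findings.append("no AllowUsers list restricts who may log in")
    if "22" in s.get("port", ["22"]):
        findings.append("sshd listens on port 22 (firewall it to trusted hosts or move it)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

The check only reads the file; whether port 22 is actually reachable from untrusted hosts still depends on the firewall rules in front of it.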