I port translate SSH and direct forward to a single box which I can use to get to the rest of my network. I only allow access from my home network and my company network. I can VPN into my company if I need to get home while on the road.

I do like password authentication because I often have to call someone (like my wife or my most trusted co-worker) and walk them through a connection when I need information and do not have network access. It is easy to change a password; it is harder to FedEx a thumb drive from the middle of the outback.

On my Windows boxes I eliminate brute force attacks by having it lock out any account for 2 seconds after a wrong password and 15 minutes after 10 wrong passwords. But I don't know how to configure this on Linux?

________________________________
From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Jon M. Hanson
Sent: Thursday, February 22, 2007 9:43 PM
To: Main PLUG discussion list
Subject: Re: Got hacked?

Darrin Chandler wrote:
> On Thu, Feb 22, 2007 at 09:15:27PM -0700, Jim wrote:
>> Last night I came home from work and sat down at the computer. I noticed the lights on the DSL router were blinking very rapidly. I have an ftp server running on my Linux box (Slackware 10.2). So I thought someone might have been uploading something. Ftpwho showed no users logged in. I checked the incoming directory and saw nothing there. Tcpdump showed me that they were sending something using ssh. I used find to look for anything they might have been uploading, but found nothing.
>>
>> /var/log/syslog contained the following over and over for about 4 hours before I got home:
>>
>> Feb 22 20:43:56 ladmo smbd[6375]: [2007/02/22 20:43:56, 0] printing/print_cups.c:cups_cache_reload(85)
>> Feb 22 20:43:56 ladmo smbd[6375]: Unable to connect to CUPS server localhost - Connection refused
>>
>> Then I found in /var/log/syslog this over and over:
>>
>> Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER
>>
>> I stopped sshd and edited /etc/sshd_config by adding the following:
>>
>> AllowUsers root jim
>> AllowGroups root
>>
>> To test the change, I tried to log into the server via ssh using another account. It wouldn't let me log in using that other account via ssh. I also tried find / -mmin 1200 -size +100k and without the size option, but found nothing from the time this was going on.
>>
>> After all this I tried to send an email, but sendmail wasn't working. I backed up my sendmail config files, uninstalled sendmail, reinstalled it and restored the config files. Sendmail worked after that.
>>
>> Is there anything else I should do? Look for rootkits? Reinstall?
>
> Stop all services that you don't actively use. For the remainder, consider restricting them to your local network (CUPS, etc). If you have a home network, consider plugging your DSL modem directly into one PC and using that as a firewall machine. Yes, you can also use it as a desktop if you need.
>
> Is there a compelling reason you need password authentication for ssh? It's very easy to generate public keys and use those. You can even keep one on a thumb drive to use if you have to. Then turn OFF password authentication (PasswordAuthentication no) in your sshd_config.

I'm guessing they got in through some kind of guest account you have set up (but maybe didn't know about) or another common account name with a weak password. I constantly watch my system logs and several times a week I'll get a ton of attempts to try to brute force passwords to various accounts through SSH.

-- 
Jon M. Hanson (N7ZVJ)
Homepage: http://the-hansons-az.net
Weblog: http://the-hansons-az.net/wordpress
Jabber IM: jon@the-hansons-az.net
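Two things in this thread lend themselves to a worked example: Jon's habit of watching the logs for SSH password-guessing, and the first poster's question of how to get a Windows-style "10 wrong passwords, 15 minute lockout" on Linux. The Python script below is an added example, not code from anyone in the thread. It parses syslog-style sshd lines (the exact "Could not get shadow information for NOUSER" error Jim saw, plus the usual OpenSSH "Failed password for ... from <ip>" wording, which is assumed here), counts failures per source address and per guessed account, and applies a lockout policy with the thread's numbers as defaults. The log lines it runs on are constructed for the example. It is an analyzer, not an enforcement point: on a real box the block would be enforced at the PAM layer or by firewall rules driven by a log watcher such as fail2ban, and this script shows the counting and windowing logic such tools implement.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message shapes. NOUSER_RE is the exact error from Jim's syslog (it carries no
# source address, so it is only a global signal). FAILED_RE is the usual OpenSSH
# "Failed password" line, assumed here as the typical wording; it carries the
# guessed user name and the source address.
NOUSER_RE = re.compile(r"sshd\[\d+\]: error: Could not get shadow information for NOUSER")
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_syslog_time(stamp, year=2007):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class LockoutPolicy:
    """Per-source lockout: `threshold` failures within `window` block the source
    for `lockout`. Defaults mirror the Windows policy described in the thread
    (10 wrong passwords -> 15 minute lockout)."""

    def __init__(self, threshold=10, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=15)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.recent = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}            # ip -> datetime the block expires

    def is_locked(self, ip, when):
        until = self.locked_until.get(ip)
        return until is not None and when < until

    def record_failure(self, ip, when):
        """Return True if this failure triggers a lockout."""
        kept = [t for t in self.recent[ip] if when - t <= self.window]
        kept.append(when)
        self.recent[ip] = kept
        if len(kept) >= self.threshold:
            self.locked_until[ip] = when + self.lockout
            self.recent[ip] = []          # start a fresh count after the block
            return True
        return False


def analyze(lines, policy=None):
    """Run the log lines through the policy and return a summary report."""
    policy = policy or LockoutPolicy()
    report = {
        "nouser_errors": 0,                          # probes of nonexistent accounts
        "failures_by_ip": defaultdict(int),
        "invalid_users": set(),                      # account names that do not exist
        "attempts_while_locked": defaultdict(int),   # guesses made during a block
        "locked_until": {},
    }
    for line in lines:
        if NOUSER_RE.search(line):
            report["nouser_errors"] += 1
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue
        when, ip = parse_syslog_time(m["ts"]), m["ip"]
        if m["invalid"]:
            report["invalid_users"].add(m["user"])
        if policy.is_locked(ip, when):
            report["attempts_while_locked"][ip] += 1
            continue
        report["failures_by_ip"][ip] += 1
        if policy.record_failure(ip, when):
            report["locked_until"][ip] = when + policy.lockout
    return report


def build_sample_log():
    """Constructed lines for the example, in the format of Jim's syslog."""
    lines = ["Feb 21 22:11:14 ladmo sshd[26255]: error: Could not get shadow information for NOUSER"]
    names = ["admin", "test", "guest", "oracle", "root"]
    base = datetime(2007, 2, 21, 22, 11, 20)
    for i in range(12):   # one source, twelve guesses five seconds apart
        t = base + timedelta(seconds=5 * i)
        user = names[i % len(names)]
        tag = "" if user == "root" else "invalid user "
        lines.append(f"{t.strftime('%b %d %H:%M:%S')} ladmo sshd[{26300 + i}]: "
                     f"Failed password for {tag}{user} from 192.0.2.10 port {40000 + i} ssh2")
    for i in range(2):    # a second source with two failures: stays below the threshold
        t = base + timedelta(minutes=1, seconds=i)
        lines.append(f"{t.strftime('%b %d %H:%M:%S')} ladmo sshd[{26400 + i}]: "
                     f"Failed password for jim from 198.51.100.7 port {41000 + i} ssh2")
    return lines


if __name__ == "__main__":
    r = analyze(build_sample_log())
    print(f"NOUSER errors: {r['nouser_errors']}; nonexistent accounts tried: {sorted(r['invalid_users'])}")
    for ip, n in r["failures_by_ip"].items():
        state = f"locked until {r['locked_until'][ip]}" if ip in r["locked_until"] else "not locked"
        print(f"{ip}: {n} failures, {state}, {r['attempts_while_locked'][ip]} attempts while locked")
```

With the sample log, the scanner at 192.0.2.10 hits the threshold on its tenth guess and is blocked until 15 minutes later; its last two guesses land inside the block and are reported separately, which is the signal that the block is doing work. The second source never reaches the threshold. Feeding it a real syslog is a matter of replacing build_sample_log() with the file's lines and passing the right year to parse_syslog_time.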