Re: newbie question: if sshd reports a few hundred invalid attempted logins, is that a hacker?
- From: "Jake Barnes" <lkrubner@xxxxxxxxxxxxx>
- Date: 1 Jul 2006 15:48:53 -0700
Moe Trin wrote:
> On 24 Jun 2006, in the Usenet newsgroup comp.unix.questions, in article
> <1151194918.615104.129530@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Jake Barnes wrote:
>> I'm a total beginner with Linux. I've been playing around with it for a
>> few weeks, learning some things. While logged in as root,
> Try to avoid being logged in as root. You can always use 'su -' to become
> root for the few things where you must be root. Ignoring the potential
> security hazard, *nix believes that root knows what root is doing, and
> the system will do exactly what you tell it to do - which may very well
> NOT be exactly what you planned or hoped for.
Thanks much. For now, I'm logged in as root a lot because I'm trying to
customize my machine. Customizing seems like a good way to learn the
machine. Back in the 1990s, I learned the Mac OS and then Windows in
part by customizing the machine.
I don't yet have valuable information on this machine, so there isn't
much that can go wrong if I destroy it or if it gets hacked.
> Your distribution should have configured your Mail Transfer Agent (you
> don't identify the distribution - could be sendmail, postfix, exim, or
> even qmail) to forward mail to root to a specific user. For sendmail,
> this is set in /etc/aliases
My distribution is Red Hat EL 3. When I run "ps -A" I see an instance
of sendmail.
> 2. Do you really need your port 22 open to the entire world? or can you
> narrow it down a lot.
> 3. Consider "Security By Obscurity" and move your SSH daemon to a less
> obvious port - some random number like
> [compton ~]$ ls -lrt | tail -4 | head -1 | awk '{print $5}'
> 2273
> [compton ~]$
I can't figure out what the above means, especially the bit with awk.
> 4. Run the command 'netstat -tuan' and see what is actually open on your
> system. As a newbie, you _REALLY_ don't want everything flapping in the
> breeze. There are a number of HOWTOs that should have been installed on
> your system - probably in /usr/share/HOWTO/ that can help buttoning down
> your system.
I ran netstat -tuan:
[root@localhost mnt 15:43:08]# netstat -tuan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:13 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 127.0.0.1:32770 ESTABLISHED
tcp 0 0 192.168.1.2:32978 64.233.167.99:80 ESTABLISHED
tcp 0 0 192.168.1.2:32979 64.233.167.99:80 ESTABLISHED
tcp 0 0 192.168.1.2:32912 65.17.201.138:80 TIME_WAIT
tcp 0 0 192.168.1.2:32994 68.142.213.135:80 TIME_WAIT
tcp 0 0 192.168.1.2:32993 68.142.213.135:80 TIME_WAIT
tcp 0 0 192.168.1.2:32990 68.142.213.135:80 TIME_WAIT
tcp 0 0 192.168.1.2:32989 68.142.213.135:80 TIME_WAIT
tcp 0 0 192.168.1.2:32909 209.18.34.39:80 TIME_WAIT
tcp 0 0 192.168.1.2:32972 209.18.34.38:80 ESTABLISHED
tcp 0 0 192.168.1.2:32973 209.18.34.38:80 ESTABLISHED
tcp 0 0 127.0.0.1:32770 127.0.0.1:631 ESTABLISHED
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 192.168.1.2:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.2:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:814 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 192.168.1.2:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
> 5. Point your browser at the newsgroup comp.os.linux.security for a lot
> more assistance. This happens all the time. Do understand that it would be
> very helpful if you identified which of the 350+ Linux distributions you
> are using. Also see that your system is up-to-date. Most popular
> distributions today come with automated tools to help keep the systems
> current.
Thanks for all the help. Apparently Red Hat Enterprise 3 does not come
with yum installed. I tried to get it installed, but I ran into
"dependency hell". It needed other packages that I did not have. It got
complicated and I got frustrated. Do you know of a place where I could
get it and all of its dependencies?
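Added example (not part of the thread, not code from either poster): a small shell function that reads 'netstat -tuan' output and sorts the listening sockets into those bound to every interface (0.0.0.0 or ::, reachable from the network unless a firewall blocks them) and those bound only to loopback (127.0.0.1 or ::1, reachable from the machine itself). This is the check behind item 4 above. It uses the same awk field-selection idiom as the quoted pipeline: awk splits each line on whitespace and $N names the Nth field, so '{print $5}' in the quoted command prints the file-size column of 'ls -l', and here $4 and $6 are netstat's Local Address and State columns. The sample input is a constructed, abbreviated copy of the netstat output in this post plus one constructed tcp6 line, so the example runs offline; on a real system replace the sample with the live command as shown in the usage comment. The example assumes the Local Address column is "addr:port" with the port after the last colon, which is how netstat prints it.

```shell
#!/bin/sh
# Added example: classify listening sockets in 'netstat -tuan' output by exposure.

# Constructed sample input: abbreviated from the post's netstat output, plus one
# constructed IPv6 listener (tcp6 :::22) so the IPv6 wildcard case is covered.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:32978       64.233.167.99:80        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# listeners world  -> sockets bound to every interface
# listeners local  -> sockets bound only to loopback
# Reads netstat -tuan output on stdin and prints "proto port" per listener.
listeners() {
    awk -v scope="$1" '
        # A listener is a TCP socket in LISTEN state, or a bound UDP socket
        # (UDP lines have no State column; a wildcard foreign address marks them).
        function is_listener() {
            return ($1 ~ /^tcp/ && $6 == "LISTEN") ||
                   ($1 ~ /^udp/ && ($5 == "0.0.0.0:*" || $5 == ":::*"))
        }
        is_listener() {
            # Split "addr:port" at the last colon so "::" style addresses work.
            n = match($4, /:[0-9]+$/)
            addr = substr($4, 1, n - 1)
            port = substr($4, n + 1)
            world = (addr == "0.0.0.0" || addr == "::")
            lo    = (addr == "127.0.0.1" || addr == "::1")
            if ((scope == "world" && world) || (scope == "local" && lo))
                print $1, port
        }
    '
}

# Counts used by the demo below (and handy for a quick "did anything change?" check).
count_world() { printf '%s\n' "$SAMPLE_NETSTAT" | listeners world | wc -l | tr -d ' '; }
count_local() { printf '%s\n' "$SAMPLE_NETSTAT" | listeners local | wc -l | tr -d ' '; }

# Demo on the constructed sample. On a live system use:  netstat -tuan | listeners world
echo "Bound on every interface ($(count_world) sockets):"
printf '%s\n' "$SAMPLE_NETSTAT" | listeners world
echo "Bound only to loopback ($(count_local) sockets):"
printf '%s\n' "$SAMPLE_NETSTAT" | listeners local
```

On the post's full output the "world" list is what matters for item 2 above: every service in it (printer, time, SNMP, SMB, X11, web, FTP, SSH, portmapper) answers to any host that can reach the box, while sendmail and CUPS, bound to 127.0.0.1, do not. ESTABLISHED and TIME_WAIT lines are connections the machine made outward and are deliberately ignored.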