[Leaplist] Server break-in attempt through NAGIOS user
John Kramer
jakramer at ascenditsolutions.com
Thu Sep 6 19:47:56 EDT 2007
Three quick points:
1) I use the sshd_config "AllowUsers" option to define which users can log
in via ssh. None of the "common/typical" users are in this list. I'll log in
on a non-common account and then su to the standard account if needed.
2) I use the sshd_config "Port" option to something other than port 22.
This significantly reduced the number of ssh script attacks that I was
seeing. Obviously someone can still find the port if they're interested, but
let's not make it too easy.
3) Finally, I use the hosts.allow "sshd" option to specify what IP addresses
can connect via ssh.
A longer point: I'm in the initial phase of a first time setup of nagios so
am still sorting through its configuration. The rpm install sets up the
nagios user account with a nologin shell - good to prevent breakins as
posted. However, I do see an error message when I start nagios but otherwise
it seems to run somewhat ok other than crashing after running a number of
days. Any pointers/suggestions/thoughts about the rpm are appreciated.
_____
From: leaplist-bounces at leap-cf.org [mailto:leaplist-bounces at leap-cf.org] On
Behalf Of David Simmons
Sent: Thursday, September 06, 2007 6:29 PM
To: leaplist at leap-cf.org
Subject: Re: [Leaplist] Server break-in attempt through NAGIOS user
> Logging in via what program? SSH? Web interface?
ssh.....I logged into the server....did a 'user' and saw that nagios was
logged in..when I did a ps aux, the nagios user had about 50 sshd sessions
running!
I looked briefly through the files - and it was
basically doing port scans/login attempts to other machines.....still
researching what it's 'ultimate' goal was?!
- Dave
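The three sshd settings John lists above (AllowUsers, a non-default Port, and an sshd line in hosts.allow), checked by a small audit script. This is an added example, not code from the thread or from the nagios rpm; the sample sshd_config and hosts.allow files it writes are constructed, and the list of "commonly guessed" account names is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread: audit an sshd_config and a
# hosts.allow against the three points above. Exit status 0 means all pass.
# sshd uses the first value it sees for a keyword, so take the first
# uncommented match (comment lines start with '#', so $1 never equals the key).
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" 'tolower($1)==tolower(k) {sub(/^[ \t]*[^ \t]+[ \t]+/,""); print; exit}' "$1"
}

audit_sshd() {  # $1 = sshd_config path, $2 = hosts.allow path
    fails=0
    # 1) AllowUsers must be set, and must not contain commonly guessed names
    #    (this list of names is an assumption made for the example).
    allow=$(sshd_value "$1" AllowUsers)
    [ -n "$allow" ] || { echo "FAIL: AllowUsers not set"; fails=$((fails+1)); }
    for u in $allow; do
        case "$u" in root|admin|nagios|test|guest|oracle|postgres|mysql)
            echo "FAIL: AllowUsers lists commonly guessed account '$u'"; fails=$((fails+1));;
        esac
    done
    # 2) Port should not be the default; an absent Port line also means 22.
    port=$(sshd_value "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: sshd on default port 22"; fails=$((fails+1))
    fi
    # 3) hosts.allow needs an 'sshd:' line naming specific clients, not ALL.
    #    (Colon-separated fields, so IPv6 client lists are not handled here.)
    clients=$(awk -F: 'tolower($1) ~ /^[ \t]*sshd[ \t]*$/ {print $2; exit}' "$2" | tr ',' ' ')
    [ -n "$clients" ] || { echo "FAIL: no sshd entry in hosts.allow"; fails=$((fails+1)); }
    for c in $clients; do
        [ "$c" = "ALL" ] && { echo "FAIL: hosts.allow lets ALL hosts reach sshd"; fails=$((fails+1)); }
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not from any real host) so this runs offline.
make_samples() {  # prints the directory holding the samples
    d=$(mktemp -d)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$d/sshd_config.weak"
    printf '%s\n' 'sshd: ALL' > "$d/hosts.allow.weak"
    printf '%s\n' 'Port 2299' 'AllowUsers jkr8 opsuser' 'PermitRootLogin no' > "$d/sshd_config.hard"
    printf '%s\n' 'sshd: 192.0.2.10, 198.51.100.0/24' > "$d/hosts.allow.hard"
    echo "$d"
}
dir=$(make_samples)
for v in weak hard; do
    echo "== $v config =="
    audit_sshd "$dir/sshd_config.$v" "$dir/hosts.allow.$v" && echo "PASS"
done
```

Run it as root against the real files (`audit_sshd /etc/ssh/sshd_config /etc/hosts.allow`) to see which of the three points a host is missing; it only reads the files and changes nothing.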