a web-facing box (on a DMZ) i'm responsible for has recently shown
increased traffic: lighting up my adsl router.
the volumes are not large, but rather constant and its seems to be
evenly split incomming/outgoing. It appears to be on port 22, which,
along with port 80, are the only two ports forwarded from the firewall.
I believe its on port 22 as when i close that port on the f/w the
activity stops.
I have to allow ssh access to *one* remote user to admin the website.
I've checked with the remote user and her activity pattern/timing
doesn't fit the traffic i'm seeing.
the distro is suse 9.3, patched monthly.
With this in mind i had a look around the box, and found something i
think is odd:
all the files in /etc/pam.d are dated back to 2005 except for
/etc/pam.d/sshd
> #%PAM-1.0
> auth include common-auth
> auth required pam_nologin.so
> account include common-account
> password include common-password
> session include common-session
> # Enable the following line to get resmgr support for
> # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> #session optional pam_resmgr.so fake_ttyname
which is dated Nov. 10 2006
I haven't been near that box since October.
Is this likely to be caused by the regular automated online updates or
has someone been sneaking around in here?
I really don't want to tear it all down and start again
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
