LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] sshd

[ILUG] sshd

Justin Mason jm at jmason.org
Thu Nov 23 14:16:27 GMT 2006 

Keith Hyland writes:
> a web-facing box (on a DMZ) i'm responsible for has recently shown 
> increased traffic:  lighting up my adsl router.
> 
> the volumes are not large, but rather constant and its seems to be 
> evenly split incomming/outgoing.  It appears to be on port 22, which, 
> along with port 80, are the only two ports forwarded from the firewall.
> 
> I believe its on port 22 as when i close that port on the f/w the 
> activity stops.
> 
> I have to allow ssh access to *one* remote user to admin the website.
> 
> I've checked with the remote user and her activity pattern/timing 
> doesn't fit the traffic i'm seeing.
> 
> the distro  is suse 9.3, patched monthly.
> 
> With this in mind i had a look around the box, and found something i 
> think is odd:
> 
> all the files in /etc/pam.d are dated back to 2005   except for 
> /etc/pam.d/sshd
> 
> > #%PAM-1.0
> > auth     include        common-auth
> > auth     required       pam_nologin.so
> > account  include        common-account
> > password include        common-password
> > session  include        common-session

so far so good.

> > # Enable the following line to get resmgr support for
> > # ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
> > #session  optional      pam_resmgr.so fake_ttyname

No sign of this one on my Ubuntu edgy box or our debian server...
could be a SuSEism though.  going by google, it seems ok.

You may want to edit /etc/ssh/sshd_config and turn off password
logins (require keys), and add an "AllowUsers" line for that
one user you want to permit.  See "man sshd_config".

--j.

> which is dated Nov. 10 2006
> 
> I haven't been near that box since October.
> 
> Is this likely to be caused by the regular automated online updates or 
> has someone been sneaking around in here?
> 
> I really don't want to tear it all down and start again
> 
> 
> -- 
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell