
07-16-2008, 10:43 AM
Re: intrusion? "Johannes Beekhuizen" writes:
>Hello,
>On Wednesday 16 July 2008 gtu2003@alice.it wrote to All:
> gt> In my /var/log/messages I have a lot (6000+) of:
> gt> Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from
> gt> what is it? I need to write to something like abuse@72.3.243.92
> gt> ?
>Obviously somebody is trying to force an ssh login on your machine, no
>doubt with the purpose of doing something nasty.
>Disconnect your system from the internet immediately, at once and now
>until you are ready!
And "ready" means what? How should he be "ready"? He cannot prevent such
sshd attacks. They are common.
>I doubt if writing to abuse@72.3.243.92 will have any effect. Most
>likely he is the same as the culprit.
>Check your log files to see if anybody got in already.
>Run a rootkit checker to see if any harm was done. If there was any,
>best format that partition and do a fresh install. Don't use your
>backups, because you don't know if they have been infected.
>Switch off your sshd server if you don't really need it.
>In the /etc/hosts.deny put a line like
>ALL: ALL
>to stop access to all services for everybody.
>Put a line in /etc/hosts.allow like
>ALL: 192.168.178.0/255.255.255.0, 127.0.0.0/255.0.0.0
>to allow for addresses on your local network (obviously you have to
>put your own addresses there).
>Add lines to your iptables like
>iptables -A INPUT -p tcp --dport 22 -j DROP
>iptables -A INPUT -p udp --dport 22 -j DROP
>to stop all external access to tcp and udp ports 22 (ssh).
>When you're satisfied that everything is all right, connect to the
>internet again.
And if he actually needs ssh? This is just silly advice in general. ssh is
one of the most secure ways of connecting in to a machine. IF he never
intends to connect in from outside, then of course switch off ssh. But if
he ever travels, that is a bad idea.
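The thread's first step, "check your log files", is easier with 6000+ entries if the `Invalid user ... from` lines are aggregated per source address. The following Python script is an added example (not code from either poster) that parses sshd lines of the format quoted above, counts attempts and distinct usernames per source, and flags sources at or above an assumed threshold of 5 attempts; the log lines and the 192.0.2.0/24 addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line format quoted in the thread, e.g.
#   Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 192.0.2.10
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)

def parse_invalid_user_lines(lines):
    """Yield (source_ip, username) for every 'Invalid user' line; skip everything else."""
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user")

def summarize(lines, threshold=5):
    """Count attempts and distinct usernames per source; flag sources at/above threshold.

    The threshold of 5 is an assumed value for this example, not from the thread.
    """
    attempts = Counter()
    users = defaultdict(set)
    for ip, user in parse_invalid_user_lines(lines):
        attempts[ip] += 1
        users[ip].add(user)
    report = {ip: {"attempts": n, "usernames": sorted(users[ip])}
              for ip, n in attempts.items()}
    flagged = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return report, flagged

# Constructed sample log (RFC 5737 documentation addresses); not real data.
SAMPLE_LOG = """\
Jul 16 12:51:20 sole sshd[6669]: Invalid user clamav from 192.0.2.10
Jul 16 12:51:22 sole sshd[6671]: Invalid user admin from 192.0.2.10
Jul 16 12:51:24 sole sshd[6673]: Invalid user test from 192.0.2.10
Jul 16 12:51:26 sole sshd[6675]: Invalid user oracle from 192.0.2.10
Jul 16 12:51:28 sole sshd[6677]: Invalid user postgres from 192.0.2.10
Jul 16 12:52:01 sole sshd[6680]: Invalid user bob from 192.0.2.77
Jul 16 12:52:05 sole sshd[6682]: Accepted publickey for alice from 192.168.178.5 port 51234 ssh2
Jul 16 12:53:00 sole CRON[6690]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    report, flagged = summarize(SAMPLE_LOG)
    for ip, info in sorted(report.items()):
        print(f"{ip}: {info['attempts']} attempts, usernames={info['usernames']}")
    print("sources at/above threshold:", flagged)
```

On a real system, replace `SAMPLE_LOG` with the lines of /var/log/messages; the flagged list is what you would feed into hosts.deny or an iptables rule, as the quoted reply suggests.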