Additions:
==centos==
restart sshd
==ubuntu==
restart ssh (not sshd)
# /etc/init.d/ssh restart
log out and check you cannot directly
$ ssh root@yourhost
Deletions:
Additions:
then ssh in as a non root user
$ su -
# /sbin/service sshd restart
log out and check you cannot directly %%ssh root@yourhost%%!
Additions:
== check for attacks ==
create whos-attacked-me-recently.sh
#
grep -E "error|invalid" /var/log/secure | tail -30 > "secure$(date +%y%m%d).log"
sample attacks output
Apr 28 12:08:50 net sshd[20494]: input_userauth_request: invalid user tester
Apr 28 12:08:50 net sshd[20493]: pam_succeed_if(sshd:auth): error retrieving information about user tester
Apr 28 12:08:52 net sshd[20493]: Failed password for invalid user tester from 10.10.10.10 port 39509 ssh2
Apr 28 12:08:53 net sshd[20496]: input_userauth_request: invalid user ftpuser
Apr 28 12:08:53 net sshd[20495]: pam_succeed_if(sshd:auth): error retrieving information about user ftpuser
Apr 28 12:08:56 net sshd[20495]: Failed password for invalid user ftpuser from 10.10.10.10 port 39836 ssh2
Apr 28 12:08:57 net sshd[20499]: input_userauth_request: invalid user testuser
Apr 28 12:08:57 net sshd[20498]: pam_succeed_if(sshd:auth): error retrieving information about user testuser
Apr 28 12:08:59 net sshd[20498]: Failed password for invalid user testuser from 10.10.10.10 port 40184 ssh2
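The check above, taken one step further as an added example that is not part of the original wiki page: it counts failed password attempts per source address from sshd lines in the format of the sample output. The function names and the extra `root` line from `10.10.10.11` are constructed for illustration.

```sh
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# sample_log and failed_by_source are names made up for this example.

# Constructed sample: sshd lines in the format of the sample output above,
# plus one constructed line for an existing account from a second address.
sample_log() {
cat <<'EOF'
Apr 28 12:08:50 net sshd[20494]: input_userauth_request: invalid user tester
Apr 28 12:08:52 net sshd[20493]: Failed password for invalid user tester from 10.10.10.10 port 39509 ssh2
Apr 28 12:08:56 net sshd[20495]: Failed password for invalid user ftpuser from 10.10.10.10 port 39836 ssh2
Apr 28 12:08:59 net sshd[20498]: Failed password for invalid user testuser from 10.10.10.10 port 40184 ssh2
Apr 28 12:09:03 net sshd[20501]: Failed password for root from 10.10.10.11 port 40512 ssh2
EOF
}

# Reads sshd log lines on stdin and prints "<attempts> <source> <users>",
# busiest source first.
failed_by_source() {
  awk '
    / sshd\[[0-9]+\]: Failed password for / && / from [^ ]+ port [0-9]+ ssh2$/ {
      # The username is chosen by the client and may contain spaces or the
      # word "from", so take the address by position from the end of the line.
      src = $(NF - 3)
      marker = "]: Failed password for "
      user = substr($0, index($0, marker) + length(marker))
      sub(/^invalid user /, "", user)
      sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
      count[src]++
      if (!((src, user) in seen)) {
        seen[src, user] = 1
        users[src] = users[src] (users[src] == "" ? "" : ",") user
      }
    }
    END { for (s in count) print count[s], s, users[s] }
  ' | sort -k1,1nr -k2,2
}

# On CentOS: failed_by_source < /var/log/secure
sample_log | failed_by_source
```

A source that cycles through many usernames in a few seconds, as `10.10.10.10` does in the sample, is the pattern to look for in the output.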
Additions:
so create a user account (that can "su -" on centos or has "sudo -i" rights on ubuntu) and disable root ssh
edit /etc/ssh/sshd_config and add / uncomment the following line