I have a server box behind my ISP router at home, and I need to allow ssh access to my server. My ISP router doesn't let me allow selectively ssh from some IP. It allows ssh to everyone.
I have fedora10 and openssh-server-5.1p1-3. How can I configure openssh to allow just from 1 IP?
Does it use xinetd at all and the hosts.allow and .deny mechanism?
I know this is probably easy and if I only took a while to figure it out maybe I could but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything daemons/scripts or cron itl works as I am not running a production server (but I might be starting that soon). Oh and just a side how do I get sent an email when I get port scanned
View 6 Replies View RelatedHow can I set up snort to only log and detect/capture logins using root or any of the "homeusers" login accounts or names?
View 9 Replies View RelatedI have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log.From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?
Code:
Oct 23 20:01:49 muon sshd[24329]: User root from 201.116.17.163 not allowed because not listed in AllowUsers
[code]...
I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:
Mar 22 14:52:53 UbuntuSvr sshd[2397]: Invalid user support from 85.217.190.69
Mar 22 14:52:55 UbuntuSvr sshd[2399]: Invalid user student from 85.217.190.69
Mar 22 14:52:57 UbuntuSvr sshd[2401]: Invalid user transfer from 85.217.190.69
Mar 22 14:52:59 UbuntuSvr sshd[2403]: Invalid user user from 85.217.190.69
[Code]...
Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.
I'm trying to lock an account after a number of failed login attempts in a RHEL5.
This is the relevant configuration in /etc/pam.d/system-auth
In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked
Do I need any other option in the PAM file? Is there any other way to lock an account?
I want to count the failure root login attempts so that do an action when the user faild to login as root for three consecutive times (like log a line in syslog).
View 4 Replies View RelatedI'd like to limit login attempts for specific user. I've found information in manpages: [URL]but I'm not sure if this '@' is purposly there, so would be that correct?
Code:
aparaho - maxlogins 4
or
Code:
@aparaho - maxlogins 4
Maybe '@' is a group syntax? I'm confused.
What happens after 4 failed loggins? Is it enough to restart system to get another login attempts?
Are there any other values that it is reasonable to limit for safety reasons?
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
[code]...
Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts tp login ?
View 1 Replies View RelatedI am using denyhosts on a server so in a config file/etc/denyhosts.confthe following value is setQuote:DENY_THRESHOLD_INVALID = 3which as per their configuration file saysQuote:
DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
[code]...
how to prevent the execution of the following commands or how to set a policy or rule that prevents the execution of the following malicious commands
dd if=/dev/zero of=/dev/sda
rm -rf /
After visiting (and being booted from) pclinuxos.com's forum, I am getting the following error message on my system:Could not grab your mouse. A malicious client may be eavesdropping on your session or you may have just clicked a menu or some application just decided to get focus. Try again. I get this if I try to launch Unetbootin, Synaptic, Firewall... Did they put something into my puter? Or is some stuff simply broken after the latest update?
View 3 Replies View RelatedA computer security researcher has released a plugin for Firefox that provides a wealth of data on Web sites that may have been compromised with malicious code.
The plugin, called Fireshark, was released on Wednesday at the Black Hat conference. The open-source free tool is designed to address the shortcomings in other programs used to analyze malicious Web sites, said Stephan Chenette, a principal security researcher at Websense, which lets Chenette develop Fireshark in the course of his job.
How do I limit the max login attempts in the sshd_config file? I found a way to do it on Google some time back but I can't find it now. I have Denyhost already, but I really wanna do the "MAx Login Attempts" what ever it was that I was able to do in the config file.
View 2 Replies View RelatedHow can failed user attempts logs can be seen.
Also why /etc/login.defs file is used ?
Does anyone know if vsftpd logs successful and failed logon attempts anywhere? I grep'd my /var/log directory and didnt find anything. or if it can, do you know how to enable it?
View 12 Replies View RelatedI'm running the firestarter firewall and its been showing the odd ssh attempt quite often. e.g. I've had 4 attempts today, 3 in the last 40mins. I realize that this may be nothing to serious but it's got me curious, aside from having a secure password (which I have) is there anything that else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
View 9 Replies View RelatedI run SSH on a publicly open server and see following attempts in /var/log/auth.log which I was told by some one could be port scanning attempts.(Not sure though)
Code:
Nov 18 23:50:19 server sshd[21716]: Did not receive identification string from 186.0.80.197
Nov 19 00:05:57 server sshd[24056]: Did not receive identification string from 85.108.110.66
How can I block above such attempts?
How does one unlock an account when it is locked by too many failed attempts for login?
View 1 Replies View RelatedSomehow an app on this box seems to have disappeared long ago which was configured to start immediatedly with a root login (eg su). Now, whenever upgrading permissions to root or logging (and assuming login as root), an error displays saying "cannot find <application>"
Considering root usually is different than other logins, am not sure where to start looking on an OpenSuSE box. I've tried without success
BASH -v to enable verbose mode before executing a "su."
BASH --debugger to enable debugging mode before executing a "su."
Logout, Login as root and inspect /var/log/ hoping to find some logfile that audits the login sequence, but may be looking at a wrong logfile.
I think someone has been in my apartment when I'm at work and attempted to login to my computer.
Rather than searching through all the logs, is there any way for Conky to display the last 2 or 3 login attempts?
I'm trying to learn Linux by myself and i have a list of projects. for this project i have to use the grep command to show all failed login's attempts in my machine.
I believe the attempts are saved at /var/share/messages.log but i cannot figure it out.
My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.
I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea of how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. we aren't even in the USA, so why they are doing this is beyond me.
A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2
[code]...
currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. separate non production box).CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module.So far all's running mostly, logs/auditlogs etc.For simple testing, I made a small php form as following:
Code:
<?php
$link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post
[code]...
On my server I some times login from my home where I have an internet connection which does not have a static IP each time I switch on my modem a dynamic IP isgenerated.I see in auth.log logs of following lines Quote:reverse mapping checking getaddrinfo forkkts-kk-dynamic-01.1.168.192.some_broadband.in [192.168.1.2] failed - POSSIBLE BREAK-IN ATTEMPT Accepted publickey for root from 192.168.1.2 port 22852 ssh2when ever I login to my server from home.In this case I do know that it was me who logged in but still why do I see such a log.What is this complaining about?
View 11 Replies View RelatedYesterday I applied the su security patch to my openSuSE 11.2 x86_64 system.After applying the patch, any attempt at su failed, and after rebooting the system earlier this morning any login (root, user, otherwise) fails with a "Permission Denied".Is it possible that the su update somehow messed up my (standard) pam settings?
View 10 Replies View RelatedFor about a week now I've been seeing mass attempts to relay through postfix and login to dovecot from the same 2 addresses, none are successful due to how postfix/dovecot are configured and I wouldn't be overly worried but my isp have picked up on it and are nagging at me
What ways do people go about just dropping connection attempts from offending addresses/ranges when stuff like that happens? An ideal thing would be something that detects repeated failed attempts from a host or range and subsequently ignore/ban them, perhaps for a specified length of time, something along the lines of denyhosts and fail2ban for ssh would be great Don't know if there's anything out there or just a plain tried and trusted method anyone might use for stuff like this, if not a hint on the most appropriate way to go about it 'manually' would do
Having recently gone on an interview with a company that attempted to con me into writing malware for Linux desktops (which made the assumption that javascript and flash were present), I am concerned about this.I have a fresh install of Ubuntu 9.10 desktop x86-64. I wanted to download a free documentary via bit torrent but don't trust bit torrent sites and needed to be able to search for seeds from the client. I installed Vuze (formerly Azureus) from repo. I opened the client and searched for my file and BLAMO!, twenty or so notices came up about me needing an anti-virus, trojans being on computer, etc. Clearly this phishing attempt was directed at a Windows machine, however the behavior of the application is unacceptable. I haven't checked to see if any files were downloaded or nasty tracking cookies created (though I did get one prompt for my password), but I was curious: Is there a place to report potentially malicious or unsound applications in an Ubuntu recognized repo?
View 8 Replies View RelatedYesterday, I updated my system with the latest security update and other software updates. Following the update, I am not able to log into the system after restart.As usual, I was prompted with the login page which looks as per normal. I chose my login id and entered my password. It brings me briefly to my desktop showing only my wallpaper (without any upper and bottom taskbars/panels). Then the screen went blank and the login page appeared again.I entered the login id and password, was shown the desktop wallpaper, screen went blank and the login page appeared. This continues over and over and over. After multiple tries and with some luck, I am able to log in as per normal.What seems to be the problem?
1. How do I check the system for errors?
2. How do I check which update has been updated?
3. Is there any way for me to restore to its original state (I migrated from FC10 to FC11 via yum update)?
The only other change apart from the security update is that I installed wine - which has been uninstalled the moment I was able to re-logged in.I attach the details of my grub.conf file below which I hope could be of some useful info.