From: Subhro <subhro.kar@gmail.com>
To: Odhiambo Washington, FBSD-Q <freebsd-questions@freebsd.org>
Date: Mon, 18 Oct 2004 12:12:26 +0530
Subject: Re: Are these attempts by password crackers??
In-Reply-To: <20041018055122.GB35360@ns2.wananchi.com>

On Mon, 18 Oct 2004 08:51:22 +0300, Odhiambo Washington wrote:
> 1. Is this some virus or some crackers playing around?

Yeh, someone is prolly trying to bruteforce your boxes.

> 2. Why only on 5.2.1 systems and not on any of the 4.10 boxes that I
> also run?

Negative, a couple of my 4.10 boxes also report the same.

> 3. Am I supposed to be worried at all?

Well, I am not ;) You need not worry if you have done these:

1. Set PermitRootLogin to No in sshd_config.
2. Use a public/private keypair for authentication to all the privileged accounts, i.e. the accounts which are members of wheel.
3. Try to avoid accessing foreign services (surfing, IRCing) from privileged accounts.
4. NEVER login as root. Instead su to root as required.
5. Do not include the current directory in $PATH to save the ./ when running a binary from the current directory.
6. Maintain an updated tripwire (or alike) database.
7. Do not run any service which you do not need to.
8. Generate a script to parse log files at regular intervals and add blocks for IPs in the border router which had been trying to bruteforce the box.
9. And last but not the least, do not allow any user a privilege which he/she does not need to have.

Regards
S.

-- 
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India
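Added example, not part of Subhro's message: the log-parsing script from point 8, sketched in Python. It scans sshd syslog lines of the kind FreeBSD writes to /var/log/auth.log, counts failed logins per source address, skips an admin allowlist so you cannot lock yourself out, and renders ipfw deny rules for review rather than applying them. The log lines, hostnames, addresses and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sshd log excerpt in FreeBSD syslog format (not from the original mail).
SAMPLE_LOG = """\
Oct 18 06:12:01 ns2 sshd[1201]: Illegal user test from 192.0.2.10
Oct 18 06:12:02 ns2 sshd[1203]: Illegal user guest from 192.0.2.10
Oct 18 06:12:03 ns2 sshd[1205]: Illegal user admin from 192.0.2.10
Oct 18 06:12:04 ns2 sshd[1207]: Failed password for root from 192.0.2.10 port 4321 ssh2
Oct 18 06:12:05 ns2 sshd[1209]: Failed password for illegal user oracle from 192.0.2.10 port 4322 ssh2
Oct 18 06:15:00 ns2 sshd[1301]: Failed password for wash from 198.51.100.7 port 2222 ssh2
Oct 18 06:15:30 ns2 sshd[1302]: Accepted publickey for wash from 198.51.100.7 port 2223 ssh2
Oct 18 06:16:00 ns2 sshd[1310]: Illegal user test from 203.0.113.5
Oct 18 06:16:01 ns2 sshd[1311]: Illegal user test from 203.0.113.5
Oct 18 06:16:02 ns2 sshd[1312]: Illegal user test from 203.0.113.5
Oct 18 06:16:03 ns2 sshd[1313]: Illegal user test from 203.0.113.5
"""

# Matches both "Illegal user X from IP" and "Failed password for [illegal user] X from IP".
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user \S+|Failed password for (?:illegal user )?\S+)"
    r" from (\d+\.\d+\.\d+\.\d+)"
)

def count_failures(log_text):
    """Count failed-login attempts per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def block_candidates(log_text, threshold=3, allowlist=()):
    """IPs with at least `threshold` failures, minus allowlisted admin hosts."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowlist)

def ipfw_rules(ips, first_rule=1000):
    """Render one ipfw deny rule per IP for the admin to review and apply."""
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any" for i, ip in enumerate(ips)]

if __name__ == "__main__":
    # A single mistyped password (198.51.100.7) stays below the threshold and is allowlisted anyway.
    for rule in ipfw_rules(block_candidates(SAMPLE_LOG, threshold=3, allowlist={"198.51.100.7"})):
        print(rule)
```

Run it from cron against the real log; the threshold and allowlist are the two knobs that decide between catching scanners and blocking a legitimate user who fat-fingered a password.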