[net] user connection to sshd

Jason K Larson plug at candlefire.org
Sun Jul 10 02:02:46 MDT 2005


If there were in fact established connections then you best pull out the
likes of chkrootkit or rkhunter because you almost definitely have been

Anyone can jump on the anti-redhat bandwagon for this; while that isn't
my goal here, RH8 is especially susceptible because of its short-lived
lifespan and complete lack of updates to critical services and the kernel.

Is your sshd_config allowing any other mechanisms for login, perhaps
something via pam like ldap?  That could explain the lack of a local
account in the shadow file.  Is root an allowed user for remote
connections?  Perhaps what you are seeing now is a result of already
being compromised by another means.  There are plenty of other services
installed by RH8 that could be very worthy of taking a closer look into
as well.

Shutting down sshd is a good start, but be aware that if the box has
been compromised, the intruder has likely established a means to create
and hide backdoors.  If you have another server nearby it may prove a
worthy effort to sniff some traffic from your box and see if anything
unusual presents itself.

My first question that I would endeavor to solve is to determine if
there was in fact an intrusion and whether or not they were able to
obtain root privileges.

I won't bother at this point to go into the advantages of running some
of the security features being deployed in Linux systems these days, but if
you'd like to think about it or take a look at what they can offer
and how they work, then may I suggest reading up on grsec, PaX and
SELinux.  All three can work together to create a considerably secure
environment.  Some distributions even include methods to "harden" the
environment even more, which alone can provide a significantly more
resilient system. And yes, that was my Gentoo pitch in case you were
left wondering.


Jason K Larson

build a man a fire and he is warm for a day.
light a man on fire and he is warm for the rest of his life.
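As an added illustration of the two checks the reply above asks for (what sshd_config permits, and who actually holds an established session to sshd), here is a small POSIX shell script. It is not from the original post or the PLUG list; it runs against constructed sample data written into temp files so it works offline, and on a real host you would point `audit_sshd_config` at /etc/ssh/sshd_config and `established_ssh_peers` at saved `netstat -tn` output. Treating an unset PermitRootLogin or PasswordAuthentication as "yes" is an assumption that follows the historical OpenSSH defaults.

```shell
#!/bin/sh
# Added example, not from the original post: audit sshd_config for the
# settings the reply asks about, and list peers with an ESTABLISHED
# session to local port 22. Sample data below is constructed.

SAMPLE_CFG=$(mktemp)
SAMPLE_NETSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_NETSTAT"' EXIT

# Constructed sshd_config excerpt (not any real host's file).
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config sample
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PermitEmptyPasswords no
EOF

# Constructed `netstat -tn` output (documentation address ranges).
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:51010       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40130      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.44:38811      TIME_WAIT
EOF

# Effective value of one directive: sshd takes the first match, skips
# comment lines and matches names case-insensitively. Prints nothing if unset.
sshd_directive() {
    cfg=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$cfg"
}

# One finding per line. Unset PermitRootLogin / PasswordAuthentication are
# treated as "yes" (assumption: the historical OpenSSH defaults).
audit_sshd_config() {
    cfg=$1
    v=$(sshd_directive "$cfg" PermitRootLogin)
    [ "${v:-yes}" = yes ] &&
        echo "PermitRootLogin=${v:-unset}: root may log in directly over the network"
    v=$(sshd_directive "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = yes ] &&
        echo "PasswordAuthentication=${v:-unset}: exposed to password guessing"
    v=$(sshd_directive "$cfg" UsePAM)
    [ "$v" = yes ] &&
        echo "UsePAM=yes: PAM may admit accounts with no entry in /etc/shadow (e.g. LDAP)"
    v=$(sshd_directive "$cfg" Protocol)
    case "$v" in
        *1*) echo "Protocol=$v: SSH protocol 1 is enabled" ;;
    esac
    v=$(sshd_directive "$cfg" PermitEmptyPasswords)
    [ "$v" = yes ] && echo "PermitEmptyPasswords=yes: empty passwords accepted"
    return 0
}

# Number of findings, for scripting around the audit.
count_sshd_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Foreign hosts with an ESTABLISHED session to local port 22, read from a
# file of `netstat -tn` output (local addr = col 4, foreign = col 5, state = col 6).
established_ssh_peers() {
    awk '$4 ~ /:22$/ && $6 == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); print $5 }' "$1"
}

echo "== sshd_config findings =="
audit_sshd_config "$SAMPLE_CFG"
echo "== peers with an established session to port 22 =="
established_ssh_peers "$SAMPLE_NETSTAT"
```

Run on the constructed sample it reports four findings (root login, password authentication, PAM and protocol 1 all enabled) and two established peers; the TIME_WAIT entry and the port 80 session are ignored. Any peer listed that you do not recognise is the starting point for the "was there actually an intrusion" question the reply raises.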
