On Friday 31 March 2006 19:29, John Summerfield wrote:
>Gene Heskett wrote:
>> We've cut our bandwidth use in half by getting rid of that. We also
>> checked the logs and added several dozen more addresses
>> to /etc/hosts.deny,
>
>That is fairly useless. IP addresses of attackers change as quickly as
>IP addresses of spammers, and they have so many it's like trying to
>fence off the porn sites of the world.
>
>More important is to discover how the rogue gained entry and to close
>that loophole. How did the shell script get there? Whose account was
>used? Does .bash_history include useful clues about what was done? Did
>the attacker send email after gaining entry? If so, the recipient
>domain (eg Yahoo) may be interested.
>
>Root's account, eh? Disallow password-based authentication for root.
>Ensure that only those who need it have shell accounts, and that those
>have good passwords. _I_ have incoming ssh land on my personal
>desktop, where there is only my password to worry about.

root ssh is denied. To do normal maintenance we log in as ourselves & su -.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's stupid
bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
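An added example, not from this thread or from either poster: a small POSIX shell audit of an sshd_config for the two settings discussed above, PermitRootLogin and PasswordAuthentication. The two sample configs are constructed here, and effective_value and audit_sshd_config are hypothetical helper names. The audit applies sshd's real parsing rules (the first occurrence of a keyword wins, keywords are case-insensitive, directives after a Match line are conditional), which is why a `PermitRootLogin no` appended to the bottom of a file that already says `yes` changes nothing.

```shell
#!/bin/sh
# Added example (not code from the thread or its posters). Audits an
# sshd_config-style file for the two settings discussed: root must not log
# in over ssh, and password authentication must be off.
# sshd_config rules this relies on: keywords are case-insensitive, '#' starts
# a comment, the FIRST occurrence of a keyword wins, and directives after a
# "Match" line apply only inside that block.

# effective_value FILE KEYWORD
# Prints the global (pre-Match) value of KEYWORD in lower case, or "unset".
effective_value() {
    file=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # blank / keyword-only lines
        tolower($1) == "match" { exit }         # everything after is conditional
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$file"
}

# audit_sshd_config FILE
# Prints one line per weak setting; returns 0 only if both are hardened.
# Only "no" is accepted for PermitRootLogin: "prohibit-password" would still
# let root in with a key, whereas the practice in the thread is no root ssh
# at all (log in as yourself, then "su -").
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '$root' (want 'no')"
        rc=1
    fi
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '$pw' (want 'no'; sshd defaults to 'yes' when unset)"
        rc=1
    fi
    return $rc
}

# Constructed sample configs, written to temp files so the example runs offline.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Someone appended "PermitRootLogin no" at the bottom, but sshd keeps the
# first value of a keyword, so root password logins are still allowed.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# No root over ssh, keys only. Admins log in as themselves and use "su -".
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# Password logins only from the documentation/test net (RFC 5737), and only
# because this is inside a Match block; it does not change the global value.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    AllowTcpForwarding no
EOF

echo "--- weak config ---"
audit_sshd_config "$WEAK_CFG" || echo "audit: FAIL (expected for this file)"
echo "--- hardened config ---"
audit_sshd_config "$HARDENED_CFG" && echo "audit: OK"
```

Run it against a real /etc/ssh/sshd_config by calling audit_sshd_config on that path instead of the temp files. The check deliberately stops reading at the first Match line: anything below it is conditional, so a `PasswordAuthentication no` that only appears inside a Match block leaves the global default (yes) in force.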