Am Di, den 14.09.2004 schrieb James Kosin um 15:27: > Just an update: > ~ 1) I've noticed some traffic on the net recently trying to access > port 111 (I have it blocked on my server). Those that don't know should > really think about blocking this port from the outside using iptables. > Be sure not to block your lo interface for this port. Thank you for this information, James. Maybe at least it points the attraction of root users (admins) to the fact, that the portmapper, which is port 111, is open on many systems for outside connects by default. > ~ 2) I've also made it so root can not login via ssh. This was to > circumvent some of the problems with the recent sshd attacks. To block > or not allow root to login, change the /etc/ssh/sshd_config file and add > a line that has 'DenyUsers root' > ~ This change does not block the attempt; but, it does block root from > loging in. You can still login as a normal user and do an 'su -' to get > root. One way, or disallow password authentication configuring the same file and setup public key auth for ssh. To prevent to let the script kids find their target on my hosts running a public available sshd, I changed the listening default port from 22 to something different. Comment: this is no security setting, but to get rid of these simple script attacks only targeting port 22. I do not like to have the logs flooded by attack alarms. > James Kosin Alexander -- Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13 Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp Serendipity 16:49:54 up 15 days, 14:06, load average: 0.09, 0.17, 0.09
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
