On Mon, May 19, 2008 at 11:12 PM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:

> Vijay Krishnan:
>> I have Fedora 5 and 6 installed on my machines. I strangely find
>> that I am often unable to login to the machine with my regular
>> password using ssh. Fortunately I have physical access to the machine,
>> which allows me to change the password back.
>
> Are you changing it back, or just setting the same password again? The
> first would indicate someone's changing it on you. The latter a fault
> (you're presuming it's changed, because you couldn't log in, but
> something else might be preventing the log in).
>
> If you keep changing it back to a password that a hacker has already
> worked out, then you're not doing anything to protect yourself. Set a
> new password, a damn good one.
>
> If you've been hacked, the simplest resolution is a fresh install, being
> very careful about what you put back on the new system from your old
> installation. Don't re-install a trojan.
>
> Otherwise, if you're going to try and keep on using your existing
> installation, you're going to need to check, very thoroughly, for a
> trojan. Which may well be a "rootkit" (one designed to give root access
> to a box, and to be quite well hidden from discovery).
>
> Afterwards, install something like the fail2ban package. Then, someone
> trying to ssh in to your machine only gets a limited number of attempts
> before their IP is locked out. That makes it much harder for a hacker
> to keep on trying to break in; the only way around it for them to keep on
> attempting is to come at you from numerous different IPs.
>
> Where do you need to be able to ssh into the machine from? If it's just
> within your LAN, then firewall the ssh port off from the internet. If
> you do need to access it from the net, then still firewall it off, but
> open through some holes from the locations you need to access it from.
> That'll limit hacking possibilities, too.
Wireshark can be useful here too. You might leave it running on a separate machine plugged into the same switch; make sure the switch doesn't have VLANs set up or you won't be able to capture all the traffic in promiscuous mode. Or you could tap the wire feeding the switch if you can't reconfigure the switch, or run the net connection through another machine that feeds the box in question so you can watch the traffic. There are many ways to skin this cat. Of course it helps if you have monitored the traffic on your LAN before; otherwise you'll be using whois a lot, or dig or nslookup.

Pen testing is a whole subject by itself and there are distros out there dedicated to just that. Many of the tools and methods for pentesting can be used to get information on an attacker; here the reconnaissance techniques are useful. But all this presupposes you've been hacked, which really hasn't been established yet, but you know what they say: "Just because you're paranoid doesn't mean they are not out to get you."

By the way, configuring the filters on Wireshark can be a bit of a pain, especially if you're long on ideas but short on experience like me, but properly set up filters (I learned by trial and error and Google) can make life much easier. Filtering things like STP out can make the output much easier to read; filtering out known good traffic will only leave the unknown. That's much easier than trying to sift through all the traffic produced on a typical LAN. You'd be surprised by how much there is, depending on the size of the LAN.

Max

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
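Tim's fail2ban suggestion above, shown as detection logic in an added Python example (not fail2ban's own code and not part of the thread): it reads the "Failed password" lines sshd writes to the auth log, counts them per source IP, and reports a ban once `maxretry` failures fall inside the `findtime` window, which is the same rule fail2ban's sshd jail applies. The log lines are constructed for the example; the year is assumed to be 2008 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (syslog/sshd format); not from any real host.
SAMPLE_LOG = """\
May 19 23:01:02 box sshd[2311]: Failed password for root from 203.0.113.7 port 4411 ssh2
May 19 23:01:05 box sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
May 19 23:01:09 box sshd[2315]: Failed password for root from 203.0.113.7 port 4413 ssh2
May 19 23:02:40 box sshd[2320]: Accepted password for vijay from 192.168.1.20 port 51022 ssh2
May 19 23:03:15 box sshd[2322]: Failed password for vijay from 192.168.1.20 port 51030 ssh2
May 19 23:40:00 box sshd[2390]: Failed password for root from 203.0.113.7 port 4500 ssh2
"""

# Matches sshd's failed-login line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2008):
    """Syslog timestamps have no year; 2008 is assumed for the sample."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every IP that reached maxretry
    failed logins within a sliding findtime window (fail2ban's rule)."""
    attempts = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:   # ignore non-failures and already-banned IPs
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        # Keep only failures still inside the window, then count them.
        window = [x for x in attempts[ip] if t - x <= findtime] + [t]
        attempts[ip] = window
        if len(window) >= maxretry:
            bans[ip] = t
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

A single stale failure from the LAN host never reaches the threshold, while the burst from 203.0.113.7 is banned on its third attempt; the later attempt at 23:40 is outside the window and is ignored because the address is already banned.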