[lug] Should I worry about: attempted hacks on boxes?
D. Stimits
stimits at comcast.net
Sun Jul 6 15:57:58 MDT 2003
Eric Peers wrote:
> I've got a box on the web which is not publicly
> advertised at this point. But it looks like folks are
> trying to hack it. I've seen weird http requests (code
> red), and attempted logins for ssh. Is there anything
> I should do besides reading my logs periodically for
> this sort of activity? Is there a good toolkit that
> checksums major binaries to see if a system has been
> compromised?
>
> Do these look enough like attempted hacks? I've
> obviously turned off root logins to my box and
> disabled most other ports (ftp, telnet).
>
> [log]# more secure.1
> Jul 1 03:57:06 iceaxe sshd[642]: Did not receive
> identification string from 80.55.196.26
> Jul 1 04:00:24 iceaxe sshd[654]: Did not receive
> identification string from 80.55.196.26
> Jul 3 22:01:15 iceaxe sshd[13243]: Did not receive
> identification string from 211.152.64.13
>
> The first logins are from a machine in Poland. The 2nd
> is from somewhere in China? My girlfriend and I are the
> only ones logging into the box right now, and I know
> we're not in China or Poland. Should I worry about
> these?
I just finished reading the book on snort, which is a rather impressive
intrusion detection system; you may wish to check it out.
IMHO, the absolutely most important thing you can do is keep your
software up to date. If it is Red Hat, get a KRUD subscription, and/or
get on the Red Hat security advisory email list, and *quickly* download
announced updates from ftp://updates.redhat.com.
D. Stimits, stimits AT comcast DOT net
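The two things the original poster asked about, triaging the sshd lines quoted above and checksumming binaries, as an added example that is not part of the thread and not code from either participant. The sample log is constructed from the three lines in the post plus one made-up "Accepted password" line; the allowlist address 192.168.1.10 and the user name eric are assumptions. The sshd message "Did not receive identification string" means a client opened the TCP connection and closed it without ever sending an SSH version banner, which is what a port scanner or probe does and what a real ssh client does not, so the script counts those per source and reserves an alert for the event that actually matters: a successful login from an address the owners do not use. The baseline functions are a minimal stand-in for a file-integrity checker (the idea behind tools like Tripwire or AIDE), not a replacement for one.

```python
import hashlib
import re
from collections import Counter
from pathlib import Path

# Constructed sample: the three sshd lines quoted in the post, plus one
# made-up "Accepted password" line so there is a legitimate login to contrast.
SAMPLE_SECURE_LOG = """\
Jul 1 03:57:06 iceaxe sshd[642]: Did not receive identification string from 80.55.196.26
Jul 1 04:00:24 iceaxe sshd[654]: Did not receive identification string from 80.55.196.26
Jul 3 22:01:15 iceaxe sshd[13243]: Did not receive identification string from 211.152.64.13
Jul 4 09:12:41 iceaxe sshd[13301]: Accepted password for eric from 192.168.1.10 port 4122 ssh2
"""

# Hypothetical allowlist: the address(es) the two legitimate users connect from.
TRUSTED_SOURCES = {"192.168.1.10"}

NO_IDENT_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\d+\.\d+\.\d+\.\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def count_probes(log_text):
    """Count 'Did not receive identification string' events per source IP.

    sshd logs this when a TCP client connects and disconnects without sending
    an SSH version banner: scanner/probe behaviour, not a real ssh client.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = NO_IDENT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def untrusted_logins(log_text, trusted=TRUSTED_SOURCES):
    """Return (user, ip) for successful logins from non-allowlisted addresses.

    A probe that never completed a handshake is noise to watch; a successful
    login from an unexpected address is the event that warrants action.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) not in trusted:
            hits.append((m.group(1), m.group(2)))
    return hits


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(paths):
    """Map each path to the SHA-256 of its contents.

    Keep the result off the box (or on read-only media): a baseline stored on
    the host it protects can be rewritten by whoever compromised that host.
    """
    baseline = {}
    for p in paths:
        with open(p, "rb") as f:
            baseline[str(p)] = sha256_bytes(f.read())
    return baseline


def verify_baseline(baseline):
    """Return paths whose current hash differs from the baseline or that are gone."""
    changed = []
    for path, digest in baseline.items():
        if not Path(path).is_file():
            changed.append(path)
            continue
        with open(path, "rb") as f:
            if sha256_bytes(f.read()) != digest:
                changed.append(path)
    return changed


if __name__ == "__main__":
    probes = count_probes(SAMPLE_SECURE_LOG)
    for ip, n in sorted(probes.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} no-banner connections from {ip}")
    for user, ip in untrusted_logins(SAMPLE_SECURE_LOG):
        print(f"ALERT: login as {user} from untrusted {ip}")
```

On a real system the input would be /var/log/secure (or the rotated secure.1 the poster read) and the baseline list would cover /bin, /sbin, /usr/bin and the like, regenerated after every package update so that a legitimate upgrade is not reported as tampering.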