On Thu, Mar 29, 2001 at 09:45:05PM -0800, John Marsh wrote:
>Well I should have listened to Joe Hartman and installed secure
>shell.  I was busted and someone got into my Cobalt RaQ4 server. 
>They posted a Kill the "[we won't say]" page as the home page
>for each 6 of my virtual sites.  They also changed the root
>password.  What a pain.
>
>So I was wondering what is the best secure shell to use;
>and how can I set up the server to only accept telnet traffic
>from certain IPs?
>

OpenSSH, the latest version, is probably the ssh of choice; although
Kermit can do encrypted telnet as well.  For the "telnet only from
12.34.56.78", I would probably do it with tcpd; set up the telnet
or ssh daemon to use tcpd, and in /etc/hosts.allow, allow connection
from the hosts you want; then in /etc/hosts.deny, deny ALL EXCEPT
the hosts you want.

Mike would no doubt do it through IPMunge in the kernel.

>Yes I'm new to Linux and appreciate any help.  Also what file
>would I look at to see the telnet traffic maybe the guy didn't
>cover his tracks and I could look for patterns in the ip
>addresses.

That would depend on the exact logging setup on your box; I'd start
with /var/log/messages, then /var/log/daemon.log, and the other /var/log
stuff; if you have process accounting, "last" and "lastcomm" can be
helpful, as can shell history files.  If the intruder did any degree of
cleanup, determining the whole story can be a real pain; it seems one has to
develop a familiarity with the normal state of one's box, and a Zen-like
awareness of unrightness.
-- 
"There are two major products that come out of Berkeley:
LSD and UNIX.  We don't believe this to be a coincidence."
                -Jeremy S. Anderson
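The hosts.allow / hosts.deny setup suggested in the reply, as an added example that is not part of the original thread: a small POSIX sh model of how tcpd evaluates the two files (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted), run against constructed copies in a temp directory rather than the real /etc files. The trusted address 12.34.56.78 is the one used in the reply; the other addresses and the daemon names in.telnetd and sshd are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message): a model of tcpd's
# hosts.allow / hosts.deny decision order, evaluated against constructed
# files so the policy can be checked before it is written to /etc.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed policy: only 12.34.56.78 (the admin address from the reply) may
# reach the telnet and ssh daemons; every other client is refused for every
# wrapped service, which is the "deny ALL EXCEPT the hosts you want" form.
cat > "$WORK/hosts.allow" <<'EOF'
# daemon_list : client_list
in.telnetd : 12.34.56.78
sshd       : 12.34.56.78
EOF

cat > "$WORK/hosts.deny" <<'EOF'
ALL : ALL EXCEPT 12.34.56.78
EOF

# match_list LIST NAME -> exit 0 if NAME matches LIST.
# Understands ALL, exact names/addresses, dotted prefixes such as "12.34.56."
# and a single EXCEPT clause, which is the subset of tcpd syntax used above.
match_list() {
  printf '%s\n' "$1" | awk -v name="$2" '
    function in_set(set, name,   n, i, parts, p) {
      n = split(set, parts, /[ ,]+/)
      for (i = 1; i <= n; i++) {
        p = parts[i]
        if (p == "") continue
        if (p == "ALL") return 1
        if (p == name) return 1
        if (p ~ /\.$/ && index(name, p) == 1) return 1
      }
      return 0
    }
    {
      n = split($0, halves, / EXCEPT /)
      if (in_set(halves[1], name) && (n < 2 || !in_set(halves[2], name))) exit 0
      exit 1
    }'
}

# file_matches FILE DAEMON CLIENT -> exit 0 if any rule in FILE matches.
file_matches() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    daemons=${line%%:*}
    clients=${line#*:}
    match_list "$daemons" "$2" && match_list "$clients" "$3" && return 0
  done < "$1"
  return 1
}

# tcpd_decision DAEMON CLIENT: prints "granted" or "denied" in tcpd's order.
# Note the fall-through: with an empty hosts.deny, everything is granted.
tcpd_decision() {
  if file_matches "$WORK/hosts.allow" "$1" "$2"; then echo granted
  elif file_matches "$WORK/hosts.deny" "$1" "$2"; then echo denied
  else echo granted
  fi
}

# Stand-alone run: the two wrapped daemons from the trusted and from
# untrusted (constructed) addresses.
for case in "sshd 12.34.56.78" "in.telnetd 12.34.56.78" \
            "sshd 203.0.113.9" "in.telnetd 198.51.100.4"; do
  set -- $case
  printf '%-12s from %-15s -> %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2")"
done
```

Two things the model makes visible: the EXCEPT clause in hosts.deny means the trusted address also reaches any other wrapped daemon that hosts.allow does not mention, and the final fall-through grants access whenever neither file matches, so hosts.deny must actually contain the catch-all. Against the live files, the tcp_wrappers package's own tcpdmatch (for example `tcpdmatch sshd 12.34.56.78`) answers the same question, and tcpdchk reports syntax errors. The wrappers only cover daemons started through tcpd or linked against libwrap; a daemon listening on its own is not affected by either file.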

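The log review the reply points at (start with /var/log/messages, look for patterns in the addresses), as an added example that is not part of the original thread: a few awk passes over syslog-style lines that count connections per source address and pick out addresses that failed logins and later got in. The log lines, the hostname raq4 and all addresses are constructed for the example; on a real box the functions take /var/log/messages and its rotated copies instead.

```shell
#!/bin/sh
# Added example (not from the original message): a first pass over
# /var/log/messages-style lines to see which addresses reached the telnet
# and ssh daemons and which of them had failed logins. The sample log below
# is constructed; the line layouts follow tcpd's "connect from", login(1)'s
# "FAILED LOGIN" / "LOGIN ON" notices and sshd's "Accepted password" lines.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/messages"

cat > "$LOG" <<'EOF'
Mar 29 20:58:11 raq4 in.telnetd[2101]: connect from 192.0.2.10
Mar 29 20:58:20 raq4 login[2102]: LOGIN ON 0 BY admin FROM 192.0.2.10
Mar 29 21:03:42 raq4 in.telnetd[2130]: connect from 203.0.113.9
Mar 29 21:03:51 raq4 login[2131]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root, Authentication failure
Mar 29 21:04:02 raq4 login[2131]: FAILED LOGIN 2 FROM 203.0.113.9 FOR root, Authentication failure
Mar 29 21:04:30 raq4 in.telnetd[2135]: connect from 203.0.113.9
Mar 29 21:04:44 raq4 login[2136]: LOGIN ON 1 BY root FROM 203.0.113.9
Mar 29 21:20:07 raq4 sshd[2201]: Accepted password for root from 203.0.113.9 port 1043
Mar 29 21:31:15 raq4 in.telnetd[2240]: connect from 198.51.100.4
Mar 29 21:31:22 raq4 login[2241]: FAILED LOGIN 1 FROM 198.51.100.4 FOR admin, Authentication failure
EOF

# connections_by_source LOG: one "count address" line per source, busiest
# first. Counts tcpd connect lines for in.telnetd plus sshd accepted logins.
connections_by_source() {
  awk '/in\.telnetd\[[0-9]+\]: connect from/ { hits[$NF]++ }
       /sshd\[[0-9]+\]: Accepted/ {
         for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i+1)]++
       }
       END { for (h in hits) print hits[h], h }' "$1" | sort -rn
}

# failed_then_success LOG: addresses with at least one FAILED LOGIN and a
# later successful console/telnet login or ssh acceptance, printed as
# "address failures". This is the trace password guessing leaves behind.
failed_then_success() {
  awk '/FAILED LOGIN/ {
         for (i = 1; i <= NF; i++) if ($i == "FROM") fails[$(i+1)]++
       }
       /LOGIN ON .* BY .* FROM/ {
         for (i = 1; i <= NF; i++)
           if ($i == "FROM" && ($(i+1) in fails)) hit[$(i+1)] = fails[$(i+1)]
       }
       /sshd\[[0-9]+\]: Accepted/ {
         for (i = 1; i <= NF; i++)
           if ($i == "from" && ($(i+1) in fails)) hit[$(i+1)] = fails[$(i+1)]
       }
       END { for (h in hit) print h, hit[h] }' "$1" | sort
}

# trace_source LOG ADDR: every line mentioning one address, in log order,
# for reading the full sequence once an address stands out.
trace_source() { grep -F -- "$2" "$1"; }

# Stand-alone run.
echo "connections per source address:"
connections_by_source "$LOG"
echo
echo "sources with failed logins followed by a success:"
failed_then_success "$LOG"
echo
echo "full trace for the top address:"
trace_source "$LOG" "$(connections_by_source "$LOG" | head -n 1 | cut -d' ' -f2)"
```

The counts are only as good as what was left in the file; as the reply says, an intruder who cleaned up will leave gaps, so corroborate the addresses against "last" (which reads /var/log/wtmp rather than syslog) and against any copy of the logs that was sent off the box. Running the same functions over the rotated files (/var/log/messages.1 and so on) extends the window backwards.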