On Sat, 2010-08-28 at 01:22 +0100, Daniel Case wrote:
> Hi there,
>
> One of my servers has recently been attacked, it has one remote SSH
> user which cannot run 'sudo', I made it like that so that if it was
> compromised, no-one would be able to do much.
>
> However, someone managed to gain the password to that account on the
> server then used "vi /etc/passwd" to gain a list of users, then
> launched a bruteforce using su against my admin account.
> (that's what I can gather from the logs)
>
> This did not get very far before I saw and kicked the user off and
> changed all of the passwords, but I would like to know how to prevent
> this sort of thing happening again.
>
> I need to know mainly how to stop the SSH user running su in the first
> place and how to stop the user seeing files like /etc/passwd
>
> Anyone have any suggestions?

Denyhosts is quite useful in stopping brute force attacks. After so many
failed attempts it just blocks the attacking IP.

-Matt Daubney
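
Added example, not part of the original thread and not DenyHosts' own code: a small log scan showing the threshold idea from the reply (count failed SSH logins per source IP) and, going slightly beyond it, the repeated failed `su` attempts described in the question. The log lines are constructed samples in the usual Ubuntu `/var/log/auth.log` layout, and the function name `scan` and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the poster's server).
SAMPLE_LOG = """\
Aug 28 00:10:01 server sshd[1201]: Failed password for remote from 203.0.113.5 port 51234 ssh2
Aug 28 00:10:04 server sshd[1201]: Failed password for remote from 203.0.113.5 port 51234 ssh2
Aug 28 00:10:09 server sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Aug 28 00:10:15 server sshd[1207]: Accepted password for remote from 203.0.113.5 port 51251 ssh2
Aug 28 00:11:40 server sshd[1300]: Failed password for remote from 198.51.100.7 port 40022 ssh2
Aug 28 00:15:02 server su[2345]: FAILED su for admin by remote
Aug 28 00:15:05 server su[2349]: FAILED su for admin by remote
Aug 28 00:15:09 server su[2352]: FAILED su for admin by remote
"""

# Patterns modelled on typical sshd and su messages (assumed format).
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
SU_FAIL = re.compile(r"su\[\d+\]: FAILED su for (\S+) by (\S+)")


def scan(log_text, threshold=3):
    """Return (ips, su_pairs) whose failure count reached the threshold."""
    ssh, su = Counter(), Counter()
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            ssh[m.group(1)] += 1
            continue
        m = SU_FAIL.search(line)
        if m:
            # su failures carry no source IP, so key on the local account
            # that ran su and the account it targeted.
            su[(m.group(2), m.group(1))] += 1
    ips = sorted(ip for ip, n in ssh.items() if n >= threshold)
    pairs = sorted(p for p, n in su.items() if n >= threshold)
    return ips, pairs


if __name__ == "__main__":
    ips, pairs = scan(SAMPLE_LOG)
    for ip in ips:
        print(f"repeated SSH failures, block candidate: {ip}")
    for src, target in pairs:
        print(f"repeated su failures: {src} -> {target}")
```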