Hi
I am only using ssh. Is it possible to have rsa-keys for all users,
including vyatta?
Maybe the attackers managed to brute force my password?
This is very anoying since I have to reinstall the machine tomorrow and
doesn't know what went wrong. Haven't had time to check the logs either.
How does the user configuration look for you other guys and girls?
2008/2/4, Stig Thormodsrud <[EMAIL PROTECTED]>:
>
> Hi Jostein,
>
>
>
> Are you using telnet or ssh to access the box? Using telnet in not secure
> from a public network as the username/password is in clear text.
>
>
>
> stig
>
>
> ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Jostein
> Martinsen-Jones
> *Sent:* Monday, February 04, 2008 2:43 AM
> *To:* Dave Strydom
> *Cc:* vyatta-users@mailman.vyatta.com
> *Subject:* Re: [Vyatta-users] Vyatta box hacked?
>
>
>
> Jupp, I think i have an intruder, the ip 202.172.171.217 isn't known to me
> at all.
> I am the only one knowing the root password, and I have not logged in
> those times that last are showing.
>
> root pts/0 202.172.171.217 Mon Feb 4 05:21 - 07:38 (02:16)
> root pts/0 202.172.171.217 Sat Feb 2 14:54 - 16:05 (01:11)
> root pts/0 202.172.171.217 Fri Feb 1 23:51 - 23:57 (00:05)
> root pts/0 202.172.171.217 Fri Feb 1 13:49 - 17:18 (03:29)
>
> How did this happen?
> I changed all the passwords on install to 8 character long, using numbers
> and letters.
> This is from my old config, are plaintext-password supposed to be blank?
>
> # show system login
> user root {
> authentication {
> encrypted-password: "$1$nZxxxxxxsgXC/"
> plaintext-password: ""
> }
> }
> user vyatta {
> authentication {
> encrypted-password: "$1$yyyyyyyyyyyt0/"
> plaintext-password: ""
> }
> }
>
> 2008/2/4, Dave Strydom <[EMAIL PROTECTED]>:
>
> Login to your router as root and run:
>
> # last | more
>
> and see if there are any logins to your machine which you do not
> recognize.
>
>
>
> On Feb 4, 2008 12:05 PM, Jostein Martinsen-Jones <[EMAIL PROTECTED]>
> wrote:
> > I got mail from another linux user today. He complained about login
> attempts
> > to his boxes, from my vyatta router!
> > Am I haxored or what? This is from his log and the "ip" 12.34.56.78 are
> my
> > router.
> >
> > Feb 2 18:11:39 88.191.40.120 sshd[30444]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
> user=root
> > Feb 2 18:11:40 88.191.40.120 sshd[30444]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42492 ssh2
> > Feb 2 18:11:46 88.191.40.120 sshd[30450]: User root from 12.34.56.78not
> > allowed because not listed in AllowUsers
> > Feb 2 18:11:46 88.191.40.120 sshd[30450]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
> user=root
> > Feb 2 18:11:48 88.191.40.120 sshd[30450]: Failed password for invalid
> user
> > root from 12.34.56.78 port 42926 ssh2
> > Feb 2 18:11:54 88.191.40.120 sshd[30456]: User root from 12.34.56.78not
> > allowed because not listed in AllowUsers
> > Feb 2 18:11:54 88.191.40.120 sshd[30456]: (pam_unix) authentication
> > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=12.34.56.78
> user=root
> > Feb 2 18:11:56 88.191.40.120 sshd[30456]: Failed password for invalid
> user
> > root from 12.34.56.78 port 43408 ssh2
> > Feb 2 18:11:56 88.191.40.120 sshd[30494]: refused connect from
> 12.34.56.78
> > (12.34.56.78)
> > _______________________________________________
> > Vyatta-users mailing list
> > Vyatta-users@mailman.vyatta.com
> > http://mailman.vyatta.com/mailman/listinfo/vyatta-users
> >
> >
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
>
>
>
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
