[SWLUG] Possible SSH Attack

Matthew Willsher matt at monki.org.uk
Fri Jul 15 12:39:24 UTC 2011


On 15 July 2011 09:00, Jon Reynolds <maillist at jcrdevelopments.com> wrote:

>  Thanks for the replies.
>
>  Well, for a start I do already run ssh on a non-22 port. I can easily
>  set up a group for ssh-only access (within my skills).
>
>  As for the pop side of things, I'm afraid my understanding of the mail
>  server is lacking a little. I kind of blindly fumbled my way through
>  setting it up following an online tutorial and it works, but that's as
>  far as my knowledge goes really.
>
>  I access my mail via IMAP on my phone, roundcube via a browser or mutt
>  directly in an ssh session. I 'think' I don't need POP3 but how to
>  configure this to help my security problem is still a bit beyond me.
>

Are you running a firewall on the server? If so, block port 110. If not, get
one set up and allow by exception. It may be other services are also
exposed. nmap <your remote ip> from a remote server will show up what's
listening (I've found ec2 handy for these sorts of checks). netstat -anp as
root will show you what is listening on UDP and TCP along with the process
associated, and is often the best place to start.

Regarding firewalls, I recommend Shorewall if you've got time to learn it.
It's easy to manage, has sensible defaults and is well documented and
updated. freshmeat.net will list other firewall software that makes iptables
a little easier if you've not used it before.


>  I did think I had followed a tutorial to set up my mail as SLS but it
>  didn't seem to work, at least when I tried my credentials in my mail
>  client as SLS (or TLS, not sure the diff) it wouldn't work, put in
>  credentials as just plain login and it worked, so I have left it at
>  that...again naively thinking, who would want to get into my system, I
>  have nothing of interest. Seems I was wrong!
>

You have a machine on the Internet - that's always of interest to someone :)


>  Will start with the extra security of adding a group.
>

Get the system updated and focus on shutting down or, as a short-term fix,
firewalling off unused services. They're the biggest risk to your system.

Have fun :)
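One way to turn the "see what is listening, then allow by exception" advice above into a repeatable check, as an added example that is not part of the original post or of any tool it mentions. The netstat output is a constructed sample (not captured from the poster's server), the allowlist of intentionally exposed ports is hypothetical, and the iptables commands are printed for review rather than applied; Shorewall, as recommended above, would generate equivalent rules from its own configuration files.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output as seen by root. Not real data:
# ssh on a non-22 port, POP3 and IMAP exposed, MySQL bound to loopback only.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      904/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      904/dovecot
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1020/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1100/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient'

# Hypothetical allowlist: the ports you mean to expose (ssh on 2222, IMAP, SMTP).
ALLOWED_PORTS="2222 143 25"

# Print "proto port pid/program" for every socket bound to a non-loopback
# address whose port is not on the allowlist. Loopback-only sockets are
# skipped because they cannot be reached from the network.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                            # skip the header line
        $1 == "tcp" && $6 != "LISTEN" { next }      # only listening TCP sockets matter here
        {
            split($4, addr, ":"); ip = addr[1]; port = addr[2]
            if (ip ~ /^127\./) next                 # bound to loopback only
            if (port in ok) next                    # intentionally exposed
            prog = ($1 == "tcp") ? $7 : $6          # UDP rows have no State column
            print $1, port, prog
        }'
}

# Emit a default-deny INPUT policy that allows only the allowlisted TCP ports,
# loopback, and replies to connections the host itself started. Printed, not
# executed, so the rules can be reviewed before being applied or translated
# into a Shorewall configuration.
firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

echo "Listening sockets not on the allowlist:"
unexpected_listeners
echo
echo "Proposed rules (review before applying):"
firewall_rules
```

Against the sample, the check reports POP3 (port 110) and the DHCP client's UDP socket, which is exactly the kind of list to work through: shut the service down where it is not needed, firewall it off as the short-term fix, or add it to the allowlist if it is meant to be there. Swap the constructed sample for a real `netstat -anp` or `ss -lntup` run to use it on a live host.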