[CentOS] pop3 attack

Chris Boyd cboyd at gizmopartners.com
Tue Dec 9 23:43:27 UTC 2008


On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:

> Once the cracker finds an account with a guessable password, they  
> may well
> be able to get access to your system as that user via ssh, webmin,  
> usermin,
> or other means.  Given shell access, the cracker can install user- 
> level IRC
> servers or gain root access via exploits that only work for local  
> users.  I
> have seen cases where crackers were able to change user shells and  
> other
> information via usermin or webmin by exploiting vulnerabilities in  
> system
> utilities thus gaining access to the system.

You can keep compromised accounts from logging in via ssh with the  
"AllowUsers" option in your /etc/ssh/sshd_config file.  Add that  
option followed by a list of user names that you want to be able to  
log in, ex:

# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe

And you should also set "PermitRootLogin no" while you are in  
sshd_config.

Be sure to do a "service sshd restart" after you change the file, and  
do a test login _before_ you log out of your current session.  Saves  
cursing and late night drives to remote servers in case sshd barfs  
somehow :-)

--Chris



More information about the CentOS mailing list