[CentOS] pop3 attack

Bill Campbell centos at celestial.com
Wed Dec 10 00:23:43 UTC 2008


On Tue, Dec 09, 2008, Chris Boyd wrote:
>
>On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
>
>> Once the cracker finds an account with a guessable password, they  
>> may well
>> be able to get access to your system as that user via ssh, webmin,  
>> usermin,
>> or other means.  Given shell access, the cracker can install user- 
>> level IRC
>> servers or gain root access via exploits that only work for local  
>> users.  I
>> have seen cases where crackers were able to change user shells and  
>> other
>> information via usermin or webmin by exploiting vulnerabilities in  
>> system
>> utilities thus gaining access to the system.
>
>You can keep compromised accounts from logging in via ssh with the  
>"AllowUsers" option in your /etc/ssh/sshd_config file.  Add that  
>option followed by a list of user names that you want to be able to  
>log in, ex:

By the time you know the user has been compromised, it's too late.

We normally don't allow password authentication with ssh,
requiring authorized_keys.  In the cases where we have to allow
password authentication, we severely restrict ssh acces using the
/etc/hosts.allow file.

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Basic Definitions of Science:
    If it's green or wiggles, it's biology.
    If it stinks, it's chemistry.
    If it doesn't work, it's physics.


More information about the CentOS mailing list