On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
Once the cracker finds an account with a guessable password, they may well be able to get access to your system as that user via ssh, webmin, usermin, or other means. Given shell access, the cracker can install user-level IRC servers or gain root access via exploits that only work for local users. I have seen cases where crackers were able to change user shells and other information via usermin or webmin by exploiting vulnerabilities in system utilities, thus gaining access to the system.
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
    # Only let Fred Guru and Joe Admin in, block anyone
    # else even if they have a valid password.
    AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in sshd_config.
Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)
--Chris
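As an added example (not part of Chris's or Bill's messages), here is a small POSIX shell script that makes the two sshd_config changes Chris describes, AllowUsers and PermitRootLogin no, and then checks the file the way sshd itself parses it before you restart. It puts the new directives at the top of the file, because sshd honours the first value it sees for a keyword and AllowUsers is not valid inside a Match block, and it comments out any earlier active copies so the file stays readable. The config path, the user names, the "#disabled#" marker and the sample config used below are my assumptions; the "service sshd restart" step is left to you, exactly as in the original advice.

```sh
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Assumed: the config lives at the path you pass in, keywords are
# separated from their arguments by whitespace (the optional "Key=Value"
# form is not handled), and sshd may or may not be installed locally.

# Print the effective value of KEY in FILE: the first uncommented
# occurrence wins, and sshd matches keywords case-insensitively.
sshd_setting() {
    file=$1; key=$2
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$file"
}

# Rewrite FILE so that only the listed users may log in and root may not.
# Usage: harden_sshd_config /etc/ssh/sshd_config fred joe
harden_sshd_config() {
    file=$1; shift
    if [ $# -eq 0 ]; then
        echo "harden_sshd_config: refusing to write an empty AllowUsers" >&2
        return 2
    fi
    users=$*
    tmp=$(mktemp)
    {
        printf '# Only let the listed users in, block anyone else even if\n'
        printf '# they have a valid password. Placed first so it wins over\n'
        printf '# any later setting and sits ahead of any Match block.\n'
        printf 'AllowUsers %s\n' "$users"
        printf 'PermitRootLogin no\n'
        # Copy the old file, commenting out earlier active copies of the two
        # keywords that appear before the first Match block ("#disabled#" is
        # an assumed marker). Lines inside Match blocks are left alone.
        awk '
            /^[[:space:]]*#/ { print; next }
            tolower($1) == "match" { in_match = 1 }
            !in_match && (tolower($1) == "allowusers" || tolower($1) == "permitrootlogin") {
                print "#disabled# " $0; next
            }
            { print }
        ' "$file"
    } > "$tmp"
    cat "$tmp" > "$file"   # write through so owner and mode are preserved
    rm -f "$tmp"
}

# Syntax-check FILE with sshd's own parser before restarting. Returns
# non-zero if sshd rejects the file; do not restart on a non-zero return.
# (sshd -T additionally dumps the effective configuration.)
validate_sshd_config() {
    file=$1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file"
    else
        echo "warning: sshd not found on this host, skipping syntax check" >&2
    fi
}

# Whole procedure, to be run by hand as root; the restart is deliberately
# not issued by the script. Keep your current session open and log in from
# a second terminal before closing it.
apply_hardening() {
    cfg=${1:-/etc/ssh/sshd_config}; shift
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    harden_sshd_config "$cfg" "$@" || return 1
    validate_sshd_config "$cfg" || return 1
    echo "config OK: now run 'service sshd restart' and test a login before logging out"
}
```

If sshd -t fails, restore the backup that apply_hardening made and fix the file before restarting; the old daemon keeps running and keeps your current session alive until you restart it, which is why the check comes first.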