[CentOS] pop3 attack
Chris Boyd
cboyd at gizmopartners.com
Tue Dec 9 23:43:27 UTC 2008
On Dec 9, 2008, at 2:33 PM, Bill Campbell wrote:
> Once the cracker finds an account with a guessable password, they may well
> be able to get access to your system as that user via ssh, webmin, usermin,
> or other means. Given shell access, the cracker can install user-level IRC
> servers or gain root access via exploits that only work for local users. I
> have seen cases where crackers were able to change user shells and other
> information via usermin or webmin by exploiting vulnerabilities in system
> utilities thus gaining access to the system.
You can keep compromised accounts from logging in via ssh with the
"AllowUsers" option in your /etc/ssh/sshd_config file. Add that
option followed by a list of user names that you want to be able to
log in, ex:
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in
sshd_config.
Be sure to do a "service sshd restart" after you change the file, and
do a test login _before_ you log out of your current session. Saves
cursing and late night drives to remote servers in case sshd barfs
somehow :-)
--Chris
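
Added example, not part of the original post: a shell check that an sshd_config carries the two settings recommended in the message above. The function names and the sample config are constructed for illustration; it assumes whitespace-separated "Keyword value" lines, reads only the global section (it stops at the first Match block) and does not follow Include directives.

```shell
#!/bin/sh
# Print the effective global value of an sshd_config keyword.
# Keywords are case-insensitive. For single-valued keywords the first
# occurrence wins; repeated AllowUsers lines accumulate.
sshd_value() {  # usage: sshd_value <keyword> <file>
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }     # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }            # ignore per-Match overrides
        key == want {
            $1 = ""; sub(/^[ \t]+/, "")    # keep only the arguments
            if (want == "allowusers") out = out (out == "" ? "" : " ") $0
            else { print; found = 1; exit }
        }
        END { if (!found && out != "") print out }
    ' "$2"
}

# Return 0 only if an AllowUsers list exists and root login is disabled.
check_sshd_hardening() {  # usage: check_sshd_hardening <file>
    rc=0
    users=$(sshd_value AllowUsers "$1")
    root=$(sshd_value PermitRootLogin "$1")
    if [ -z "$users" ]; then
        echo "FAIL: no AllowUsers list set"; rc=1
    else
        echo "OK: ssh logins limited to: $users"
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    else
        echo "OK: root login disabled"
    fi
    return $rc
}

# Constructed sample config (not from a real host). The second
# PermitRootLogin line is ignored because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Only let Fred Guru and Joe Admin in
AllowUsers fred joe
permitrootlogin no
PermitRootLogin yes
EOF
check_sshd_hardening "$sample"
rm -f "$sample"
```

On a live host, "sshd -t" checks the file for syntax errors before the restart; it complements the test login rather than replacing it.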