Mailinglist Archive: opensuse (3531 mails)

< Previous Next >
Re: [opensuse] errant 'who' behavior
  • From: Randall R Schulz <rschulz@xxxxxxxxx>
  • Date: Wed, 3 Jan 2007 09:14:27 -0800
  • Message-id: <200701030914.27195.rschulz@xxxxxxxxx>

On Wednesday 03 January 2007 08:51, Carl Hartung wrote:
> On Wednesday 03 January 2007 10:38, Randall R Schulz wrote:
> <snipped an *awesome* reply for my 'kit bag'>
> Thanks a lot Randall, I really appreciate the feedback.
> I'm booted into a fresh 10.2 right now and 'who' works as expected.
> The problem is I can't remember how long ago it was I interrupted an
> actual break-in into my 10.0 system. Someone 'cracked' <roll eyes>
> the ISP-supplied DSL modem 'Admin' 'Password' hurdle and logged into
> my box via ssh. (I honestly didn't even know this existed! It was
> delivered as a 'modem'... the routing functions weren't discussed
> anywhere in the supplied literature and the default config had the
> built-in NAT-based firewall turned *off*!)

Any good router or modem that is smart enough to have an administrative
interface should have an option to prevent logging in from the outside
(the "wild" Internet) and to accept administrative logins and commands
only from the interior side. Unless you really need to do remote
administration, you should find and disable the remote administrative
access entirely.

> This is when I discovered that 'who' wasn't working correctly and
> suspected someone was logged in, I immediately physically severed the
> net connection at the modem and upgraded everything to *really long*
> passwords plus a very complex router 'Admin' name.

The utmp corruption could well have been a deliberate attempt to obscure
the intruder's presense.

> I also disabled remote root logins into my box and installed
> rkhunter. All subsequent scans have been either 'OK' or 'clean'.
> I never see unusual network activity at the router LEDs or in ntop or
> netstat, but I haven't been able to restore 'who' to it's former
> glory and my confidence level in the security of that installation
> isn't back to normal.

Utmp and wtmp only record successful logins. You can see failed
attempts, including ssh attemptws, in /var/log/messages.

> So, thanks again for the clues, Randall. Much appreciated!

Pro noblemo.

> Carl

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >