That was one of the points I made in my original (and it seems, heavily chopped when someone responded to my response) response to someone who had their root account compromised. They included an excerpt from their warn and messages files which showed what appeared to be a dictionary attack on root, which eventually succeeded. The individual then proceeded to make another account for themselves on the machine and also apparently changed the root password... One of my suggestions was to deny root login via telnet. Another was to NOT use words in the password for root, but instead use randomized alpha-numerics. Of course denying access to that particular domain (the log showed two different IPs from the same domain, so it MAY be a dumb-ass who doesn't know how to spoof their IP doing a "script attack") may also be an option... Strangely enough MY system has yet to be compromised, though it isn't available on the net 24/7 either. It DOES have dialin capability though...
I thought the normal procedure was to telnet in, then su root, as opposed to directly telnetting in as root.
Someone please clarify!
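The warn/messages excerpt described above (a run of failed root logins from two hosts in one domain, then a successful root login) is exactly the pattern a small log check can surface. The following is an added example, not code from anyone in this thread; the log line format is assumed to resemble the classic util-linux login messages and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a 1990s Linux /var/log/messages.
# The exact wording is an assumption; adjust FAILED/ROOT_OK for your login version.
SAMPLE_LOG = """\
Dec  1 02:10:01 box login[812]: FAILED LOGIN 1 FROM (a.example.net) FOR root, Authentication failure
Dec  1 02:10:03 box login[812]: FAILED LOGIN 2 FROM (a.example.net) FOR root, Authentication failure
Dec  1 02:10:05 box login[812]: FAILED LOGIN 3 FROM (a.example.net) FOR root, Authentication failure
Dec  1 02:10:09 box login[815]: FAILED LOGIN 1 FROM (b.example.net) FOR root, Authentication failure
Dec  1 02:10:11 box login[815]: FAILED LOGIN 2 FROM (b.example.net) FOR root, Authentication failure
Dec  1 02:10:14 box login[815]: FAILED LOGIN 3 FROM (b.example.net) FOR root, Authentication failure
Dec  1 02:10:20 box login[820]: ROOT LOGIN ON ttyp2 FROM b.example.net
Dec  1 09:00:00 box login[901]: FAILED LOGIN 1 FROM (home.isp.net) FOR alice, Authentication failure
"""

FAILED = re.compile(r"FAILED LOGIN \d+ FROM \(([^)]+)\) FOR (\S+),")
ROOT_OK = re.compile(r"ROOT LOGIN ON \S+ FROM (\S+)")


def domain_of(host):
    """Collapse a hostname to its parent domain so sibling hosts count together."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) > 2 else host


def analyse(log_text, threshold=5):
    """Count failed root logins per domain; flag domains that exceeded the
    threshold and were then seen logging in as root (the thread's scenario)."""
    failures = defaultdict(int)
    successes = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m and m.group(2) == "root":
            failures[domain_of(m.group(1))] += 1
            continue
        m = ROOT_OK.search(line)
        if m:
            successes.add(domain_of(m.group(1)))
    flagged = sorted(d for d, n in failures.items() if n >= threshold and d in successes)
    return dict(failures), flagged


if __name__ == "__main__":
    counts, flagged = analyse(SAMPLE_LOG)
    for domain, n in counts.items():
        print(f"{domain}: {n} failed root logins")
    print("brute-forced then logged in as root:", flagged)
```

Run it against a real messages file with `analyse(open("/var/log/messages").read())`; a flagged domain is a candidate for a tcpd deny rule and a root password reset.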
On Tue, 1 Dec 1998, Torvald Baade Bringsvor wrote:
On Tue, 1 Dec 1998 wizard01@impop.bellatlantic.net wrote:
On several occasions, somebody has managed to break into my networked SuSE Linux box and do some damage. On two occasions, the damage has made it impossible for me to log in to my own site.
If you *have* to enable root logins (not likely), please study the man pages of tcpd, and see if you can use it to limit the number of hosts who can log into your server.
-Torvald
- To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e