Carl,

On Wednesday 03 January 2007 08:51, Carl Hartung wrote:
On Wednesday 03 January 2007 10:38, Randall R Schulz wrote: <snipped an *awesome* reply for my 'kit bag'>
Thanks a lot Randall, I really appreciate the feedback.
I'm booted into a fresh 10.2 right now and 'who' works as expected.
The problem is I can't remember how long ago it was I interrupted an actual break-in into my 10.0 system. Someone 'cracked' <roll eyes> the ISP-supplied DSL modem 'Admin' 'Password' hurdle and logged into my box via ssh. (I honestly didn't even know this existed! It was delivered as a 'modem'... the routing functions weren't discussed anywhere in the supplied literature and the default config had the built-in NAT-based firewall turned *off*!)
Any good router or modem that is smart enough to have an administrative interface should have an option to prevent logging in from the outside (the "wild" Internet) and to accept administrative logins and commands only from the interior side. Unless you really need to do remote administration, you should find and disable the remote administrative access entirely.
This is when I discovered that 'who' wasn't working correctly and suspected someone was logged in, I immediately physically severed the net connection at the modem and upgraded everything to *really long* passwords plus a very complex router 'Admin' name.
The utmp corruption could well have been a deliberate attempt to obscure the intruder's presence.
I also disabled remote root logins into my box and installed rkhunter. All subsequent scans have been either 'OK' or 'clean'.
I never see unusual network activity at the router LEDs or in ntop or netstat, but I haven't been able to restore 'who' to its former glory and my confidence level in the security of that installation isn't back to normal.
Utmp and wtmp only record successful logins. You can see failed attempts, including ssh attempts, in /var/log/messages.
So, thanks again for the clues, Randall. Much appreciated!
Pro noblemo.
Carl
RRS
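An added example, not from Randall's or Carl's messages, of the point about utmp versus /var/log/messages: it parses constructed sshd syslog lines (hostname and addresses are made up, and the classic "Failed password for ... from ..." line format is assumed), counts the failed attempts that utmp/wtmp never record, and flags a successful login from a source that was also guessing passwords.

```python
import re
from collections import Counter

# Constructed sample of sshd lines as written to /var/log/messages via syslog.
# Hostname and addresses are invented; the guess-then-succeed run from
# 203.0.113.7 is the pattern 'who' alone would never show.
SAMPLE_MESSAGES = """\
Jan  3 02:11:07 linux sshd[4312]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan  3 02:11:09 linux sshd[4312]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan  3 02:11:12 linux sshd[4318]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan  3 02:12:01 linux sshd[4325]: Accepted password for root from 203.0.113.7 port 51251 ssh2
Jan  3 09:30:44 linux sshd[5120]: Accepted publickey for carl from 192.168.1.10 port 40022 ssh2
"""

# Matches both outcomes; "invalid user" is an optional prefix on the username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(text):
    """Return one dict per sshd authentication line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(events):
    """Failed attempts counted per (source, user); accepted logins as a list."""
    failed = Counter()
    accepted = []
    for e in events:
        if e["result"] == "Failed":
            failed[(e["src"], e["user"])] += 1
        else:
            accepted.append((e["ts"], e["user"], e["src"], e["method"]))
    return failed, accepted

def suspicious_successes(events):
    """Successful logins from a source address that also produced failures."""
    failed, accepted = summarize(events)
    noisy_sources = {src for (src, _user) in failed}
    return [a for a in accepted if a[2] in noisy_sources]

if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_MESSAGES)
    failed, accepted = summarize(ev)
    for (src, user), n in failed.most_common():
        print(f"{n:3d} failed  {user}@{src}")
    for ts, user, src, method in suspicious_successes(ev):
        print(f"SUSPICIOUS: {ts} {user} from {src} via {method} after failures")
```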