[lug] Should I worry about: attempted hacks on boxes?

D. Stimits stimits at comcast.net
Sun Jul 6 15:57:58 MDT 2003

Eric Peers wrote:

> I've got a box on the web which is not publicly
> advertised at this point. But it looks like folks are
> trying to hack it. I've seen weird http requests (code
> red), and attempted logins for ssh. Is there anything
> I should do besides for read my logs periodically for
> this sort of activity? Is there a good toolkit that
> checksums major binaries to see if a system has been
> compromised?
> Do these look enough like attempted hacks? I've
> obviously turned off root logins to my box and
> disabled most other ports (ftp, telnet).
> [log]# more secure.1
> Jul  1 03:57:06 iceaxe sshd[642]: Did not receive
> identification string from
> Jul  1 04:00:24 iceaxe sshd[654]: Did not receive
> identification string from
> Jul  3 22:01:15 iceaxe sshd[13243]: Did not receive
> identification string from
> the first logins are from a machine in poland. The 2nd
> is from somewhere in china? Me & my girlfriend are the
> only ones logging into the box right now, and I know
> we're not in china or poland. Should I worry about
> these?

I just finished reading the book on snort, which is a rather impressive 
intrusion detection system, you may wish to check it out.

IMHO, the absolutely most important thing you can do is keep your 
software up to date. If it is redhat, get a KRUD subscription, and/or 
get on the redhat security advisory email list, and *quickly* download 
announced updates from ftp://updates.redhat.com.

D. Stimits, stimits AT comcast DOT net

More information about the LUG mailing list