What you should keep in mind is that you should never allow ROOT to log on remotely. You can disable that in the sshd conf file by changing the "#PermitRootLogin yes" entry to "PermitRootLogin no", then do a restart of sshd. You should always log in as a regular user and then either sudo the privileged commands you want to run or su to root.

Message: 3
Date: Fri, 29 Jan 2010 22:47:26 -0800
From: Jose R R <jose.r.r@xxxxxxxxxxx>
To: General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx>
Subject: Re: help
Message-ID: <a81fae451001292247s1bb3b940i7e7ef28b9bd30c8e@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, Jan 27, 2010 at 9:59 PM, Joy Methew <ml4joy@xxxxxxxxx> wrote:
> Hello all,
>         I am using RHEL 5.3 as my mail server with a real IP. I
> configure my system mostly remotely. The last login on my system was on 27 Jan
> from this IP: 118.129.153.43.
> Then I tried to log in on 28 Jan in the morning, but I couldn't get authenticated as
> root with my last password.
> Then I rebooted the system and reset my password.
> I logged in as root, then I ran the "last" command. I am sending the first 10 lines
> of the last command output... I think someone hacked my system. I am sending the history
> command output.
> Now I have removed the .ssh directory and /var/tmp/*.
>
> Please suggest, what is this??
>
> Thanks
>
> last command output:
> root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
> root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
> root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
> reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
> root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
> root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
> root     pts/2        165.red-79-153-1 Wed Jan 27 22:33 - 22:34  (00:00)
> root     pts/3        165.red-79-153-1 Wed Jan 27 22:32 - 22:33  (00:00)
> root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
> root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)
>
> What is 165.red-79........? This is not my IP.
>
>
> History Output

Here is an interesting twist on the story. On January 29 at 16:01:26 (America/Tijuana time zone, or GMT-8) IP 118.129.153.43 attempted to log into my host using the root username. After a couple (actually 3) of tries it was blocked, and I have notified security@xxxxxxxx and cert@xxxxxxxxxxxx.

Jan 29 16:01:26 [myHost-name] sshd[5758]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43 user=root
Jan 29 16:01:26 [myHost-name] sshd[5760]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5760]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43 user=root
Jan 29 16:01:26 [myHost-name] sshd[5761]: User root from 118.129.153.43 [...]
Jan 29 16:01:26 [myHost-name] sshd[5761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43 user=root
Jan 29 16:01:28 [myHost-name] sshd[5758]: Failed password for invalid user root from 118.129.153.43 port 62771 ssh2
Jan 29 16:01:28 [myHost-name] sshd[5760]: Failed password for invalid user root from 118.129.153.43 port 56897 ssh2
Jan 29 16:01:29 [myHost-name] sshd[5761]: Failed password for invalid user root from 118.129.153.43 port 48669 ssh2

Best Regards.
--
Jose R R
http://www.metztli-it.com
---------------------------------------------------------------------------------------------
IBM Lotus Symphony supported on GNU/Linux, Mac OS, and Windows.
---------------------------------------------------------------------------------------------
Daylight Saving Time in USA & Canada starts: Sunday 08 March 2009
---------------------------------------------------------------------------------------------

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
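The PermitRootLogin change recommended at the top of this thread, as an added shell example (not code from the thread, from Red Hat or from OpenSSH). It assumes a POSIX sh with awk, the usual "Keyword value" syntax in sshd_config (the "Keyword=value" spelling is not handled), and a constructed sample config; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: check and fix PermitRootLogin in an
# sshd_config the way the advice above describes. Assumes POSIX sh + awk and
# the usual "Keyword value" syntax (the "Keyword=value" form is not handled).

# Print the effective PermitRootLogin setting of a config file.
# sshd honours the FIRST active occurrence outside any Match block; a commented
# "#PermitRootLogin yes" only documents the compiled-in default, so a file with
# no active directive reports "default".
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Rewrite the file so its global setting is "PermitRootLogin no":
#   - replace the first active directive outside a Match block, or
#   - insert one just before the first Match block, or
#   - append one if neither exists.
# Commented lines and per-user Match overrides are left untouched.
set_permit_root_login_no() {
    f="$1"
    tmp="$f.tmp.$$"
    awk 'BEGIN { done = 0 }
         tolower($1) == "match" && !done { print "PermitRootLogin no"; done = 1 }
         tolower($1) == "permitrootlogin" && !done { print "PermitRootLogin no"; done = 1; next }
         { print }
         END { if (!done) print "PermitRootLogin no" }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Demo on a constructed config resembling a stock RHEL 5 sshd_config.
demo() {
    cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
    cat > "$cfg" <<'EOF'
# constructed sample, not a real server's file
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    echo "before: $(effective_permit_root_login "$cfg")"   # default (i.e. yes)
    set_permit_root_login_no "$cfg"
    echo "after:  $(effective_permit_root_login "$cfg")"   # no
    rm -f "$cfg"
}
demo
```

On the real file, validate before restarting: `sshd -t` parses /etc/ssh/sshd_config and prints any error, and only then `service sshd restart` (RHEL 5) or `systemctl restart sshd` (newer releases). Keep an existing session open while you do it, and confirm the regular user you will switch to can actually log in and sudo or su before closing it.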
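A first-pass triage of the two artifacts quoted in this thread, Joy's `last` output and Jose's sshd log lines, as an added shell example (not code from either poster). The input is constructed to resemble the thread's lines; 203.0.113.7 is a documentation address standing in for a successful login from an unknown host, and the allowlist of addresses the admin "normally" uses is an assumption, as are all function names.

```shell
#!/bin/sh
# Added example, not part of the thread: a first pass over the two artifacts
# posted above, the `last` output and the sshd auth log. Input is constructed
# (203.0.113.7 is a placeholder); the admin allowlist is an assumption.

# Constructed `last` output. `last` truncates hostnames to 16 characters, which
# is why "165.red-79-153-1" is cut off; `last -i` prints numeric addresses.
LAST_SAMPLE='root     pts/1        117.199.118.234  Thu Jan 28 10:58   still logged in
root     pts/0        117.199.118.234  Thu Jan 28 10:49   still logged in
root     tty1                          Thu Jan 28 10:48 - 10:52  (00:04)
reboot   system boot  2.6.18-128.el5PA Thu Jan 28 10:45          (00:25)
root     pts/2        165.red-79-153-1 Thu Jan 28 01:42 - 01:52  (00:09)
root     pts/2        165.red-79-153-1 Wed Jan 27 23:02 - 01:27  (02:25)
root     pts/2        118.129.153.43   Wed Jan 27 22:31 - 22:32  (00:01)
root     pts/2        117.199.114.189  Wed Jan 27 15:47 - 15:51  (00:03)'

# Constructed sshd log lines in the format quoted in the reply.
SSHD_SAMPLE='Jan 29 16:01:26 myhost sshd[5758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.129.153.43 user=root
Jan 29 16:01:28 myhost sshd[5758]: Failed password for invalid user root from 118.129.153.43 port 62771 ssh2
Jan 29 16:01:28 myhost sshd[5760]: Failed password for invalid user root from 118.129.153.43 port 56897 ssh2
Jan 29 16:01:29 myhost sshd[5761]: Failed password for invalid user root from 118.129.153.43 port 48669 ssh2
Jan 29 16:05:02 myhost sshd[5790]: Accepted password for root from 203.0.113.7 port 40100 ssh2'

# Assumption: the addresses the admin actually logs in from.
ADMIN_ALLOWLIST="118.129.153.43 117.199.118.234 117.199.114.189"

# "user host sessions" for every remote (pts/*) session in `last` output on
# stdin. Console (tty*) and reboot records carry no remote host and are skipped.
remote_sessions_by_host() {
    awk '$2 ~ /^pts\// { n[$1 " " $3]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Hosts seen in `last` output (stdin) that are not in the space-separated
# allowlist. Anything printed is a session to explain, not proof of compromise:
# wtmp is writable by root, so cross-check against the sshd log and, ideally,
# logs held off the box.
unknown_login_sources() {
    remote_sessions_by_host | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $2 }' | sort -u
}

# "count source" for sshd "Failed password" lines on stdin, busiest source first.
# "invalid user" means sshd had already decided not to accept that account, so
# these are probing attempts rather than near-misses against a live password.
failed_password_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
         }
         END { for (s in src) print src[s], s }' | sort -rn
}

# "user source method" for every successful login on stdin. Once root's
# password is known to have been changed by someone else, these lines, not the
# failures, are the ones that matter.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") method = $(i + 1)
                 if ($i == "for")      user   = $(i + 1)
                 if ($i == "from")     src    = $(i + 1)
             }
             print user, src, method
         }'
}

echo "== remote sessions per host =="
echo "$LAST_SAMPLE" | remote_sessions_by_host
echo "== sessions from hosts outside the allowlist =="
echo "$LAST_SAMPLE" | unknown_login_sources "$ADMIN_ALLOWLIST"   # 165.red-79-153-1
echo "== failed passwords per source =="
echo "$SSHD_SAMPLE" | failed_password_by_source                  # 3 118.129.153.43
echo "== accepted logins =="
echo "$SSHD_SAMPLE" | accepted_logins                            # root 203.0.113.7 password
```

On a live RHEL 5 box the inputs would be `last -i` (numeric addresses, no truncation) and /var/log/secure; `lastb` reads /var/log/btmp and gives the failed-login view that `last` does not. Treat the result as a list of sessions to explain, not a verdict: a root-level intruder can edit wtmp and /var/log/secure, which is one reason to ship logs to another host.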