Linux - Newbie: This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
In /var/log/messages I've got many lines like these, with a different user name for each pair.
May 17 12:18:04 host21 sshd[mmmmm]: Invalid user magnos from nnn.nnn.nn.n
May 17 12:18:04 host21 sshd[mmmmm]: Failed password for invalid user magnos from nnn.nnn.nn.n port ppppp ssh2
And there are hundreds of these names. These users are not in /etc/passwd. What would the meaning of this be? Bear in mind my machine is connected to the outside world by two and only two channels: the console and my ISP, and that I'm the only one who sits at the console. Thanks for reading.
People are trying to log in to your ssh server, guessing passwords. This procedure is most likely entirely automated on the attacker's part but it's often quite wise to move the ssh listening port from port 22 to something non-standard if your machine is connected to the outside world.
Also, ssh blacklisting/whitelisting allows you to automatically deny all connections from, say, countries other than your own.
A slightly more targeted variant would be to use tools like blockhosts, fail2ban, et al. to deny repeated login-attempts to IPs with e.g. 3 failed attempts for an hour, which makes brute force attacks far less likely to succeed w/o having to permanently block half the world...
Have a look at the sticky about ssh attacks in security.
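The "3 failed attempts from one IP" rule that blockhosts and fail2ban apply can be checked by hand against /var/log/messages. The following is an added example, not from the thread or from either tool: it counts sshd "Failed password" lines per source address and lists the addresses at or above a threshold. The log lines are constructed; the host name, PIDs, user names and 10.0.0.x addresses are made up.

```shell
#!/bin/sh
# Added example: count sshd password failures per source IP in
# /var/log/messages-style lines and report the ones over a threshold.
# Constructed sample log; in practice feed the real file on stdin.
LOG_SAMPLE='May 17 12:18:04 host21 sshd[4321]: Invalid user magnos from 10.0.0.5
May 17 12:18:04 host21 sshd[4321]: Failed password for invalid user magnos from 10.0.0.5 port 50001 ssh2
May 17 12:18:07 host21 sshd[4322]: Invalid user admin from 10.0.0.5
May 17 12:18:07 host21 sshd[4322]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2
May 17 12:18:09 host21 sshd[4323]: Failed password for invalid user test from 10.0.0.5 port 50003 ssh2
May 17 12:19:01 host21 sshd[4330]: Failed password for alice from 10.0.0.9 port 50010 ssh2
May 17 12:19:30 host21 sshd[4331]: Accepted publickey for alice from 10.0.0.9 port 50011 ssh2'

# failed_logins_by_ip THRESHOLD  (log on stdin)
# Prints "count ip", highest count first, for every source address with at
# least THRESHOLD "Failed password" lines. Only the "Failed password" line of
# each pair is counted, so an "Invalid user" line does not double the tally.
failed_logins_by_ip() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' | sort -rn
}

# Against the constructed sample this prints "3 10.0.0.5": the address that
# tried three different accounts crosses the threshold, alice's single typo does not.
printf '%s\n' "$LOG_SAMPLE" | failed_logins_by_ip 3
```

For the real log run `failed_logins_by_ip 3 < /var/log/messages`; the addresses it prints are the candidates a fail2ban-style rule would block for a while.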
Thanks a lot. I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?
That's odd, considering that messages quite clearly states that sshd is running?
Quote:
Originally Posted by ENRIQUESTEFANINI
Tinkster, I'll make a full revision of my distro and see if those programs are there. Thanks very much.
Most welcome.
Quote:
Originally Posted by ENRIQUESTEFANINI
P.S.: by the way: is the practice of addressing members individually wise?
I'm not sure I follow? If you mean contacting individuals via e-Mail, off the board, I can only speak for myself and say that I ignore these requests (not entirely, I will only respond that I don't have the time to take care of those requests on top of my time spent with work, day to day chores and the copious amounts of time I spend on LQ anyway) - others may feel the same (or completely differently).
If you mean something else, please elaborate, or rephrase your question to clarify.
Tinkster: Roger. About the addressing thing, I mean using the member's LQ name (not his real name) in the thread's post.
Take the message you are reading now as an example. If I were to put 'i92guboj' into it and i92guboj were an LQ member, would this be well seen? Namely, does it violate any regulation or increase the probability of the post being rejected by a moderator? I at first said to myself: if the thread is too long, then the style of addressing individually, in the sense indicated above, would end up making me mad and introducing confusion among the other members.
But then I reconsidered, and saw linuxquestions as a chatting site very much like a room where people chat. In that case, it makes sense to address somebody individually, just as people in a room do. That's all, and I hope I have not been too long. Thanks.
I run 'top|grep ssh' and don't see ssh. Possible cause (besides my own ignorance)?
I think "top" isn't the perfect tool for the task. It can show the "top" CPU or memory consumers. When I try your command, top runs indefinitely, until I kill it, and gives no output.
Use, instead,
Code:
ps -C sshd
or, if you like it fancier,
Code:
ps f -fC sshd
(The "f"s are for "forest" and "full", respectively).
Quote:
P.S.: by the way: is the practice of addressing members individually wise?
You're welcome to address me as "Quigi" any time. No, it's not my "given" name, but my pals have been calling me that since gave me the name in elementary school. Unauthoritatively, I think it's appropriate to call people on LQ by whatever moniker they chose for themselves.
How many of the users are authorized to use ssh? If only a few, then you can use "AllowUsers" in /etc/ssh/sshd_config to restrict access to only these users. This is much easier than adding system users to UsersDeny. System users are known and often targets of brute force attacks.
Changing the port that ssh uses will remove many of the script kiddie attacks. Only allowing protocol 2 and using Public Key authentication, and not allowing root logins as well as AllowUsers may discourage more skilled attackers as well.
Sorry for the delay. I inserted the line 'allowusers root' in file sshd_config. Rest of file is entirely commented. But sshd doesn't seem to be reading sshd_config because I rebooted, logged in as a regular user and the system didn't object.
Any hint will be gladly received.
Sorry, there's two problems:
#1: permitting root logins via ssh is one of the most basic mistakes one can make, and considered a MAJOR security flaw. Permit one or two known good user accounts with very secure passwords.
#2: The key-/value-pair is case sensitive. allowusers != AllowUsers
Two things:
#1: I only did it as a test, to see what happened. Later I proved with a regular user's username and again it did not work.
#2: only the value member of the pair is case sensitive, at least in my manual. Anyways, in /etc/ssh/sshd_config I entered, verbatim, AllowUsers xxxxxx.
Errata: I said every entry in this file is commented out. Correction: there's an entry with keyword 'Subsystem' which is uncommented (as it was in the distro).
I admit I have a lot of man pages yet to read. As you have been so kind as to answer my post, I must say I only would like to know this:
Having three users in the system, root, regular_user_1, regular_user_2, and the entry
AllowUsers regular_user_1
in /etc/ssh/sshd_config, why am I able to log in as regular_user_2? I'll also have a look at the LQ-Security forum, which has a sticky thread with references to that matter. Regards.
After modifying sshd_config I rebooted. So, sshd restarted.
I intend to stick to the policy of my distribution, Slackware 12.0 which, out of the box, makes sshd run. But I could temporarily disable it, if someone helps me. Thanks.
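Two things in this thread are worth pinning down in code: the hardening advice (AllowUsers, protocol 2 only, public keys, no root) and the question of what sshd actually takes from an AllowUsers line. Per sshd_config(5), keywords are case-insensitive, arguments are case-sensitive, and for each keyword the first uncommented value wins, so a second AllowUsers line lower down is ignored. The following is an added shell example, not from the thread or from OpenSSH: it writes a hardened fragment to a temporary file, reads values back by those rules, and flags the weak choices discussed above. The file path, port 2222 and the user name regular_user_1 are placeholders.

```shell
#!/bin/sh
# Added example: hardened sshd_config fragment plus a reader that follows
# sshd_config(5): keywords case-insensitive, values case-sensitive, first
# uncommented occurrence wins. Path, port and user name are placeholders.
CONF="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$CONF" <<'EOF'
# sshd rejects trailing comments, so every remark sits on its own line
Port 2222
Protocol 2
# "AllowUsers root" from the thread is replaced by refusing root outright
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyword written in lower case on purpose: sshd still honours it
allowusers regular_user_1
# a later duplicate is ignored by sshd, and by effective_value below
AllowUsers regular_user_2
Subsystem sftp /usr/libexec/sftp-server
EOF

# effective_value KEYWORD FILE -> value of the first uncommented occurrence
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key && !found {
            v = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v); val = v; found = 1
        }
        END { print val }
    ' "$2"
}

# audit_config FILE -> one finding per line; exit status 0 means no finding
audit_config() {
    f="$1"; rc=0
    [ "$(effective_value PermitRootLogin "$f")" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(effective_value Protocol "$f")" = "2" ] ||
        { echo "Protocol is not exactly 2 (protocol 1 still allowed)"; rc=1; }
    [ "$(effective_value PasswordAuthentication "$f")" = "no" ] ||
        { echo "password logins still enabled"; rc=1; }
    users="$(effective_value AllowUsers "$f")"
    [ -n "$users" ] || { echo "AllowUsers missing: every account may log in"; rc=1; }
    case " $users " in *" root "*) echo "AllowUsers lists root"; rc=1;; esac
    return $rc
}

audit_config "$CONF" && echo "no findings in $CONF"
# Before restarting sshd on the real file, let sshd parse it itself:
#   sshd -t -f /etc/ssh/sshd_config   (exit status 0 means it parsed cleanly)
```

If the real file passes both checks and an unlisted user can still log in, the running daemon is not reading that file, which `ps f -fC sshd` (the -f column shows the command line, including any -f path) will confirm.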