I will find chkrootkit and the other utilities you mentioned and check them out.
I wondered about the lastlog error also. I will research it as well.
I thought I could configure ssh to prevent root access (I never login root remotely anyway). I will also limit su to a single user.
Thanks again for the great information.
Jon
Different distributions have different security measures enabled by default. There are several other things you can do in addition to the hosts.allow/deny you've already set up. You can configure sshd to not allow root login from ssh. You can also set up your system to only allow a certain user (or users) to use su, which helps 'limit liability' if a user's account is compromised. And why is /var/log/lastlog missing on your system? Does wtmp still exist? I'd be sure to run the most recent version of chkrootkit on your system, and the small myriad of other rootkit checkers that are out there (too lazy to google it myself at the moment ;-) )
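The two sshd/su hardening steps suggested in the reply above, as an added example that is not part of the original thread: a small POSIX sh script that sets `PermitRootLogin no` (and, as an extra, a lower `MaxAuthTries`) in sshd_config and puts `pam_wheel.so` at the top of the su PAM stack so only members of the wheel group can su. The file paths are the usual Linux ones and are assumptions; they can be overridden through the `SSHD_CONFIG` and `PAM_SU` variables, and the functions take the file as an argument so they can be tried on a copy before touching the real files.

```shell
#!/bin/sh
# Added example, not code from the original thread. Applies the hardening the
# reply describes: no root login over ssh, and su restricted to the wheel group.
# Paths are assumptions (standard Linux locations); override via environment.
# Run as:  sh harden.sh apply   (needs root for the real files; then reload sshd)

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PAM_SU="${PAM_SU:-/etc/pam.d/su}"

# set_sshd_option FILE KEY VALUE
# Rewrite every existing KEY line (commented out or not) as "KEY VALUE", or
# append one if the key is absent. Running it twice leaves the file unchanged.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        # write to a temp file first so a failed sed cannot truncate the config
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value sshd will use: the first uncommented match (sshd takes the
# first occurrence of a keyword), case-insensitive like sshd itself.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# restrict_su FILE
# Put the pam_wheel line first in the su stack so that a compromised ordinary
# account cannot even attempt su unless it is in the wheel group.
restrict_su() {
    file=$1
    line='auth       required     pam_wheel.so use_uid'
    grep -q 'pam_wheel.so' "$file" && return 0     # already restricted
    { printf '%s\n' "$line"; cat "$file"; } > "$file.tmp" && mv "$file.tmp" "$file"
}

if [ "${1:-}" = "apply" ]; then
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    set_sshd_option "$SSHD_CONFIG" MaxAuthTries 3
    restrict_su "$PAM_SU"
    echo "PermitRootLogin is now: $(get_sshd_option "$SSHD_CONFIG" PermitRootLogin)"
    echo "Reload sshd for the change to take effect (and keep this session open until you have tested a new login)."
fi
```

Before applying it to the real `/etc/pam.d/su`, make sure the account you administer from is actually in the wheel group; otherwise you lock yourself out of root on the console as well as over ssh.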
On Thu, 21 Oct 2004 08:14:06 -0400 (EDT), Jon Moss jon.moss@cnonline.net wrote:
My secure log (below) seems to indicate that someone is trying to hack into one of my Linux servers.
I only have my Linux workstation's SSH port forwarded through my hardware firewall router. The other server (the church one) does not have anything except the HTTP port (and a non-standard one at that) forwarded.
I will probably change my root password. I only have five user accounts on the Linux workstation (none of which are root equivalents).
What else should I do? Can I change the configuration of SSH to prevent repeated attempts from the same IP address?
This message was scanned by GatewayDefender 11:48:19 AM ET - 10/21/2004
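Jon's secure log is not included in the thread, so as an added example (not part of the original mail) here is a small script that does the first thing a defender wants from such a log: count failed sshd logins per source address and list which account names were tried. It works on the syslog lines sshd wrote at the time (`Failed password for [illegal user] NAME from IP port N ssh2`); the sample log below is constructed with documentation addresses, not Jon's real log.

```shell
#!/bin/sh
# Added example, not code from the original thread. Summarises failed ssh
# logins per source address from a /var/log/secure style file.
# Usage:  sh sshfail.sh demo        (uses the constructed sample below)
#         failed_by_ip /var/log/secure   (after sourcing this file)

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges). Five failures from one address, one failure and one success from another.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 21 07:58:51 ws sshd[2203]: Failed password for illegal user test from 203.0.113.7 port 4411 ssh2
Oct 21 07:58:55 ws sshd[2205]: Failed password for illegal user guest from 203.0.113.7 port 4412 ssh2
Oct 21 07:58:59 ws sshd[2207]: Failed password for illegal user admin from 203.0.113.7 port 4413 ssh2
Oct 21 07:59:03 ws sshd[2209]: Failed password for root from 203.0.113.7 port 4414 ssh2
Oct 21 07:59:07 ws sshd[2211]: Failed password for root from 203.0.113.7 port 4415 ssh2
Oct 21 08:02:10 ws sshd[2230]: Failed password for jon from 198.51.100.2 port 1022 ssh2
Oct 21 08:02:20 ws sshd[2230]: Accepted password for jon from 198.51.100.2 port 1022 ssh2
EOF

# failed_by_ip LOGFILE
# Prints "COUNT IP", busiest source first. Only sshd "Failed password" records
# count; "Accepted" lines and other daemons are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ips_over_threshold LOGFILE N
# Sources with more than N failures: candidates for a hosts.deny entry or a
# firewall rule, once you have checked they are not one of your own hosts.
ips_over_threshold() {
    failed_by_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# targeted_accounts LOGFILE
# Which user names were tried, with counts. "illegal user"/"invalid user"
# marks names that do not exist on the box; repeated failures against a real
# account are the ones worth following up with a password change.
targeted_accounts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") { j = i + 1; break }
            if ($j == "illegal" || $j == "invalid") j += 2
            n[$j]++
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

if [ "${1:-}" = "demo" ]; then
    echo "Failed logins per source:";  failed_by_ip "$SAMPLE_LOG"
    echo "Sources with more than 3 failures:"; ips_over_threshold "$SAMPLE_LOG" 3
    echo "Accounts tried:";            targeted_accounts "$SAMPLE_LOG"
fi
```

On the sample this reports 5 failures from 203.0.113.7 (the only source over the threshold), with root the most-tried name, and one failure from 198.51.100.2 that is followed by a successful login, which is the pattern of a real user mistyping a password rather than a scan. Addresses from the first list are what you would feed into hosts.deny or the router's filter, as the reply above suggests.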