| 1 |
> > > >I just tried to log into my local Gentoo router/firewall system and I |
| 2 |
> > > > got this: |
| 3 |
> > > > |
| 4 |
> > > >ssh_exchange_identification: Connection closed by remote host |
| 5 |
> > > > |
| 6 |
> > > >From Google, It looks like it's a problem caused by too many ssh |
| 7 |
> > > >connections, but that system should only ever be logged into by me, |
| 8 |
> > > >and I hadn't logged in for at least 12 hours. I checked the sshd logs |
| 9 |
> > > >and they're suspiciously empty. Just a few lines per day in there. |
| 10 |
> > > >Does this seem like enough to wipe the machine over? |
| 11 |
> > > > |
| 12 |
> > > >- Grant |
| 13 |
> > > |
| 14 |
> > > I don't think it is a reason to panic. |
| 15 |
> > |
| 16 |
> > Why not? |
| 17 |
> > |
| 18 |
> > > But why do you say it can be logged into by you? |
| 19 |
> > |
| 20 |
> > I just mean that it's my system and no one else should be in there. |
| 21 |
> > |
| 22 |
> > > I'm assuming you are using only ssh key (no password); do you run port |
| 23 |
> > > knocking? (you should). |
| 24 |
> > |
| 25 |
> > I do have a password and I don't run port knocking but I'll check that out. |
| 26 |
> |
| 27 |
> I'm not sure if you would get some message like the one you report if you have |
| 28 |
> entered an incorrect passwd and you are using pam. General rules apply here, |
| 29 |
> e.g. use chkrootkit, rkhunter, lsof, etc., to see if something *obvious* is |
| 30 |
> lurking in the background. Alternatively, hook up a hub on the LAN in |
| 31 |
> promiscuous mode and listen into the traffic from/to this box. Within a |
| 32 |
> couple of days something that shouldn't be there would probably rear its |
| 33 |
> head. |
| 34 |
> |
| 35 |
> Assuming that you are the only legit user, that your passwd is reasonably |
| 36 |
> strong (random alpha-numeric chars & symbols) and long (more than 10 should |
| 37 |
> be safe enough, although the longer the better), and that you do not rotate |
| 38 |
> your logs every couple of hours, you should feel relatively comfortable. |
| 39 |
> That said, what do you see in the rotated logs? |
| 40 |
> |
| 41 |
> Besides port knocking in your future system (or this one if you are sticking |
| 42 |
> with it) consider trying out fail2ban, or doing away with passwd |
| 43 |
> authentication all together. Where I can, I only allow pubkey authentication |
| 44 |
> and disable passwd authentication and pam. |
| 45 |
|
| 46 |
Alright, thanks Mick. |
| 47 |
|
| 48 |
- Grant |
| 49 |
-- |
| 50 |
gentoo-user@g.o mailing list |
Archives