> > > >I just tried to log into my local Gentoo router/firewall system and I
> > > > got this:
> > > >
> > > >ssh_exchange_identification: Connection closed by remote host
> > > >
> > > >From Google, it looks like it's a problem caused by too many ssh
> > > >connections, but that system should only ever be logged into by me,
> > > >and I hadn't logged in for at least 12 hours. I checked the sshd logs
> > > >and they're suspiciously empty. Just a few lines per day in there.
> > > >Does this seem like enough to wipe the machine over?
> > > >
> > > >- Grant
> > >
> > > I don't think it is a reason to panic.
> >
> > Why not?
> >
> > > But why do you say it can be logged into by you?
> >
> > I just mean that it's my system and no one else should be in there.
> >
> > > I'm assuming you are using only ssh key (no password); do you run port
> > > knocking? (you should).
> >
> > I do have a password and I don't run port knocking but I'll check that out.
>
> I'm not sure if you would get some message like the one you report if you have
> entered an incorrect passwd and you are using pam. General rules apply here,
> e.g. use chkrootkit, rkhunter, lsof, etc., to see if something *obvious* is
> lurking in the background. Alternatively, hook up a hub on the LAN in
> promiscuous mode and listen in to the traffic from/to this box. Within a
> couple of days something that shouldn't be there would probably rear its
> head.
>
> Assuming that you are the only legit user, that your passwd is reasonably
> strong (random alpha-numeric chars & symbols) and long (more than 10 should
> be safe enough, although the longer the better), and that you do not rotate
> your logs every couple of hours, you should feel relatively comfortable.
> That said, what do you see in the rotated logs?
>
> Besides port knocking in your future system (or this one if you are sticking
> with it) consider trying out fail2ban, or doing away with passwd
> authentication altogether. Where I can, I only allow pubkey authentication
> and disable passwd authentication and pam.

Alright, thanks Mick.

- Grant
-- 
gentoo-user@g.o mailing list
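As an added example (not code from the thread or from any of its participants), the script below audits an sshd_config for the hardening Mick recommends (pubkey-only, password authentication and PAM off) and reports MaxStartups, the sshd option behind the "too many connections" explanation Grant found for the ssh_exchange_identification message. The function names and the two sample config files are constructed for this example; the keywords are real OpenSSH sshd_config options. It assumes POSIX sh with awk and mktemp, and it does not parse Match blocks; on the real router, `sshd -T` prints the fully resolved configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the thread.
# Function names and the sample configs are constructed; keywords are real.
set -eu

# Effective value of one keyword. sshd honours the FIRST non-comment
# occurrence, so a hardened line appended at the bottom of the file is dead
# if the keyword already appears above it. Match blocks are not parsed here;
# use `sshd -T` on the real host for the fully resolved configuration.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }          # comments, blank lines
        tolower($1) == "match"     { exit }          # stop at first Match block
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# One report line per keyword: ok / WEAK / UNSET. "unset" is reported because
# it means the compiled-in default (which varies by OpenSSH version) decides.
check_opt() {
    file=$1 key=$2 want=$3
    val=$(sshd_effective "$file" "$key")
    if [ -z "$val" ]; then
        printf 'UNSET %-32s (sshd default applies; set it to %s)\n' "$key" "$want"
    elif [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ]; then
        printf 'ok    %-32s %s\n' "$key" "$val"
    else
        printf 'WEAK  %-32s %s (want %s)\n' "$key" "$val" "$want"
    fi
}

audit_sshd_config() {
    f=$1
    check_opt "$f" PubkeyAuthentication yes
    check_opt "$f" PasswordAuthentication no
    # keyboard-interactive is a second password path when PAM is enabled
    check_opt "$f" ChallengeResponseAuthentication no
    check_opt "$f" UsePAM no
    check_opt "$f" PermitRootLogin no
    # MaxStartups is "start:rate:full". Once `start` connections are waiting
    # to authenticate, sshd begins closing new ones before the version
    # exchange, and the client prints exactly
    # "ssh_exchange_identification: Connection closed by remote host".
    ms=$(sshd_effective "$f" MaxStartups)
    printf 'info  %-32s %s\n' MaxStartups "${ms:-unset (sshd default applies)}"
}

# Number of WEAK findings, for scripting (0 means nothing to fix).
weak_count() {
    audit_sshd_config "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# Constructed sample: a box that still takes passwords. The hardened
# PasswordAuthentication line at the end is dead; the earlier "yes" wins.
SAMPLE_WEAK=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
# sshd_config (constructed example, weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# Constructed sample: the same host after following the advice in the thread.
SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
# sshd_config (constructed example, hardened)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
MaxStartups 10:30:60
EOF
trap 'rm -f "$SAMPLE_WEAK" "$SAMPLE_HARDENED"' EXIT

echo "== weak config =="
audit_sshd_config "$SAMPLE_WEAK"
echo "== hardened config =="
audit_sshd_config "$SAMPLE_HARDENED"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` and compare with `sshd -T`; the first-occurrence rule is why the two can disagree with what an editor shows. Disabling password and PAM authentication only helps if every account that matters already has a key in its authorized_keys, so test a second session with the new settings before closing the one you are logged in on.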