  1. #1
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471

    Access attempts


    Hi, I'm using Slackware 10 and I was wondering if there is a way to disable remote access. I use it as a personal OS and there's really no need for it in my case. The reason I wish to disable it is the series of access attempts that have been made on this machine; luckily all have failed so far. Here is a small sample.

    Code:
    Jan 31 11:40:43 excaliber sshd[2375]: Failed password for illegal user web from 200.27.232.100 port 53241 ssh2
    Jan 31 11:40:45 excaliber sshd[2377]: Illegal user oracle from 200.27.232.100
    Jan 31 11:40:45 excaliber sshd[2377]: Failed password for illegal user oracle from 200.27.232.100 port 53347 ssh2
    Jan 31 11:40:47 excaliber sshd[2379]: Illegal user sybase from 200.27.232.100
    Jan 31 11:40:47 excaliber sshd[2379]: Failed password for illegal user sybase from 200.27.232.100 port 53608 ssh2
    Jan 31 11:40:49 excaliber sshd[2381]: Illegal user master from 200.27.232.100
    Jan 31 11:40:49 excaliber sshd[2381]: Failed password for illegal user master from 200.27.232.100 port 53745 ssh2
    Jan 31 11:40:51 excaliber sshd[2383]: Illegal user account from 200.27.232.100
    Jan 31 11:40:51 excaliber sshd[2383]: Failed password for illegal user account from 200.27.232.100 port 53910 ssh2
    Jan 31 11:40:53 excaliber sshd[2385]: Illegal user backup from 200.27.232.100
    Jan 31 11:40:53 excaliber sshd[2385]: Failed password for illegal user backup from 200.27.232.100 port 54186 ssh2
    Jan 31 11:40:54 excaliber sshd[2387]: Illegal user server from 200.27.232.100
    Jan 31 11:40:54 excaliber sshd[2387]: Failed password for illegal user server from 200.27.232.100 port 54301 ssh2
    Jan 31 11:40:56 excaliber sshd[2389]: Illegal user adam from 200.27.232.100
    Jan 31 11:40:56 excaliber sshd[2389]: Failed password for illegal user adam from 200.27.232.100 port 54568 ssh2
    Jan 31 11:40:58 excaliber sshd[2391]: Illegal user alan from 200.27.232.100
    Jan 31 11:40:58 excaliber sshd[2391]: Failed password for illegal user alan from 200.27.232.100 port 54707 ssh2
    Jan 31 11:41:00 excaliber sshd[2393]: Illegal user frank from 200.27.232.100
    Jan 31 11:41:02 excaliber sshd[2395]: Illegal user george from 200.27.232.100
    Jan 31 11:41:02 excaliber sshd[2395]: Failed password for illegal user george from 200.27.232.100 port 55131 ssh2
    Jan 31 11:41:04 excaliber sshd[2397]: Illegal user henry from 200.27.232.100
    Jan 31 11:41:04 excaliber sshd[2397]: Failed password for illegal user henry from 200.27.232.100 port 55192 ssh2
    Jan 31 11:41:11 excaliber sshd[2401]: Illegal user john from 200.27.232.100
    Jan 31 11:41:11 excaliber sshd[2401]: Failed password for illegal user john from 200.27.232.100 port 55812 ssh2
    Jan 31 11:41:13 excaliber sshd[2405]: Failed password for root from 200.27.232.100 port 56088 ssh2
    Jan 31 11:41:15 excaliber sshd[2407]: Failed password for root from 200.27.232.100 port 56194 ssh2
    Jan 31 11:41:17 excaliber sshd[2409]: Failed password for root from 200.27.232.100 port 56487 ssh2
    Jan 31 11:41:18 excaliber sshd[2411]: Failed password for root from 200.27.232.100 port 56614 ssh2
    Jan 31 11:41:20 excaliber sshd[2413]: Failed password for root from 200.27.232.100 port 56783 ssh2
    Jan 31 11:41:22 excaliber sshd[2415]: Illegal user test from 200.27.232.100
    Jan 31 11:41:22 excaliber sshd[2415]: Failed password for illegal user test from 200.27.232.100 port 57042 ssh2
    Any help on this matter would be greatly appreciated.

  2. #2
    Just Joined!
    Join Date
    Nov 2004
    Location
    Vienna, Austria
    Posts
    10

    access attempts

    Hi!

    I saw - nobody answered so far to your request, and so I wanna tell ya what I would do ...

    It's an interesting thing to find out what ports are open, isn't it?
    First of all, the portmapper must run

    code (as user root):
    cd /etc/rc.d
    chmod 755 ./rc.portmap
    ./rc.portmap start

    nmap localhost

    now you will see, what ports are open!

    e.g. if ssh port is open, just stop rc.sshd-daemon, and then chmod rc.sshd to 644 (so it will not be started during next reboot)! Same you can do with other daemons that are opening doors -

    of course you will stop rc.portmap again and change its modes!

    Last tip by now ...

    edit your startx (best with vi)

    which startx
    vi /usr/X11R6/bin/startx

    and there you will find

    serverargs=""

    and here you enter

    serverargs="-nolisten tcp"


    hope that helps you further!

    greetings from vienna

  3. #3
    Just Joined!
    Join Date
    Jan 2005
    Posts
    68
    Hi, this is off-topic, sorry.

    But....

    You have me a little paranoid here.

    Which log did you look at and how to check for such activity??

    Thanks much

  4. #4
    Just Joined!
    Join Date
    Nov 2004
    Location
    Vienna, Austria
    Posts
    10
    >Jammin1984 wrote:
    >Hi, this is off-topic, sorry.

    hmmm ... well, I would check first my doors ...

    >But....

    >You have me a little paranoid here.
    There is no need for that! You are not working on a MS Windows Box, are you?

    >Which log did you look at and how to check for such activity??

    The same like you -
    e.g.
    Code:
    dmesg
    But you also may check the messages ...

    so, read again above what I said before just to check your "doors" - are you behind a firewall (from your ISP, company ...)

  5. #5
    Just Joined!
    Join Date
    Jan 2005
    Posts
    68
    I'm behind my uni's firewall, which is silly locked down....

    Would still be easy enough for someone on my LAN tho.

    Thanks

  6. #6
    Linux Guru sdousley's Avatar
    Join Date
    Feb 2004
    Posts
    1,790
    It looks like people are trying to get into your computer over ssh. Notice the sshd[number] after excaliber.

    If you want to stop the ssh daemon straight away run

    Code:
    rc.sshd stop
    but then when you restart your computer it will be running again, so to stop that, look in /etc/init.d/rc3.d

    there's probably a file that symlinks to ../sshd (there is on my computer)

    to find out what links to ../sshd open a shell in /etc/init.d/rc3.d and type:

    Code:
    ls -l *ssh*
    to see that it's a symlink it will look like this:

    lrwxrwxrwx 1 root root 7 Jun 28 2004 S12sshd -> ../sshd
    it's a file called S12sshd pointing to ../sshd

    if you don't want sshd to start at boot, just remove the files that point to ../sshd and it should be ok, then you shouldn't get any more logs for failed auth.
    "I am not an alcoholic, alcoholics go to meetings"
    Registered Linux user = #372327

  7. #7
    Just Joined!
    Join Date
    Jan 2005
    Posts
    68
    This is kind of over my head but since I am always asking for help, gotta try and return the favour.

    Since you're running slackware could you not run pkgtool, go to setup then services and disable it this way??

  8. #8
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471
    Strange, this issue was solved a long time ago as you can see from the date. Not to worry though.

    Quote Originally Posted by Jammin1984
    Hi, this is off-topic, sorry.
    You have me a little paranoid here.
    Which log did you look at and how to check for such activity??
    Thanks much
    The logs that told me of the activity were in /var/log/, in the file called messages. The problem was solved by stopping the ssh service, also stopping some other things not needed like sendmail, installing the firestarter firewall in order to stealth all the ports and control the traffic, and also making sure that X doesn't act as a server and listen on TCP port 6000: you have to type startx -- -nolisten tcp rather than the usual startx. On a graphical login this isn't an issue.

    Quote Originally Posted by Jammin1984
    This is kind of over my head but since I am always asking for help, gotta try and return the favour.

    Since you're running slackware could you not run pkgtool, go to setup then services and disable it this way??
    I prefer to just disable a service rather than remove it completely; in case it's ever needed for future use I won't have to go to the trouble of reinstalling it. These services can be misused but as long as you keep on top of things there's no problem. As you can see from what I posted they tried their damned hardest, but never gained access.

  9. #9
    Linux User Krendoshazin's Avatar
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    471

    Re: access attempts

    Quote Originally Posted by pottibaer
    /usr/X11R6/bin/startx

    and there you will find
    serverargs=""

    and here you enter
    serverargs="-nolisten tcp"
    Thanks, that did the trick. I was looking for a way to do that; now I won't have to use the graphical login or keep typing out the entire command every reboot.
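
Added example (not part of any post in this thread): a shell function that summarises failed SSH password attempts per source address, for log lines in the format quoted in the first post and found in /var/log/messages as described in post #8. The sample log, its addresses and the function names are constructed for illustration; the match also accepts the "invalid user" wording that later OpenSSH releases log.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample log in the format
# quoted in post #1, using documentation addresses.
sample_log() {
    cat <<'EOF'
Jan 31 11:40:45 host sshd[2377]: Illegal user oracle from 198.51.100.7
Jan 31 11:40:45 host sshd[2377]: Failed password for illegal user oracle from 198.51.100.7 port 53347 ssh2
Jan 31 11:40:47 host sshd[2379]: Illegal user sybase from 198.51.100.7
Jan 31 11:40:47 host sshd[2379]: Failed password for illegal user sybase from 198.51.100.7 port 53608 ssh2
Jan 31 11:41:13 host sshd[2405]: Failed password for root from 198.51.100.7 port 56088 ssh2
Jan 31 11:41:15 host sshd[2407]: Failed password for root from 198.51.100.7 port 56194 ssh2
Jan 31 11:41:17 host sshd[2409]: Failed password for root from 198.51.100.7 port 56487 ssh2
Jan 31 12:02:10 host sshd[2500]: Failed password for alice from 192.0.2.10 port 40022 ssh2
Jan 31 12:02:18 host sshd[2500]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
EOF
}

# Reads syslog lines on stdin and prints one line per source address:
#   ip failed unknown_user root first_seen last_seen   (busiest first)
ssh_fail_summary() {
    awk '
    # Count only "Failed password" lines; the separate "Illegal user" line
    # describes the same attempt and would double the totals.
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
    $(NF - 4) == "from" && $(NF - 2) == "port" {
        # Fields are taken by position from the end of the line, because
        # the user name in the middle is chosen by the client.
        ip = $(NF - 3)
        failed[ip]++
        if ($9 ~ /^(illegal|invalid)$/ && $10 == "user") unknown[ip]++
        else if ($9 == "root") root[ip]++
        if (!(ip in first)) first[ip] = $3
        last[ip] = $3
    }
    END {
        for (ip in failed)
            printf "%s %d %d %d %s %s\n", ip, failed[ip], unknown[ip],
                   root[ip], first[ip], last[ip]
    }' | sort -k2,2nr -k1,1
}

# Addresses with at least $1 failed attempts (default 5).
ssh_bruteforce_sources() {
    ssh_fail_summary | awk -v min="${1:-5}" '$2 >= min { print $1 }'
}

sample_log | ssh_fail_summary
```

On a live system the same summary comes from `ssh_fail_summary < /var/log/messages`, run as a user who can read that file.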
