> > > > I just tried to log into my local Gentoo router/firewall system and I
> > > > got this:
> > > >
> > > > ssh_exchange_identification: Connection closed by remote host
> > > >
> > > > From Google, it looks like it's a problem caused by too many ssh
> > > > connections, but that system should only ever be logged into by me,
> > > > and I hadn't logged in for at least 12 hours. I checked the sshd logs
> > > > and they're suspiciously empty. Just a few lines per day in there.
> > > > Does this seem like enough to wipe the machine over?
> > > >
> > > > - Grant
> > >
> > > I don't think it is a reason to panic.
> >
> > Why not?
> >
> > > But why do you say it can be logged into by you?
> >
> > I just mean that it's my system and no one else should be in there.
> >
> > > I'm assuming you are using only ssh key (no password); do you run port
> > > knocking? (you should).
> >
> > I do have a password and I don't run port knocking but I'll check that out.
>
> I'm not sure if you would get some message like the one you report if you have
> entered an incorrect passwd and you are using pam. General rules apply here,
> e.g. use chkrootkit, rkhunter, lsof, etc., to see if something *obvious* is
> lurking in the background. Alternatively, hook up a hub on the LAN in
> promiscuous mode and listen into the traffic from/to this box. Within a
> couple of days something that shouldn't be there would probably rear its
> head.
>
> Assuming that you are the only legit user, that your passwd is reasonably
> strong (random alpha-numeric chars & symbols) and long (more than 10 should
> be safe enough, although the longer the better), and that you do not rotate
> your logs every couple of hours, you should feel relatively comfortable.
> That said, what do you see in the rotated logs?
>
> Besides port knocking in your future system (or this one if you are sticking
> with it) consider trying out fail2ban, or doing away with passwd
> authentication altogether. Where I can, I only allow pubkey authentication
> and disable passwd authentication and pam.

Alright, thanks Mick.

- Grant
-- 
[EMAIL PROTECTED] mailing list
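
The advice in the thread above (pubkey only, with passwd authentication and pam disabled) can be checked against an sshd_config file. The following is an added example, not code from any poster in the thread; the sample configs are constructed, the defaults are upstream OpenSSH's (distribution builds may differ), and only the global section before the first `Match` block is audited.

```python
# Added example: audit sshd_config text for the pubkey-only setup described in the thread.
# Assumption: upstream OpenSSH defaults; a distribution may compile in different ones.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Older configs use the deprecated name for keyboard-interactive authentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {**DEFAULTS, "passwordauthentication": "no", "kbdinteractiveauthentication": "no"}

def effective_settings(config_text):
    """Global settings as sshd sees them: the FIRST value given for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks follow; this audit covers the global section only
        key = ALIASES.get(key, key)
        if key in DEFAULTS and key not in seen:
            seen[key] = parts[1].split()[0].strip('"').lower()
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return one finding per setting that differs from the pubkey-only target."""
    eff = effective_settings(config_text)
    return sorted(f"{k} is '{eff[k]}', want '{v}'" for k, v in WANTED.items() if eff[k] != v)

# Constructed sample: the later "PasswordAuthentication no" is ignored (first value wins),
# and keyboard-interactive is never mentioned, so it stays at its default of yes.
WEAK = """\
PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
"""
# Constructed sample of the pubkey-only configuration.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.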