Hi there,

One of my servers has recently been attacked. It has one remote SSH user which cannot run 'sudo'; I made it like that so that if it was compromised, no-one would be able to do much.
However, someone managed to gain the password to that account on the server, then used "vi /etc/passwd" to gain a list of users, then launched a brute force using su against my admin account (that's what I can gather from the logs). This did not get very far before I saw and kicked the user off and changed all of the passwords, but I would like to know how to prevent this sort of thing happening again.

I need to know mainly how to stop the SSH user running su in the first place and how to stop the user seeing files like /etc/passwd.

Anyone have any suggestions?