#1
Hi All,

Can anyone let me know the detailed steps that can be taken to secure a server when it is found that someone (not a user in the system) is trying to log in/hack into the server? I have only the below details.

UNKNOWN_ - ssh Jan 18 09:49 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 29 13:20 ?

Regards
Madhu

#4
E.g.

UNKNOWN_ - ssh Jan 18 09:49 ?

The UNKNOWN means they used an unknown user ID to try and log in, typed an unknown username in. The ? at the end means the system was not able to resolve the hostname of the system the user was trying to log in from. So your system was secure, they did not know (or use) a valid login name. It is probably someone trying to get into the wrong box using a wrong hostname or IP address.

How do you think you could make it more secure?

#5
Duke is right - your server has denied access to someone who didn't use a valid user id. If you want to strengthen your password rules to make hacking more difficult then take a look at aixpert. Recent versions of AIX have this, and it allows you to set a number of security settings on an AIX server. These settings include insecure services (telnet and ftp, for example) and the password rules. As with any change on the server, they may have unintended side effects (such as if people really use ftp), so make sure you understand what it will do before you apply the settings.

__________________
Ross Mather, IBM AIX IT Specialist. That said anything I say here is my own opinion and not anything that you can ever hold against IBM. Ohhh and don't forget that I make mistakes too....

#7
How many of these "UNKNOWN_ - ssh Jan 18 09:49 ?" entries do you have? If there are only 6, someone has got the wrong IP/name to log in. If there are hundreds or thousands of them then you can call it an attack; then I would tune settings like logindelay, logindisable, logininterval, loginreenable and logintimes in the /etc/security/login.cfg file. With the right settings there the attacker will stop soon and go for another target.

Cheers
seth
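
The count asked for in the post above can be scripted. This is an added example, not code from any poster in this thread; it assumes the seven-field layout of the lines in the first post, and the function name `summarize_failed` and the default threshold of 100 (standing in for "hundreds") are illustrative choices.

```shell
#!/bin/sh
# Added example: summarise failed-login records in the format quoted in this thread.
# Assumed field layout (taken from the posted lines):
#   $1 user   $2 "-"   $3 line (ssh)   $4 month   $5 day   $6 HH:MM   $7 source host
# Assumption: on a real system the records would come from the failed-login
# listing the first post was copied from; adjust field numbers if yours differ.

# Constructed sample input: the six records shown in the first post.
SAMPLE='UNKNOWN_ - ssh Jan 18 09:49 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 27 15:32 ?
UNKNOWN_ - ssh Jan 29 13:20 ?'

# summarize_failed [threshold]
# Reads records on stdin and prints one summary line:
#   total           number of failed-login records
#   unknown_user    records where the user name was not a valid account
#   days            distinct calendar days with at least one failure
#   max_per_minute  largest number of failures sharing one timestamp (burst size)
#   verdict         "likely-attack" once total reaches the threshold
summarize_failed() {
    awk -v threshold="${1:-100}" '
        NF >= 7 {
            total++
            if ($1 ~ /^UNKNOWN/) unknown++
            day = $4 " " $5
            if (!(day in days)) { days[day] = 1; ndays++ }
            minute = day " " $6
            if (++permin[minute] > burst) burst = permin[minute]
        }
        END {
            verdict = (total >= threshold) ? "likely-attack" : "low-volume"
            printf "total=%d unknown_user=%d days=%d max_per_minute=%d verdict=%s\n",
                   total, unknown, ndays, burst, verdict
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_failed
```

A burst of several failures in one minute on an otherwise quiet log, as on Jan 27 here, is worth noting even when the total stays below the threshold.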
#9
As I already said: Quote:

Cheers
seth