Questions concerning Security Log

Paul Howarth paul at city-fan.org
Fri Apr 8 07:33:00 UTC 2005


On Thu, 2005-04-07 at 22:57 +0300, Dotan Cohen wrote:

Please don't send replies to me *and* the list; I read the list and
don't need two copies of replies.

> On Apr 7, 2005 12:08 PM, Paul Howarth <paul at city-fan.org> wrote:
> > Dotan Cohen wrote:
> > > Thanks. I tried to edit /etc/ssh/sshd_config and found that it is
> > > either empty or does not exist. In emacs I just get a blank screen. So
> > > maybe I don't even have ssh on this computer? I did a FC3 desktop
> > > installation.
> > 
> > Do you have openssh-server installed?
> > 
> > $ rpm -qa 'openssh*'
> > 
> > It sounds a bit strange that you should have sshd alert messages in your
> > logs if you're not running an ssh server.
> > 
> > See also what's listening on your ssh port:
> > # netstat -nalp | grep :22
> > 
> > >>3. Consider turning off password authentication altogether and using
> > >>certificates instead.
> > >
> > > I will look into this. As far as I can see, I would need to purchase a
> > > certificate?
> > 
> > No, you generate them yourself.
> > 
> > There's an introduction at:
> > http://www.everything2.com/index.pl?node=OpenSSH
> > 
> > Paul.
> > 
> 
> > Do you have openssh-server installed?
> > $ rpm -qa 'openssh*'
> 
> I got nothing in return. After some time thinking, the prompt returned.
> 
> 
> > It sounds a bit strange that you should have sshd alert messages in your
> > logs if you're not running an ssh server.
> > See also what's listening on your ssh port:
> > # netstat -nalp | grep :22
> 
> I got this:
> tcp        0      0 :::22                       :::*                        LISTEN      4428/sshd
> 
> I pasted it as it is into google and got no results, but I did not go
> digging any deeper. I figure it would be best to ask here what this
> means.

You have an ssh server listening but it does not appear to be the Fedora
openssh server, since the RPM is not installed. Normally I would expect
someone running a non-standard server to know about it...

What's in your /etc/rc.d/init.d directory? Anything relating to sshd or
sshd? If you'd got an initscript there, try figuring out which package
(if any) it came from:

$ cd /etc/rc.d/init.d
$ rpm -qf *ssh*

> Just a little question. For the rpm you used $ as the prompt sign, but
> for the netstat you used #. Any difference between them, in your
> usage?

As Jeff answered earlier, this is how I (and many other people)
distinguish commands that can or should be run as a regular user, and
those that should be run as root. Running netstat as root provides extra
information compared with running it as a regular user.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
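
Added example, not part of the original message or of any Fedora tooling: a shell sketch of the triage described above, which finds the process listening on the ssh port, resolves it to its executable, and asks rpm which package owns that file. The function names, the `--live` switch and the two extra sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: trace a listener on the ssh port to its binary and owning RPM.

# Constructed sample of `netstat -nalp` output; the :::22 line is the one
# quoted in the thread, the other two are made up to exercise the filter.
SAMPLE='tcp        0      0 0.0.0.0:2200       0.0.0.0:*          LISTEN      991/other
tcp        0      0 :::22              :::*               LISTEN      4428/sshd
tcp        0      0 10.0.0.5:51000     10.0.0.9:22        ESTABLISHED 5000/ssh'

# Read netstat output on stdin, print "PID PROGRAM" for each TCP socket
# listening on exactly port $1 (a plain `grep :22` also matches :2200
# and outbound connections to port 22).
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # port is the last field, also for :::22
            if (a[n] != port) next
            split($7, p, "/")            # PID/Program; "-" unless run as root
            sub(/:$/, "", p[2])
            if (p[1] ~ /^[0-9]+$/) print p[1], p[2]
            else print "unknown", "unknown"
        }'
}

# Print the executable behind a PID and what `rpm -qf` says about it.
owning_package() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || exe=""
    if [ -z "$exe" ]; then
        echo "exe-unreadable"            # no such PID, or not root
    elif command -v rpm >/dev/null 2>&1; then
        printf '%s: %s\n' "$exe" "$(rpm -qf "$exe" 2>&1)"
    else
        printf '%s: rpm-not-available\n' "$exe"
    fi
}

# Live run (as root): sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    netstat -nalp 2>/dev/null | listeners_on_port 22 |
    while read -r pid prog; do
        echo "$prog (pid $pid) -> $(owning_package "$pid")"
    done
fi
```

An rpm answer that the file is not owned by any package corresponds to the situation in this thread: a running sshd that did not come from the distribution's openssh-server RPM.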



