Watchdog2 Event?

[chaoszwerg]

hi,

i get the follwoing message from watchdog2:

[01:02:39] WARNING, found: /dev/.udevdb (directory) /etc/.java (directory)
[01:02:41] Warning: root login possible. Change for your safety the 'PermitRootLogin'
[01:02:41] Warning: SSH version 1 possible allowed!


how can i resolve these warnings, are they critical?

thx
oli

 

[eilko]

Originally posted by chaoszwerg
[01:02:41] Warning: root login possible. Change for your safety the 'PermitRootLogin'
[01:02:41] Warning: SSH version 1 possible allowed!
how can i resolve these warnings, are they critical?
[/B]

login with SSH
go to /etc/ssh/
edit sshd_config
find the line "Protocol 2" make sure it doesn't have "1" in it
find the line "PermitRootLogin no" make sure it read "no"

save the changes. BEFORE you restart SSH make sure you have a user you can login with and from which you can change to root

type: adduser NAME
type: passwd NAME

RESTART ssh (type: service sshd restart)

 

[chaoszwerg]

hi eilko,

thanks for the quick answer.

how critical is the root login ?

what kind of user i need to change to root?

 

[Cranky]

If your password is very cryptic it's unlikely to be a problem. The suggestion of blocking root access is to make it more difficult for people (or usually scripts) from guessing your login credentials and gaining root access to your server. A cryptic root password coupled with brute-force blocking is secure enough IMHO.

 

[chaoszwerg]

hi,

ok my root password is: adminpassword

is this secure enough???

no joking!

where can a find the option for brute-force blocking?

 

[ZopfWare]

Ohmigod! that's my root password too!

lol

I have been dealing with a number of brute force attempts on several of my servers and would also be interested in the "brute force checking" described in the previous post.

 

[Hultenius]

I would recommend R-fx Networks Brute Force Detection (BFD).
BFD works quite easy, searching the logs and counts failed logins.
However, it does the work...

http://www.rfxnetworks.com/bfd.php

 

[phatPhrog]

ART

I'd recommend ARTs (atomicrocketturtle.com) ASL which installs a grsec kernel, and also install ARTs mod_security and mod_dosevasive as an added and most needed layer of protection after your initial upgrade with the grsecurity kernel.

Although R-fx Networks Brute Force Detection (BFD) works, it's a bit tedious and to some hard to configure on certain servers.

peedle....- if that is really your password you're in trouble already.

 

[ZopfWare]

I downloaded BFD and installed it...but it doesn't seem to do anything... I have personally reviewed the logs and KNOW that Brute force login attempts are being made, however it looks like BFD isn't doing anything.


I dont get any errors, and I have looked at the conf file for BFD and it looks like it is set up to access the right log files, however I'm unable to determine if it is actually doing anyting...


Got any further suggestions?

 

[phatPhrog]

You'd be better served by asking the guys at

http://www.rfxnetworks.com/

Trust me, unless you have those apps setup for your server you'll have problems.

NOT that you are having problems. BFD isn't going to report brute force unless it happens, so unless you have a test app to test it, then and again, you should join the forums at rfxnetworks and ask.

 

[WebDork]

I got the following warning too:

/etc/.java

If you then go down enough dirs and eventually there are two empty files.

drwxr-xr-x 2 root root 4.0K May 9 17:42 .
drwxr-xr-x 3 root root 4.0K May 9 17:42 ..
-rw-r--r-- 1 root root 0 May 9 17:42 .system.lock
-rw-r--r-- 1 root root 0 May 9 17:42 .systemRootModFile

Is this indeed a problem ?

 

[modom]

Hi,

There was a post on wht about the .java folder with the empty files.

I was told you can leave it or remove it so I removed it on my server.

I am getting this also but may be because when CentOS 3.6 updated it goes to CentOS 3.7:

"Warning: This operating system is not fully supported! "

 

[[GC]Neo]

you know, set firewall to block ALL IP's minus Those with permission to access root.

It's useful to have multiple IP's in case you're own IP Changes.

and if the data-center is good enough to of given you a hardware firewall, then u only need to give em a call to lift the block or change ur IP access.