I have a home media server running LAMP but with just the basic setup. This allows me to watch my videos, look at family photos, listen to music, and so on with all our computers and various media devices.
I have a Verizon FIOS floating IP so I haven't bothered to set up a VPN or a webpage yet - just the "It Works" default page when you attempt an http connection from the internal network.
In theory - attacking the IP would get you my DSL Router and its firewall, right?
Today, I checked the server's monitor (it's connected to the second input port on one of my desktop monitors, sweet right?) and saw a few error messages and a notice of required reboot (security update). So I decided to SSH over there and check the errors and reboot. When I logged in I saw:
Code:
stuart@office:~$ ssh -p XXXXX daddy@server
daddy@server's password:
Linux server 2.6.38-7-server #37~lucid1-Ubuntu SMP Mon Mar 21 18:38:53 UTC 2011 x86_64 GNU/Linux
Ubuntu 10.04.2 LTS
~~~~~~~
*** System restart required ***
Last login: Sat Mar 26 20:30:21 2011 from new-host-2.home
daddy@server:~$ users

This is not a name on my network so I went totally paranoid and I immediately rebooted (maybe not the best idea) but the reboot went normal and all seemed OK.
I went to /var/log/auth.log and saw (truncated)
Code:
Mar 30 15:50:47 server sshd[19361]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
Mar 30 15:51:31 server sudo: pam_unix(sudo:auth): authentication failure; logname=daddy uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=daddy
Mar 30 15:51:35 server sudo: daddy : TTY=pts/0 ; PWD=/home/daddy ; USER=root ; COMMAND=/sbin/reboot
Mar 30 15:52:23 server sshd[525]: Server listening on 0.0.0.0 port XXXXX.
Mar 30 15:52:23 server sshd[525]: Server listening on :: port XXXXX.
Mar 30 15:52:38 server perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): getting password (0x00000388)
Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): pam_get_item returned a password
Mar 30 15:52:38 server perl: pam_winbind(webmin:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Mar 30 15:52:40 server webmin[1484]: Webmin starting
Mar 30 15:52:51 server sshd[1490]: Accepted password for daddy from 192.168.1.199 port XXXXX ssh2
Mar 30 15:52:51 server sshd[1490]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
That was today's login after reboot so it's not likely a hacker, rather some service I have misconfigured?
As I typed this, it occurred to me that possibly the new-host-2 was my relatively new Roku box that plays home videos off of the server. I will test this later when I get some time.
Any comments? Is a non-standard SSH port enough security in light of the fact that I'm behind a firewall?
Maybe I should create an SSH whitelist.
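The question the post is really asking of auth.log is "which sources have successfully authenticated over SSH, and are they all hosts I recognise?" The script below is an added example (editor's code, not from the original post) that answers exactly that: it parses the sshd "Accepted"/"Failed" lines and the sudo command lines, counts logins per source, and flags any accepted login whose source is outside an allowlist of LAN networks or known hostnames (the hostname branch covers the case where the source shows up as a name such as new-host-2.home rather than an IP). The sample log is constructed: it is the excerpt from the post plus two fabricated lines from the documentation address 203.0.113.45, added only to show the flagging path; the port numbers and the allowlist 192.168.1.0/24 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the post's auth.log excerpt plus two fabricated lines
# from 203.0.113.45 (a documentation address) that are NOT on the LAN allowlist.
SAMPLE_AUTH_LOG = """\
Mar 30 15:50:47 server sshd[19361]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
Mar 30 15:51:31 server sudo: pam_unix(sudo:auth): authentication failure; logname=daddy uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=daddy
Mar 30 15:51:35 server sudo: daddy : TTY=pts/0 ; PWD=/home/daddy ; USER=root ; COMMAND=/sbin/reboot
Mar 30 15:52:23 server sshd[525]: Server listening on 0.0.0.0 port XXXXX.
Mar 30 15:52:38 server perl: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Mar 30 15:52:51 server sshd[1490]: Accepted password for daddy from 192.168.1.199 port XXXXX ssh2
Mar 30 15:52:51 server sshd[1490]: pam_unix(sshd:session): session opened for user daddy by (uid=0)
Mar 30 16:03:12 server sshd[1602]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar 30 16:03:20 server sshd[1602]: Accepted password for daddy from 203.0.113.45 port 40130 ssh2
"""

# sshd authentication result lines ("invalid user" appears for unknown accounts)
SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)
# sudo command lines ("user : TTY=... ; PWD=... ; USER=root ; COMMAND=...")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ssh_events(log_text):
    """Return one dict per sshd Accepted/Failed line (ts, result, method, user, src)."""
    return [m.groupdict() for m in map(SSH_AUTH_RE.match, log_text.splitlines()) if m]


def parse_sudo_commands(log_text):
    """Return one dict per sudo command execution line (ts, user, runas, cmd)."""
    return [m.groupdict() for m in map(SUDO_RE.match, log_text.splitlines()) if m]


def source_is_known(src, known_networks, known_hosts):
    """True if src is an IP inside a known network or a hostname on the known-host list."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # sshd logged a hostname (UseDNS yes), e.g. "new-host-2.home"
        return src in known_hosts
    return any(addr in net for net in known_networks)


def audit(log_text, known_networks, known_hosts=frozenset()):
    """Summarise SSH logins and sudo use; list accepted logins from unknown sources."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    events = parse_ssh_events(log_text)
    accepted = [e for e in events if e["result"] == "Accepted"]
    failed = [e for e in events if e["result"] == "Failed"]
    return {
        "accepted_by_source": Counter(e["src"] for e in accepted),
        "failed_by_source": Counter(e["src"] for e in failed),
        "accepted_from_unknown": [
            e for e in accepted if not source_is_known(e["src"], nets, known_hosts)
        ],
        "sudo": parse_sudo_commands(log_text),
    }


if __name__ == "__main__":
    # Assumed LAN range; add LAN hostnames here if sshd logs names instead of IPs.
    report = audit(SAMPLE_AUTH_LOG, ["192.168.1.0/24"], known_hosts={"new-host-2.home"})
    print("accepted logins per source:", dict(report["accepted_by_source"]))
    print("failed logins per source:  ", dict(report["failed_by_source"]))
    for e in report["accepted_from_unknown"]:
        print(f"!! accepted login from UNKNOWN source {e['src']} as {e['user']} at {e['ts']}")
    for s in report["sudo"]:
        print(f"sudo: {s['user']} ran {s['cmd']} as {s['runas']} at {s['ts']}")
```

Run it against the real file with the sample replaced by `open("/var/log/auth.log").read()`; anything listed under "UNKNOWN source" is what deserves investigation, while a login from 192.168.1.199 on the LAN is consistent with what the post shows. The same allowlist is what an SSH whitelist in sshd_config would express, for example `AllowUsers daddy@192.168.1.*` or a `Match Address` block, which restricts who may authenticate at all rather than only which port they must find.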