Re: Possible Hacking routine

Jon Lewis (jlewis@inorganic5.fdt.net)
Sat, 12 Jul 1997 03:31:16 -0400 (EDT)

On Fri, 11 Jul 1997, Robert Hiltibidal wrote:

> > hmm... I'm just a touch confused by all this...
> > When someone logs into one of our portmasters, on the loghost one of the
> > following appears (depending on the account):
> > Jul 11 17:34:41 <portmaster name> user: host <host name of where they came
> > from> admin login succeeded
> > Jul 11 17:55:07 <portmaster> user: host <host> <userid> login failed
> > Jul 11 17:55:13 <portmaster> user: host <host> <userid> login succeeded
>
> That's for a normal login... what about when someone tries !root from a
> telnet? I haven't found a reference yet in the radius log for failed !root

Why do we all have to look stupid (myself included) and say "what if" when
we can just do it.

fubar:~$ telnet pm1
Trying 205.229.48.10...
Connected to pm1.fdt.net.
Escape character is '^]'.

ComOS - Livingston PortMaster

login: !root
Password:
Invalid Login

Jul 12 03:18:01 pm1 user: host fubar.fubar.fdt.net admin login failed

Ok...so the PM does syslog failed !root logins....good portmaster. Sit
portmaster....I'm running 3.5.

> incidentally one way to prevent this was to set up a filter for outside
> at the router.
>
> <--net filter port 23 on portmaster
> -----------||||||-router----portmaster----modems

This was mentioned just the other day. Why does the net need to reach
your PM's at all? Why should I even know you have PM's? My PM is totally
packet filtered from the net (except for a hole in the filter so one host
at livingston.com can hack me...or at least upgrade ComOS and help debug
the vanishing BRI's I used to have.) Speaking of those, I've not seen it
happen for some time. Going from the HD cable to individuals and
upgrading to 3.3.3 simultaneously fixed it. I've since changed
everything...HellSouth decided to reterm our BRI's as demux'd T1 (using
Conklin BriteMuxes) and when they did that, I went back to using HD
cables, and still no problems.

> > and if you're the real paranoid type you can log the commands that are
> > executed on the boxes also. Yep gotta love them manuals

My ciscos do this by default. I didn't know/remember the PM could do
that. Gotta look at the 3.5 rel notes again.

> It's not that I'm paranoid.. Considering how quickly I gained the
> portmaster root and my own password I, and my coworkers, need to come up

The !root passwd on the PM must have blown. Remember, the password is not
limited to 8 chars. Mix up some mixed case letters, numbers, punctuation,
etc, and you can make some pretty tough to bruteforce passwords. I could
give examples, but then I'd have to shoot you :)

------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
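The thread's point is that the PortMaster does syslog failed !root attempts (they show up as "admin login failed" on the loghost), so the loghost can be watched for them. The following is an added example, not code from the thread or from Livingston: a small Python parser for the log line shape quoted above, with a check that flags hosts producing repeated failed admin logins or a failed admin login followed by a success from the same host. The regex, the sample log lines, the threshold of three failures and the host names in the sample are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape quoted in the thread (not real log data).
SAMPLE_LOG = """\
Jul 11 17:34:41 pm1 user: host fubar.fubar.fdt.net admin login succeeded
Jul 11 17:55:07 pm1 user: host dialup7.example.net jsmith login failed
Jul 11 17:55:13 pm1 user: host dialup7.example.net jsmith login succeeded
Jul 12 03:18:01 pm1 user: host fubar.fubar.fdt.net admin login failed
Jul 12 03:18:09 pm1 user: host fubar.fubar.fdt.net admin login failed
Jul 12 03:18:20 pm1 user: host fubar.fubar.fdt.net admin login failed
Jul 12 03:19:44 pm1 user: host 10.0.0.5 admin login failed
Jul 12 03:20:01 pm1 user: host 10.0.0.5 admin login succeeded
"""

# Assumed pattern for the loghost line: "<ts> <portmaster> user: host <host> <userid> login <result>".
# A !root login is reported with userid "admin", as in the captured line in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<pm>\S+) user: host (?P<host>\S+) "
    r"(?P<user>\S+) login (?P<result>succeeded|failed)$"
)


def parse_line(line):
    """Return a dict of fields for one loghost line, or None if it is not a login record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every login record in a block of syslog text, skipping unrelated lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_admin_by_host(records):
    """Count failed admin (!root) logins per originating host."""
    counts = Counter()
    for r in records:
        if r["user"] == "admin" and r["result"] == "failed":
            counts[r["host"]] += 1
    return dict(counts)


def suspicious_hosts(records, threshold=3):
    """Hosts that reached `threshold` failed admin logins, or that had a failed
    admin login followed later by a successful one (a guessed password is the
    obvious reading of that sequence)."""
    flagged = {h for h, n in failed_admin_by_host(records).items() if n >= threshold}
    seen_failed = set()
    for r in records:  # records are in log order
        if r["user"] != "admin":
            continue
        if r["result"] == "failed":
            seen_failed.add(r["host"])
        elif r["host"] in seen_failed:
            flagged.add(r["host"])
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed admin logins per host:", failed_admin_by_host(recs))
    print("hosts to look at:", suspicious_hosts(recs))
```

Run it against the loghost's file (or tail it) and the two functions give a per-host count of failed !root attempts plus the short list worth a second look; hosts that should never be talking to the PM's telnet port at all are the cases the router filter in the thread is meant to remove.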