[Linux] what could be killing my linux router?
Terry Richards
linux@flux.org
Thu, 07 Jun 2007 09:15:06 -0400
Phil Smith wrote:
>The most important file to examine is
>/var/log/auth.log. It is usually there that the
>"break in" records of the supposedly invulnerable
>ancient Linux machine that is beginning to act like a
>Windows ME machine are stored.
>
I don't have /var/log/auth.log.
I did run the "last" command and I don't see any funny logins, but then . . .?
>1) Disable root SSH, block internet access to telnet,
>ftp, and all the (many) other UNIX services designed
>when security was not a consideration.
>
Done:
telnet 65.12.208.185 22
Trying 65.12.208.185...
Connected to adsl-065-012-208-185.sip.bct.bellsouth.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.5
Protocol mismatch.
Connection closed by foreign host.
>2) create a strange (non-root) userid with an even
>stranger password. Once they break in as any normal
>user, a root password cracker program looping to get
>the root password is a mere formality.
>(Actually, a really slow machine might be an advantage
>here!). Security people, who always remind us that
>"security by obscurity is no security at all", always
>want to make sure these password crackers can run at
>full speed, perhaps as job security for them. It
>would be just __too easy__ to slow down the ability to
>try more bad root passwords based on the number of bad
>ones recently tried?
>
>3) given the need to update the kernel/SSH/Apache to
>current levels to avoid exploits, a Pentium 200
>doesn't seem up to the task since updates are very
>slow on that genre of hardware.
>
>The newest kernels (2.6.16+) have lots of new iptables
>rules to repel intruders the first time they try to
>get in.
>
I have distcc using two other machines, both 450MHz, so other than gcc most
compiles are relatively easy, and my webserver is not on the router (which
is a dedicated box) and also gets the extra crunch from my distcc network.
>4) Select a Linux distro that makes it easy to
>maintain your boxes in a pristine "yesterday's code
>fixes" mode. In your case, probably Gentoo's "emerge
>ssh, etc.", just not from 2002 or so.
>
Not sure I understand what is meant by pristine "yesterday's code fixes" mode???
I keep all my machines up to date week to week, usually Sundays.
>5) Realize how they break in:
>
>"nc/telnet yourhost.gotdns.org 22" -->
>
>SSH-1.9.7-OpenSSH_4.1p1,
>
>now look up the vulnerabilities in that version.
>Actually, ancient Linux is a very false sense of
>security as compared to Windows 2000, etc..
>
>Phil
>
Yes, SSH-2.0-OpenSSH_4.5, but I am not sure there has been a break-in. Not sure
why the connection goes down at all; in fact, that is what I am asking.
How do I go about finding what is happening here?
Where do I look for the cause?
My first guess is that there has been a break-in, but it could be the result
of a recent update or misconfiguration.
How do I find out when (exact time) the connection goes off and what
triggers the disconnection?
e-yeah,
The last one is _the_ question!
/|\
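Added example, not part of the thread and not code from either poster: a small Python triage script for the two things asked above, the exact time the link dropped and whether anyone was hammering sshd beforehand (Phil's "password cracker looping" point). It assumes the classic year-less syslog layout "Mon dd HH:MM:SS host prog[pid]: message" (year 2007 assumed), the OpenSSH "Failed password for ... from ... port ..." message format, and kernel/pppd link messages as shown; the sample log lines are constructed for the example. On a box without /var/log/auth.log the same sshd, kernel and pppd lines usually land in /var/log/messages or /var/log/secure, depending on the syslog configuration.

```python
"""Triage a Linux router's syslog: when did the link go down, and was
sshd being brute-forced just before?  Constructed sample data, year assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog prefix: "Mon dd HH:MM:SS host prog[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH failed-password lines, with or without the "invalid user" form.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Kernel / pppd messages that mark the WAN link going away or coming back.
DOWN_RE = re.compile(r"link down|Connection terminated|Modem hangup|LCP terminated", re.I)
UP_RE = re.compile(r"link up|Connect: ppp\d+", re.I)

# Constructed sample, NOT from the original poster's router (year assumed 2007).
SAMPLE_LOG = """\
Jun  7 03:12:01 router sshd[2311]: Failed password for root from 203.0.113.7 port 51212 ssh2
Jun  7 03:12:04 router sshd[2313]: Failed password for root from 203.0.113.7 port 51220 ssh2
Jun  7 03:12:07 router sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51231 ssh2
Jun  7 03:12:09 router sshd[2317]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun  7 03:12:12 router sshd[2319]: Accepted publickey for terry from 192.168.1.10 port 40211 ssh2
Jun  7 03:40:55 router kernel: eth1: link down
Jun  7 03:40:56 router pppd[811]: Connection terminated.
Jun  7 03:40:56 router pppd[811]: Modem hangup
    (a stray continuation line that does not parse and is skipped)
Jun  7 03:41:30 router pppd[811]: Connect: ppp0 <--> /dev/ttyS0
Jun  7 03:41:33 router kernel: eth1: link up, 100Mbps
Jun  7 05:02:10 router sshd[2402]: Failed password for root from 198.51.100.23 port 60001 ssh2
"""


def parse(text, year=2007):
    """Return one dict per parseable syslog line, with a real datetime."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # continuation lines, garbage: skip
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return records


def failed_logins(records):
    """All failed sshd password attempts as (ts, user, ip), in log order."""
    out = []
    for r in records:
        if r["prog"] != "sshd":
            continue
        m = FAILED_RE.search(r["msg"])
        if m:
            out.append((r["ts"], m["user"], m["ip"]))
    return out


def brute_force_sources(records, threshold=3, window_seconds=60):
    """Source IPs with >= threshold failures inside any window_seconds span.
    Sliding window over each IP's sorted timestamps; returns {ip: largest burst}."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failed_logins(records):
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def link_events(records):
    """(ts, 'down'|'up', prog, msg) for every link-state message, time-ordered."""
    events = []
    for r in records:
        if DOWN_RE.search(r["msg"]):
            events.append((r["ts"], "down", r["prog"], r["msg"]))
        elif UP_RE.search(r["msg"]):
            events.append((r["ts"], "up", r["prog"], r["msg"]))
    return sorted(events)


def first_outage(records):
    """Exact timestamp of the first link-down message, or None."""
    downs = [e for e in link_events(records) if e[1] == "down"]
    return downs[0][0] if downs else None


def failures_before(records, when, minutes=30):
    """Failed logins in the `minutes` before `when`: was sshd being hammered
    right before the link dropped?"""
    lo = when - timedelta(minutes=minutes)
    return [f for f in failed_logins(records) if lo <= f[0] < when]


def report(text):
    recs = parse(text)
    for ts, state, prog, msg in link_events(recs):
        print(f"{ts}  link {state:<4}  {prog}: {msg}")
    for ip, burst in brute_force_sources(recs).items():
        print(f"brute force candidate: {ip} ({burst} failures inside 60s)")
    down = first_outage(recs)
    if down:
        print(f"first outage at {down}; failed logins in the 30 min before: "
              f"{len(failures_before(recs, down))}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the real box, feed it the concatenated logs (for example `cat /var/log/messages /var/log/secure`) rather than the sample string; the link events give the exact drop time to match against cron, update, or pppd activity, and the burst detector is the "how many bad root passwords recently" count that the iptables rate-limiting Phil mentions would act on.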