Koozali.org: home of the SME Server

Can not login in as root or admin after about a week

oldtony
Can not login in as root or admin after about a week
« on: May 20, 2006, 10:46:05 PM »
I have done this 4 times now.
After setting up a SME server, after about a week, I can not log in as root anymore. We log in as root & run an old database called filepro.
This has happened on 6.0 & 7.rc2 on two different computers & 4 different hard drives. The hard drives are not producing errors. We have used both SCSI & SATA hard drives. The failures only happen at night. The unit is protected by a battery backup unit.
The computer is at a remote site & the logging in is done using ssh. There is a Multitech Route Finder in front of the SME server. The SME server is running as a server only. We log in through the Multitech Route Finder VPN on to the SME server as root.
Any suggestions would be appreciated.
Thanks
old tony Freehauf

cactus
Can not login in as root or admin after about a week
« Reply #1 on: May 20, 2006, 10:54:46 PM »
Did you try to reset the root/admin password, and review your log files?

Maybe the log files can provide some more information.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

oldtony
thanks for the help
« Reply #2 on: May 21, 2006, 02:22:12 AM »
thanks for the help
old tony

oldtony
unable to log in issue
« Reply #3 on: May 21, 2006, 03:35:29 AM »
In the secure file I am seeing the below message repeated over & over.
Could this be the problem?
old tony
=================================
May 20 11:49:07 indy1 last message repeated 2 times
May 20 11:49:07 indy1 proftpd[9878]: indy1.indy1.com (140.115.237.13[140.115.237.13]) - Maximum login attempts (3) exceeded
May 20 11:49:07 indy1 proftpd[9879]: indy1.indy1.com (140.115.237.13[140.115.237.13]) - USER Administrator: no such user found from 140.115.237.13 [140.115.237.13] to 192.168.4.44:21
May 20 11:49:08 indy1 last message repeated 2 times

cactus
Re: unable to log in issue
« Reply #4 on: May 21, 2006, 10:37:23 AM »
Quote from: "oldtony"
(140.115.237.13[140.115.237.13]) - USER Administrator: no such user found from 140.115.237.13 [140.115.237.13] to 192.168.4.44:21
May 20 11:49:08 indy1 last message repeated 2 times


Shouldn't you either use the user 'root' or 'admin' account or did you really create an account called 'Administrator'?

If you really created an account called Administrator you should try to find out why it gets deleted.

compdoc
Can not login in as root or admin after about a week
« Reply #5 on: May 21, 2006, 05:16:23 PM »
I'm not sure if there's a lockout period in SME, but that log looks like someone is trying usernames and passwords to gain access.

Maybe you can't log in because of a lockout time?

Personally, I think you're safer using a $40 router/firewall in front of any server or network...

cactus
Re: unable to log in issue
« Reply #6 on: May 21, 2006, 08:52:18 PM »
Quote from: "oldtony"
In the secure file I am seeing the below message repeated over & over.
Could this be the problem?
old tony
=================================
May 20 11:49:07 indy1 last message repeated 2 times
May 20 11:49:07 indy1 proftpd[9878]: indy1.indy1.com (140.115.237.13[140.115.237.13]) - Maximum login attempts (3) exceeded
May 20 11:49:07 indy1 proftpd[9879]: indy1.indy1.com (140.115.237.13[140.115.237.13]) - USER Administrator: no such user found from 140.115.237.13 [140.115.237.13] to 192.168.4.44:21
May 20 11:49:08 indy1 last message repeated 2 times


Maybe you can set FTP to private and only allow some hosts to FTP:
Are all hacks from the same (external) IP?
Do you need external FTP?
If so, do you need external FTP from a small number of known hosts/IP numbers?

After a few whois queries it seems that the originating PC is from an IP number owned by the National Central University of Taiwan. I will not post their abuse address here. You can find it here if you just fill in the IP number from your logfile: Query the APNIC (Asia Pacific Network Information Centre) Whois Database. Maybe you can contact them.
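Whether the attempts all come from one address can be read out of the `secure` file by counting failures per source IP. The following is an added example, not part of the original thread; the sample lines are constructed in the format of the posted excerpt and use documentation addresses. It also expands the syslog "last message repeated N times" lines, which otherwise hide most of the volume.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the posted `secure` excerpt;
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE = """\
May 20 11:49:07 indy1 proftpd[9878]: indy1.indy1.com (192.0.2.10[192.0.2.10]) - Maximum login attempts (3) exceeded
May 20 11:49:07 indy1 proftpd[9879]: indy1.indy1.com (192.0.2.10[192.0.2.10]) - USER Administrator: no such user found from 192.0.2.10 [192.0.2.10] to 192.168.4.44:21
May 20 11:49:08 indy1 last message repeated 2 times
May 20 11:50:12 indy1 proftpd[9901]: indy1.indy1.com (198.51.100.7[198.51.100.7]) - USER guest: no such user found from 198.51.100.7 [198.51.100.7] to 192.168.4.44:21
"""

PROFTPD = re.compile(r"proftpd\[\d+\]: \S+ \([^\[]*\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)")
NO_USER = re.compile(r"USER (?P<user>.+?): no such user found")
MAX_TRIES = re.compile(r"Maximum login attempts \(\d+\) exceeded")
REPEAT = re.compile(r"last message repeated (?P<n>\d+) times?")


def summarize(text):
    """Count failed proftpd logins per source IP, expanding syslog repeats."""
    stats = defaultdict(lambda: {"unknown_user": 0, "max_attempts": 0, "users": set()})
    last = None  # (ip, counter) of the previous event line, used for repeats
    for line in text.splitlines():
        rep = REPEAT.search(line)
        if rep:
            # syslogd collapsed N identical copies of the previous line
            if last:
                stats[last[0]][last[1]] += int(rep.group("n"))
            continue
        last = None
        m = PROFTPD.search(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        user = NO_USER.search(msg)
        if user:
            stats[ip]["unknown_user"] += 1
            stats[ip]["users"].add(user.group("user"))
            last = (ip, "unknown_user")
        elif MAX_TRIES.search(msg):
            stats[ip]["max_attempts"] += 1
            last = (ip, "max_attempts")
    return dict(stats)


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["unknown_user"]):
        print(ip, s["unknown_user"], s["max_attempts"], sorted(s["users"]))
```

A handful of source addresses each trying many nonexistent account names is the pattern that supports restricting FTP to known hosts, as suggested above.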

CharlieBrady
Can not login in as root or admin after about a week
« Reply #7 on: May 21, 2006, 11:32:47 PM »
Quote from: "compdoc"
I'm not sure if there's a lockout period in SME, but that log looks like someone is trying usernames and passwords to gain access.


Which indeed happens to every system with SSH enabled and open to the Internet. If you do not choose very strong root/admin passwords, then your system will be vulnerable to break-in. Disabling password access (and using SSH keys) is a much more secure choice.

There is no lockout period, so if remote access suddenly becomes denied it's likely because someone has changed the password.

SSH doesn't become any more secure if you add a port-forwarding firewall in front. Ditto for any other publicly accessible service.
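A way to confirm that password access is really off after switching to keys, as an added example that is not part of the original thread: it reads an `sshd_config` text and reports where `PasswordAuthentication` is still in effect. The sample config is constructed, and the check covers only `PasswordAuthentication` and `PubkeyAuthentication` in a plain-text config file.

```python
import re

# Constructed sshd_config text for illustration (not taken from the thread).
SAMPLE_CONFIG = """\
# remote admin box
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
Match Address 192.168.4.0/24
    PasswordAuthentication yes
"""

# OpenSSH behaviour when the keyword does not appear in the file.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def effective_settings(text):
    """Return (global_settings, match_overrides) for an sshd_config text.

    sshd keeps the first value it reads for each keyword, so later duplicates
    are ignored; lines after a Match line apply only to that Match block.
    """
    global_cfg, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()  # keywords are case-insensitive
        if key == "match":
            current_match = value
        elif current_match is None:
            global_cfg.setdefault(key, value)  # first occurrence wins
        else:
            overrides.append((current_match, key, value))
    return {**DEFAULTS, **global_cfg}, overrides


def password_login_findings(text):
    """List the places where password logins remain possible."""
    cfg, overrides = effective_settings(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("global: PasswordAuthentication is enabled")
    if cfg["pubkeyauthentication"] == "no":
        findings.append("global: PubkeyAuthentication is disabled")
    for match, key, value in overrides:
        if key == "passwordauthentication" and value != "no":
            findings.append(f"Match {match}: PasswordAuthentication re-enabled")
    return findings
```

In the sample, the second global `PasswordAuthentication yes` is ignored because the first value wins, while the `Match` block still re-enables passwords for that address range.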

oldtony
ssh keys
« Reply #8 on: May 21, 2006, 11:52:37 PM »
Is there a good example of how to use ssh keys
& how do you disable password access?

Thanks for all the help
old tony

cactus
Re: ssh keys
« Reply #9 on: May 21, 2006, 11:56:21 PM »
Quote from: "oldtony"
Is there a good example of how to use ssh keys
& how do you disable password access?

thanks for all the help
old tony
What a simple search on these forums can do? :-D
http://www.wellsi.com/sme/ssh/ssh.html

compdoc
Can not login in as root or admin after about a week
« Reply #10 on: May 22, 2006, 12:24:42 AM »
Quote from: "CharlieBrady"
SSH doesn't become any more secure if you add a port-forwarding firewall in front. Ditto for any other publicly accessible service.


It's just that I've had a couple of SME version 5 servers fall over to spammers, so I like limiting the exposure of any server as much as possible now.

And routers tend to have less down time - not as many software updates or reboots as a server. If SME is used as a gateway, the WAN is down while it's being serviced.

CharlieBrady
Can not login in as root or admin after about a week
« Reply #11 on: May 22, 2006, 12:59:31 AM »
Quote from: "compdoc"
Quote from: "CharlieBrady"
SSH doesn't become any more secure if you add a port-forwarding firewall in front. Ditto for any other publicly accessible service.


It's just that I've had a couple of SME version 5 servers fall over to spammers, so I like limiting the exposure of any server as much as possible now.


Sure. And you do that by limiting the number of services which are exposed to the Internet. A "firewall" in front of an SME server only adds a false sense of security. If you have an insecure SSH service, or an insecure web application, then the "firewall" adds no security at all.