Security

Here are some aspects of security to take into consideration in a Linux distribution such as Ubuntu (10.04).

SSH

Make sure that SSH, if it runs at all (more on that below), does not accept passwords for login. Edit /etc/ssh/sshd_config and make sure these lines are present and uncommented:

PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no

There may of course be a lot of text in between; this is just an excerpt. There may also be other options you want to change to be on the safe side; consult the relevant documentation. These tend to be the main concerns though, and should make the entries in /var/log/auth.log less concerning to some extent.

Note that you may need to do a

sudo kill -HUP <SSHD PID>

to make sure any changes are reflected.
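
To verify the three settings rather than eyeball them, here is an added example (not part of the original page) that audits a config file. The function names and the sample config are constructed for illustration; it assumes sshd keeps the first value it reads for a keyword and treats everything after a Match line as conditional.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings listed above.

# Print the effective global value of keyword $2 in config file $1.
# Assumptions: '#' lines are comments, keywords are case-insensitive, sshd
# keeps the first value it reads, and lines after "Match" are conditional.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit            # stop at the first Match block
            if (key == want) { print f[2]; exit }
        }' "$1"
}

# Return 0 only if all three keywords are explicitly set to "no".
# A missing keyword is flagged, since the page asks for explicit lines.
audit_sshd_config() {
    rc=0
    for kw in PermitRootLogin PermitEmptyPasswords PasswordAuthentication; do
        val=$(sshd_effective "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-<not set>}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin no
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

The sample fails on two counts: the commented-out line is ignored so the first live PasswordAuthentication value is yes, and PermitEmptyPasswords appears only inside a Match block. On a real host, run audit_sshd_config /etc/ssh/sshd_config.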

If you want to disable SSH completely, to make sure it doesn't spawn in the first place, on boot or otherwise, try (in Ubuntu 10.04):

sudo touch /etc/ssh/sshd_not_to_be_run

then

pgrep -l sshd

to see what you need to kill (-9).

This may or may not be enough in all circumstances. Check this Ubuntu Forums post for more info on 10.04.

Various security measures

To check listening (Internet) sockets, I've set up aliases for each of these three:

# List only listening TCP and RAW sockets, not including those using loopback:
sudo netstat -Wplntw | grep -v " ::1:" | grep -v " 127\.0\.0\.1:" | sort -nk 7 | sort -snk 6

# List listening TCP, UDP and RAW sockets, not including those using loopback:
sudo netstat -Wplntuw | grep -v " ::1:" | grep -v " 127\.0\.0\.1:" | sort -nk 7 | sort -snk 6

# List listening TCP, UDP and RAW sockets:
sudo netstat -Wplntuw | sort -nk 7 | sort -snk 6

The sorting is a little overkill maybe, but ensures that the header is displayed first, and the sorting priority is always the process ID.

The -Wpln part gives you (abridged from NETSTAT(8)):

  • -W : Do not truncate IP addresses
  • -p : Show the PID and name of the program to which each socket belongs.
  • -l : Show only listening sockets.
  • -n : Show numerical addresses