From: Bill Moran
Date: Tue, 04 Mar 2003 10:51:41 -0500
To: lists@3bags.com
Cc: freebsd-questions@freebsd.org
Subject: Re: hacking attempts?
Message-ID: <3E64CB8D.7020104@potentialtech.com>

Phillip Smith (mailing list) wrote:
> I found this in my logs and I'm wondering if this is a hacking attempt?

Probably.

> Should I be concerned?

Probably not, as long as you use good passwords for everything, you're
probably safe (unless you use telnet or ftp or something).

> Also, if/when I see these, I'd like to add them to a blocked list using
> /sbin/ipfw, but get the following message when trying this command:
>
> # /sbin/ipfw add 1 deny all from 151.204.100.88:255.255.255.255 to any
> ipfw: getsockopt(IP_FW_ADD): Protocol not available

Doesn't seem like IPFW is enabled.
What does your rc.conf look like?  You should enable it in /etc/rc.conf
and select a good basic ruleset.

Additionally, when you add block rules like this, you should add them to
your /etc/rc.firewall script so they get preserved across a reboot.

> freedom.domain.com login failures:
> Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 64.21.10.2 port 36747 ssh2
> Mar 2 11:38:33 freedom sshd[47912]: Failed publickey for illegal user test from 64.21.10.2 port 36747 ssh2
> Mar 2 11:38:34 freedom sshd[47912]: Failed keyboard-interactive for illegal user test from 64.21.10.2 port 36747 ssh2
> Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
> Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 64.21.10.2 port 36747 ssh2
> Mar 2 11:38:37 freedom sshd[47913]: Failed none for illegal user oracle from 64.21.10.2 port 36984 ssh2
> Mar 2 11:38:38 freedom sshd[47913]: Failed publickey for illegal user oracle from 64.21.10.2 port 36984 ssh2
> Mar 2 11:38:38 freedom sshd[47913]: Failed keyboard-interactive for illegal user oracle from 64.21.10.2 port 36984 ssh2
> Mar 2 11:38:38 freedom sshd[47913]: Failed password for illegal user oracle from 64.21.10.2 port 36984 ssh2
> Mar 2 11:38:38 freedom sshd[47913]: Failed password for illegal user oracle from 64.21.10.2 port 36984 ssh2
> Mar 2 11:38:41 freedom sshd[47914]: Failed none for illegal user guest from 64.21.10.2 port 37171 ssh2
> Mar 2 11:38:41 freedom sshd[47914]: Failed publickey for illegal user guest from 64.21.10.2 port 37171 ssh2
> Mar 2 11:38:41 freedom sshd[47914]: Failed keyboard-interactive for illegal user guest from 64.21.10.2 port 37171 ssh2
> Mar 2 11:38:41 freedom sshd[47914]: Failed password for illegal user guest from 64.21.10.2 port 37171 ssh2
> Mar 2 11:38:41 freedom sshd[47914]: Failed password for illegal user guest from 64.21.10.2 port 37171 ssh2
> Mar 2 11:38:44 freedom sshd[47915]: Failed password for ROOT from 64.21.10.2 port 37187 ssh2
> Mar 2 11:38:45 freedom sshd[47915]: Failed password for ROOT from 64.21.10.2 port 37187 ssh2
> Mar 2 11:38:48 freedom sshd[47916]: Failed password for nobody from 64.21.10.2 port 37211 ssh2
> Mar 2 11:38:48 freedom sshd[47916]: Failed password for nobody from 64.21.10.2 port 37211 ssh2
> Mar 2 11:38:52 freedom sshd[47917]: Failed password for games from 64.21.10.2 port 37215 ssh2
> Mar 2 11:38:52 freedom sshd[47917]: Failed password for games from 64.21.10.2 port 37215 ssh2
> Mar 2 11:38:56 freedom sshd[47918]: Failed none for illegal user user from 64.21.10.2 port 37217 ssh2
> Mar 2 11:38:56 freedom sshd[47918]: Failed publickey for illegal user user from 64.21.10.2 port 37217 ssh2
> Mar 2 11:38:56 freedom sshd[47918]: Failed keyboard-interactive for illegal user user from 64.21.10.2 port 37217 ssh2
> Mar 2 11:38:56 freedom sshd[47918]: Failed password for illegal user user from 64.21.10.2 port 37217 ssh2
> Mar 2 11:38:56 freedom sshd[47918]: Failed password for illegal user user from 64.21.10.2 port 37217 ssh2
> Mar 2 11:38:59 freedom sshd[47919]: Failed password for ROOT from 64.21.10.2 port 37218 ssh2
> Mar 2 11:38:59 freedom sshd[47919]: Failed password for ROOT from 64.21.10.2 port 37218

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
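
The log review and block-rule step discussed in this message, as an added example that is not part of the original post or of either participant's text: it counts failed sshd logins per source address and prints deny rules for review. The function names, the threshold of 5, the starting rule number 100 and the sample log (constructed, using documentation addresses) are assumptions, and the parser also accepts the "invalid user" wording that later OpenSSH releases log.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# and print candidate ipfw rules for review. It never changes the firewall.

# Constructed sample in the quoted log format. Addresses are documentation
# ranges; the last entry has a username that imitates the end of a log line.
sample_log() {
cat <<'EOF'
Mar 2 11:38:33 freedom sshd[47912]: Failed none for illegal user test from 192.0.2.10 port 36747 ssh2
Mar 2 11:38:34 freedom sshd[47912]: Failed password for illegal user test from 192.0.2.10 port 36747 ssh2
Mar 2 11:38:38 freedom sshd[47913]: Failed password for illegal user oracle from 192.0.2.10 port 36984 ssh2
Mar 2 11:38:44 freedom sshd[47915]: Failed password for ROOT from 192.0.2.10 port 37187 ssh2
Mar 2 11:38:48 freedom sshd[47916]: Failed password for nobody from 192.0.2.10 port 37211 ssh2
Mar 2 12:01:02 freedom sshd[48001]: Accepted password for phil from 198.51.100.7 port 50122 ssh2
Mar 2 12:05:09 freedom sshd[48020]: Failed password for phil from 198.51.100.7 port 50130 ssh2
Mar 2 12:09:40 freedom sshd[48031]: Failed password for illegal user a from 203.0.113.9 port 1 ssh2 from 192.0.2.10 port 37300 ssh2
EOF
}

# Print "<source> <failures> <distinct users>" per source, busiest first.
# The source is taken from the fixed tail "from ADDR port N ssh2", because
# the username in front of that tail is supplied by the remote client.
summarize_failures() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $8 == "for" &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        src = $(NF-3)
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        first = (($9 == "illegal" || $9 == "invalid") && $10 == "user") ? 11 : 9
        user = ""; sep = ""
        for (i = first; i <= NF - 5; i++) { user = user sep $i; sep = " " }
        fails[src]++
        if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
    }
    END { for (s in fails) print s, fails[s], users[s] }' | sort -k2,2nr -k1,1
}

# Print (do not run) one deny rule per source with at least $1 failures,
# in the rule syntax quoted in the thread, numbered from $2 upward.
candidate_rules() {
    awk -v min="$1" -v n="$2" '$2 >= min {
        printf "/sbin/ipfw add %d deny all from %s to any\n", n++, $1 }'
}

sample_log | summarize_failures | candidate_rules 5 100
```

The printed rules can only be loaded once IPFW is enabled, and per the reply above they belong in /etc/rc.firewall if they are to survive a reboot.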