From: "jan gestre" <freebsd.ph@gmail.com>
To: pcarter@jhu.edu
Cc: freebsd-questions@freebsd.org
Date: Sat, 22 Jul 2006 02:06:18 +0800
Subject: Re: Security Run Output E-mail

On 7/20/06, PATRICK CARTER wrote:
>
> I'm relatively new to FreeBSD (~6 months of usage) and I have been
> administering my own system for approximately the last 2 months.
> Recently my system has received many ssh login attempts on standard user
> accounts, as someone has been attempting to break into my system. I usually
> read the Security Run Output e-mails to see if the attacker(s) had made any
> headway, and took the necessary precautions (limiting ssh logins etc.).
> However, last week (after it seemed that the attacks had let up somewhat)
> I stopped receiving the e-mails (as well as the daily run output e-mails).
> I still read the auth.log file to see login information and it did not
> appear as though anyone had successfully managed to break into the system.
> Today both sets of e-mails started again and I received the e-mails for
> today and yesterday (I am still missing 5 days' worth and one weekly run
> output). I was wondering if anyone might know how to ensure that I continue
> to receive these e-mails without interruption.
>
> If it matters (and I suspect it does), I have all my root e-mails aliased
> to a locked, nologin dummy account that forwards e-mail to my account, my
> boss' account, and retains a copy in the dummy account (.forward was not
> working to forward root's mail). Root's mail client is set to read the
> dummy account inbox as well as anything that somehow winds up in the regular
> root mailbox. This setup worked fine until the e-mails stopped last week
> (none of the listed accounts received the e-mail).
>
> Any advice would be greatly appreciated.
>

Those script kiddies do let up sometimes, you know :D. Using brute force, I
guess; as long as your users' passwords aren't dictionary words then you have
nothing to worry about. And also set the AllowUsers directive, allowing only
admins.

HTH
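As an added example (not part of the thread, and not code from either poster), here is a small sh/awk checker for the AllowUsers advice above, run against two constructed sshd_config fragments: a permissive one and a hardened one that restricts logins to named admin accounts. The account names and the address in the fragments are made up. The checker follows sshd's rule that the first occurrence of a keyword is the one that counts, and it also flags ChallengeResponseAuthentication, because on FreeBSD sshd authenticates through PAM and the keyboard-interactive method will still ask for a password unless that directive is set to no as well as PasswordAuthentication.

```shell
#!/bin/sh
# Audit an sshd_config for the settings that decide whether a password
# guessing run can reach an account at all. Both config fragments below are
# constructed for this example; the user names and address are made up.

WEAK_CONFIG='# permissive: every account is reachable by password guessing
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes'

HARDENED_CONFIG='# only the named admins, keys only, short grace period
Protocol 2
AllowUsers alice bob@198.51.100.7
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
LoginGraceTime 30'

# sshd_get KEYWORD CONFIG: print the effective value of KEYWORD. sshd uses the
# first occurrence of a keyword and ignores later ones, so awk exits on the
# first match; keywords are case-insensitive. Prints nothing if the keyword
# is unset. Lines after a Match header are not examined, since they apply
# conditionally.
sshd_get() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
            print v
            exit
        }'
}

# sshd_audit CONFIG: one finding per line; no output means no findings.
# A keyword that is not set explicitly is reported, because its default has
# differed between OpenSSH releases and should not be relied on.
sshd_audit() {
    cfg=$1
    if [ -z "$(sshd_get AllowUsers "$cfg")" ] && [ -z "$(sshd_get AllowGroups "$cfg")" ]; then
        echo "no AllowUsers/AllowGroups: every account with a valid shell is a login target"
    fi
    if [ "$(sshd_get PermitRootLogin "$cfg")" != "no" ]; then
        echo "PermitRootLogin is not 'no'"
    fi
    if [ "$(sshd_get PasswordAuthentication "$cfg")" != "no" ]; then
        echo "PasswordAuthentication is not 'no'"
    fi
    # On FreeBSD sshd authenticates through PAM; with this left at yes, the
    # keyboard-interactive method still prompts for a password even when
    # PasswordAuthentication is no.
    if [ "$(sshd_get ChallengeResponseAuthentication "$cfg")" != "no" ]; then
        echo "ChallengeResponseAuthentication is not 'no': password prompts still come via PAM"
    fi
}

echo "--- weak config"
sshd_audit "$WEAK_CONFIG"
echo "--- hardened config"
sshd_audit "$HARDENED_CONFIG"
```

To check a live system, replace the embedded fragment with `sshd_audit "$(cat /etc/ssh/sshd_config)"`. The AllowUsers value accepts user@host patterns, so the hardened fragment lets alice in from anywhere but bob only from one address; a user not listed is refused before any password is tried, which is what takes the standard accounts out of the brute-force run.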
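As a further added example (again not from the thread), a sh script that does by hand what the login-failure part of the Security Run Output is read for: it pulls failed sshd authentications out of auth.log lines, counts them per source address, lists accepted logins, and flags any accepted login that came from an address which also produced failures. The log lines embedded below are constructed for the example (host, addresses and accounts are made up); the message formats assumed are the ones sshd logs through syslog, "Invalid user ...", "Failed password for ...", "error: PAM: authentication error for ..." and "Accepted <method> for ...", so adjust the patterns if your version logs differently.

```shell
#!/bin/sh
# Summarise sshd authentication events from a FreeBSD auth.log: the check
# you would make after a brute-force run to see whether anyone got in.
# The sample below is constructed for this example; host, addresses and
# account names are made up.

SAMPLE_LOG='Jul 15 03:12:01 gw sshd[1234]: Invalid user admin from 192.0.2.10
Jul 15 03:12:03 gw sshd[1234]: error: PAM: authentication error for illegal user admin from 192.0.2.10
Jul 15 03:12:09 gw sshd[1240]: Failed password for invalid user test from 192.0.2.10 port 41311 ssh2
Jul 15 03:13:00 gw sshd[1244]: Failed password for root from 203.0.113.5 port 5551 ssh2
Jul 15 08:59:00 gw login: ROOT LOGIN (root) ON ttyv0
Jul 15 09:00:00 gw sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Jul 15 09:05:12 gw sshd[1305]: Accepted password for bob from 203.0.113.5 port 5580 ssh2'

# failed_by_source LOG: "count address" for each source of failed sshd
# authentications, most active source first. Non-sshd lines are ignored.
failed_by_source() {
    printf '%s\n' "$1" \
    | grep 'sshd\[' \
    | grep -E 'Invalid user|Failed password|authentication error' \
    | sed -n -E 's/.* from ([0-9.]+).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# accepted_logins LOG: "user address method" for every successful sshd login.
accepted_logins() {
    printf '%s\n' "$1" \
    | grep 'sshd\[' \
    | sed -n -E 's/.*Accepted ([^ ]+) for ([^ ]+) from ([0-9.]+).*/\2 \3 \1/p'
}

# accepts_from_failed_sources LOG: successful logins whose source address also
# produced failures, i.e. the sign that a guessing run actually got in.
accepts_from_failed_sources() {
    failed=$(failed_by_source "$1" | awk '{ print $2 }')
    accepted_logins "$1" | while read -r user addr method; do
        for f in $failed; do
            if [ "$f" = "$addr" ]; then
                printf '%s %s %s\n' "$user" "$addr" "$method"
            fi
        done
    done
}

# With no argument the constructed sample is analysed; pass a file such as
# /var/log/auth.log to analyse a real log instead.
if [ $# -gt 0 ]; then LOG=$(cat "$1"); else LOG=$SAMPLE_LOG; fi
echo "--- failed attempts per source"
failed_by_source "$LOG"
echo "--- accepted logins"
accepted_logins "$LOG"
echo "--- accepted logins from sources that also failed"
accepts_from_failed_sources "$LOG"
```

On the sample this reports three failures from 192.0.2.10 and one from 203.0.113.5, and flags bob's password login from 203.0.113.5 because that address had failed against root minutes earlier; a key-based login from an address with no failures is not flagged. Reading the file directly this way is also the fallback for the days the periodic mail did not arrive, since auth.log is written regardless of whether the daily run's mail gets delivered.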