Date: Fri, 6 Aug 2004 15:02:43 -0500
From: Dan Rue
To: "James A. Coulter"
cc: freebsd-questions@freebsd.org
Subject: Re: Newbie Security Question
Message-ID: <20040806200243.GA25584@therub.org>
In-Reply-To: <20040806132601.GA3043@sara.mshome.net>

On Fri, Aug 06, 2004 at 08:26:01AM -0500, James A. Coulter wrote:
> I recently got my firewall up and configured (many thanks to JJB and
> everyone else for their help) and have been reading the daily security
> message from root with a great deal of interest.
>
> My question is, when I see entries like this:
>
> Aug 5 17:55:54 sara sshd[2099]: Failed password for root from 209.120.224.13
> +port 40515 ssh2
> Aug 5 17:55:55 sara sshd[2101]: Failed password for root from 209.120.224.13
> +port 60426 ssh2
> Aug 5 17:55:55 sara sshd[2103]: Failed password for root from 209.120.224.13
> +port 54447 ssh2
> Aug 5 17:55:59 sara sshd[2105]: Failed password for root from 209.120.224.13
> +port 44460 ssh2
>
> is it safe to assume someone has been trying to hack my system?
>
> Jim C.

Hi Jim,

Yeah, I get these all the time. I've always chalked it up to random
script kiddies. Sometimes I get people trying to log in as generic
usernames like admin, guest, etc.

Make sure that PermitRootLogin is either set to no or commented out in
/etc/ssh/sshd_config, and of course make sure you are using a good root
password.

Now, if you really want to work yourself up, start browsing your
httpd-access logs :)

-dan
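
Added example, not part of the original message: a small Python triage of the kind of sshd entries quoted above. It rejoins the "+port" continuation lines from the daily security report and groups failed passwords by source address. The sample lines, the function names, the burst threshold and window, and the assumed year are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the quoted entries (RFC 5737 addresses).
SAMPLE = """\
Aug  5 17:55:54 sara sshd[2099]: Failed password for root from 203.0.113.13
+port 40515 ssh2
Aug  5 17:55:55 sara sshd[2101]: Failed password for root from 203.0.113.13
+port 60426 ssh2
Aug  5 17:55:59 sara sshd[2105]: Failed password for illegal user admin from 203.0.113.13
+port 44460 ssh2
Aug  5 18:10:02 sara sshd[2210]: Failed password for jim from 198.51.100.7 port 51000 ssh2
""".splitlines()

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def unwrap(lines):
    """Rejoin entries the report wrapped: a continuation line starts with '+'."""
    out = []
    for line in lines:
        if line.startswith("+") and out:
            out[-1] += " " + line[1:]
        else:
            out.append(line)
    return out

def failed_logins(lines, year=2004):
    """Return (time, source, user) per failed password; syslog omits the year."""
    hits = filter(None, map(FAILED.match, unwrap(lines)))
    return [(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
             m["src"], m["user"]) for m in hits]

def bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Map each source with >= threshold failures inside window to the users tried."""
    by_src = defaultdict(list)
    for when, src, user in events:
        by_src[src].append((when, user))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        if any(hits[i + threshold - 1][0] - hits[i][0] <= window
               for i in range(len(hits) - threshold + 1)):
            flagged[src] = sorted({u for _, u in hits})
    return flagged

print(bursts(failed_logins(SAMPLE)))
```

A single mistyped password, like the constructed jim entry, stays below the threshold and is not flagged.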