From owner-freebsd-questions Wed Feb 27 5:52:40 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.the-i-pa.com (mail.the-i-pa.com [151.201.71.132]) by hub.freebsd.org (Postfix) with SMTP id 7396437B428 for ; Wed, 27 Feb 2002 05:52:21 -0800 (PST)
Received: (qmail 63963 invoked from network); 27 Feb 2002 13:59:35 -0000
Received: from unknown (HELO proxy.pt.com) (151.201.71.209) by mail.the-i-pa.com with SMTP; 27 Feb 2002 13:59:35 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: Bill Moran
Organization: Potential Technology
To: Jim Freeze , questions@freebsd.org
Subject: Re: Is this a breakin (attempt)?
Date: Wed, 27 Feb 2002 08:50:58 -0500
X-Mailer: KMail [version 1.2]
References: <20020227081821.A12905@freeze.org>
In-Reply-To: <20020227081821.A12905@freeze.org>
MIME-Version: 1.0
Message-Id: <02022708505801.00825@proxy.pt.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: 
X-Loop: FreeBSD.ORG

On Wednesday 27 February 2002 08:18, Jim Freeze wrote:
> Hi:
>
> I have received the following report the last two days
> from the daily security emails and I am not sure how serious
> this is. The log says that it has accepted the following ssh
> TCP packets, but does this necessarily mean that they successfully
> logged in to my machine? I do not recognize any of the addresses
> and I only have a few accounts on this machine. Also, doing a last
> on the machine only shows the known users logging in. Is there an
> ssh activity log that I can check?
>
> ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
> ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
> ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
> ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
> ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0

Do you have a rule that logs connections in your ipfw rules? Rules 2300, 2600, and 2900 maybe? It looks like someone is definitely sending connection requests; however, you need to look at your ipfw ruleset to see exactly what kind of activity is triggering those log entries.

On another angle, I get this kind of thing all the time. In December, I had Samba running unprotected on this machine for about a month (due to carelessness on my part). Over that week, I had 5 attempts to connect to Samba by misc. hosts on the internet. This machine connects via DIAL-UP and it's still that dangerous!

So, my opinion is, you should be very concerned. But not because you saw those log entries. You should be concerned because you're connected to the internet.

In your case, however, I doubt that you're in much danger. You're smart enough to be running ssh instead of telnet, and you take the time to check your log output and research anything suspicious. From the other checks you did, I doubt that anyone got in. Make sure you've got good passwords on any accounts that are allowed ssh, and keep an eye on things like you have been.

-- 
Bill Moran
Potential Technology technical services
http://www.potentialtech.com
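The point of the reply above is that an ipfw `Accept` entry records a packet that passed the ruleset, not a login; the ruleset tells you which rule fired, and the service's own log (sshd, in this case) tells you whether anyone authenticated. The following script is an added example, not code from the thread or from FreeBSD: it parses lines in the ipfw log format quoted above, drops everything that is not an accepted inbound packet, and summarises the remaining connection attempts per destination port and source address so the entries can be checked against the ruleset and the sshd log. The sample lines are constructed (RFC 5737 documentation addresses), the `known_sources` allow-list is a hypothetical parameter, and the summary format is my own choice.

```python
import re
from collections import defaultdict

# Constructed sample input in the ipfw(8) log format shown in the thread.
# Addresses are from documentation ranges (RFC 5737), not real hosts.
# The last line is a non-ipfw line to show that unrelated entries are skipped.
SAMPLE_LOG = """\
ipfw: 2300 Accept TCP 192.0.2.10:64965 198.51.100.2:21 in via sis0
ipfw: 2900 Accept TCP 192.0.2.20:22 198.51.100.4:22 in via sis0
ipfw: 2300 Accept TCP 192.0.2.30:1075 198.51.100.2:21 in via sis0
ipfw: 2900 Accept TCP 192.0.2.20:4671 198.51.100.4:22 in via sis0
ipfw: 2900 Accept TCP 192.0.2.40:4022 198.51.100.4:22 in via sis0
ipfw: 65000 Deny TCP 192.0.2.50:33000 198.51.100.4:23 in via sis0
Feb 27 08:10:01 host sshd[123]: unrelated line, not an ipfw entry
"""

# rule number, action, protocol, src:port, dst:port, direction, interface
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw(text):
    """Return one dict per ipfw log line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("rule", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def inbound_accepts_by_port(events, known_sources=frozenset()):
    """Group accepted inbound packets by destination port and source address.

    Returns {dport: {src_ip: count}}. Sources listed in known_sources
    (a hypothetical allow-list of hosts you expect to connect) are omitted.
    An Accept entry only means the packet passed the firewall; whether a
    login happened has to be confirmed in the service's own log.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] != "Accept" or ev["direction"] != "in":
            continue
        if ev["src"] in known_sources:
            continue
        summary[ev["dport"]][ev["src"]] += 1
    return {port: dict(srcs) for port, srcs in summary.items()}


def report(summary, watch_ports=(22,)):
    """Render the summary as lines, flagging ports whose service log should be checked."""
    lines = []
    for port in sorted(summary):
        srcs = summary[port]
        total = sum(srcs.values())
        note = " (accepted by firewall only; confirm in service log)" if port in watch_ports else ""
        lines.append(f"port {port}: {total} packet(s) from {len(srcs)} source(s){note}")
        for src in sorted(srcs):
            lines.append(f"  {src}: {srcs[src]}")
    return lines


if __name__ == "__main__":
    events = parse_ipfw(SAMPLE_LOG)
    for line in report(inbound_accepts_by_port(events)):
        print(line)
```

Run it against `/var/log/security` (or wherever the daily security mail draws its ipfw lines from) instead of the embedded sample, and compare the rule numbers it reports with `ipfw list` to see which rule is logging. A source that appears repeatedly against port 22 is worth cross-checking against `/var/log/auth.log` for sshd "Accepted" or "Failed" lines, which is the ssh activity log the question asks about.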