From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 11:25:47 2007
From: "Jim Stapleton"
To: freebsd-questions@freebsd.org
Date: Sat, 14 Apr 2007 07:25:46 -0400
Message-ID: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
Subject: Given this evidence, should I be worried that I may have been hacked
Once I opened up SSH to the outside world, my machine has been hammered once or twice a day most days, with username failures. None of the usernames would fit a username on my system (except root), and I have ssh set to deny root logins, and only use SSH2.

Additionally, I have the following in my login.access (only active entry; the names have been changed on this, but the three names would appear as 3- and 4-character random alphabetical strings):

-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local

As of the 9th, I've only seen one set of blatant/brute-force attempts at my ssh server. It's interesting, but the major drop in attempts has me more worried than the attempts (could this drop-off be because they no longer need to hack me? Could they have hacked me, and that be the reason why?)

How worried should I be, and what's the best recourse for this?

Thanks,
-Jim Stapleton
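A log triage script for the situation described in the post, added here as an example and not code from the post or from FreeBSD: it parses sshd auth-log lines, counts failed logins per day and source, and flags any accepted session that the quoted login.access rule should have denied (a non-allowed user from a non-local address, or root at all), which is the first thing to check before deciding whether the drop in attempts means anything. The syslog line format, the allowed user names (mirroring the post's placeholders), the RFC 1918 meaning of "local" and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Mirrors the post's rule "-:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local": only these
# (placeholder) users may log in from anywhere but "local". login.access's "local"
# means console/tty; for sshd sessions this example treats RFC 1918 space as local.
ALLOWED_USERS = {"wrbc", "crr", "aqp"}
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# syslog-style sshd lines as found in /var/log/auth.log (format assumed). Only
# "Failed ... for" lines are counted, so the "Invalid user" line that precedes each
# failure for a non-existent account does not double the count.
FAILED_RE = re.compile(r"^(?P<date>\w{3} +\d+) \S+ \S+ sshd\[\d+\]: Failed \S+ for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"^(?P<date>\w{3} +\d+) \S+ \S+ sshd\[\d+\]: Accepted "
                         r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

def triage(lines):
    """Return ({day: Counter(source ip -> failures)}, [accepts violating the policy])."""
    failed, suspicious = defaultdict(Counter), []
    for line in lines:
        if m := FAILED_RE.match(line):
            failed[" ".join(m["date"].split())][m["ip"]] += 1
        elif m := ACCEPTED_RE.match(line):
            user, ip = m["user"], ip_address(m["ip"])
            local = any(ip in net for net in LOCAL_NETS)
            # root is denied in sshd_config; anyone else must be allowed or come from local
            if user == "root" or (user not in ALLOWED_USERS and not local):
                suspicious.append((" ".join(m["date"].split()), user, m["ip"], m["method"]))
    return failed, suspicious

def daily_failed_totals(lines):
    """Failures per day: a sudden drop after steady hammering is itself worth a look."""
    return {day: sum(c.values()) for day, c in triage(lines)[0].items()}

# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Apr  8 03:12:01 bsdbox sshd[812]: Invalid user admin from 198.51.100.7
Apr  8 03:12:01 bsdbox sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Apr  8 03:12:04 bsdbox sshd[814]: Failed password for root from 198.51.100.7 port 40213 ssh2
Apr  8 03:12:07 bsdbox sshd[816]: Failed password for invalid user test from 198.51.100.7 port 40215 ssh2
Apr  9 22:40:10 bsdbox sshd[901]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Apr 10 08:15:30 bsdbox sshd[950]: Accepted publickey for wrbc from 192.168.1.20 port 55020 ssh2
Apr 12 01:05:44 bsdbox sshd[1002]: Accepted password for games from 203.0.113.9 port 51234 ssh2
"""

if __name__ == "__main__":
    print("failed logins per day:", daily_failed_totals(SAMPLE_LOG.splitlines()))
    print("accepted sessions violating the login.access policy:", triage(SAMPLE_LOG.splitlines())[1])
```

Run it against the real /var/log/auth.log instead of SAMPLE_LOG; an empty second result means no accepted session contradicts the stated policy, which is the reassuring case.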