From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 11:36:12 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DA79F16A401 for ; Sat, 14 Apr 2007 11:36:12 +0000 (UTC) (envelope-from gabor@FreeBSD.org)
Received: from server.t-hosting.hu (server.t-hosting.hu [217.20.133.7]) by mx1.freebsd.org (Postfix) with ESMTP id 9BA4D13C469 for ; Sat, 14 Apr 2007 11:36:12 +0000 (UTC) (envelope-from gabor@FreeBSD.org)
Received: from localhost (localhost [127.0.0.1]) by server.t-hosting.hu (Postfix) with ESMTP id 3AECD9F2DF7; Sat, 14 Apr 2007 13:36:11 +0200 (CEST)
X-Virus-Scanned: amavisd-new at t-hosting.hu
Received: from server.t-hosting.hu ([127.0.0.1]) by localhost (server.t-hosting.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Aj1K1c4ZCbSr; Sat, 14 Apr 2007 13:36:03 +0200 (CEST)
Received: from [192.168.2.186] (catv-5063f539.catv.broadband.hu [80.99.245.57]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by server.t-hosting.hu (Postfix) with ESMTP id 022129F2DF6; Sat, 14 Apr 2007 13:36:02 +0200 (CEST)
Message-ID: <4620BC95.3070107@FreeBSD.org>
Date: Sat, 14 Apr 2007 13:35:49 +0200
From: Gabor Kovesdan
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: Jim Stapleton
References: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
In-Reply-To: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: Given this evidence, should I be worried that I may have been hacked
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 14 Apr 2007 11:36:12 -0000

Jim Stapleton wrote:
> Once I opened up SSH to the outside world, my machine has been
> hammered once or twice a day most days, with username failures. None
> of the usernames would fit a username on my system (except root), and
> I have ssh set to deny root logins, and only use SSH2. Additionally, I
> have the following in my login.access (only active entry; the names
> have been changed on this, but the three names would appear as 3- and
> 4-character random alphabetical strings):
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts
> at my ssh server. It's interesting, but the major drop in attempts has
> me more worried than the attempts (could this drop-off be because they
> no longer need to hack me? Could they have hacked me and that be the
> reason why?)
>
> How worried should I be, and what's the best recourse for this?
>
On a system I administer I put SSH on a non-standard port (in this case 1234) and the brute-force attempts have gone away since then. I suggest you try that. Besides, you can change to RSA/DSA auth, which is more secure.

Regards,
Gabor
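An added example, not code from this thread, that audits an sshd_config for the points raised above: SSH2 only, root logins denied, key (RSA/DSA) rather than password authentication, and a non-default port. The directive list and the two sample configs are constructed; it reads only the global section, in "Keyword value" form.

```python
"""Audit an sshd_config for the hardening points discussed in this thread:
SSH protocol 2 only, root logins denied, key (RSA/DSA) instead of password
authentication, and a non-default listening port.  Added example, not code
from the thread; the two sample configs below are constructed."""

# Directive -> predicate its value must satisfy to count as hardened.
CHECKS = {
    "protocol": lambda v: v == "2",
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "port": lambda v: v.isdigit() and v != "22",
}

def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.
    sshd uses the first occurrence of a keyword, keywords are case-insensitive,
    '#' starts a comment, and everything after the first Match block is
    conditional, so it is left out of the global audit."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return directives

def audit(text):
    """Return {directive: 'ok' | 'weak' | 'unset'}.  'unset' means the compiled-in
    sshd default applies; set it explicitly rather than trust that default."""
    conf = parse_sshd_config(text)
    return {k: ("unset" if k not in conf else "ok" if ok(conf[k].lower()) else "weak")
            for k, ok in CHECKS.items()}

# Constructed samples: a stock-looking config, and one with the thread's advice applied.
WEAK = "Port 22\nProtocol 2,1\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = """
Port 1234                  # non-standard port, as in the reply
Protocol 2                 # SSH2 only
PermitRootLogin no
PubkeyAuthentication yes   # RSA/DSA keys instead of guessable passwords
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```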