Date: Sat, 14 Apr 2007 08:09:52 -0400
From: "Jim Stapleton"
To: "Gabor Kovesdan"
Cc: freebsd-questions@freebsd.org
Subject: Re: Given this evidence, should I be worried that I may have been hacked

I have DSA. I will change it to a nonstandard port, but I was wondering
what your opinion is on a good way to check if this is the result of me
being hacked, or just someone losing interest.

On 4/14/07, Gabor Kovesdan wrote:
> Jim Stapleton wrote:
> > Once I opened up SSH to the outside world, my machine has been
> > hammered once or twice a day most days, with username failures. None
> > of the usernames would fit a username on my system (except root), and
> > I have ssh set to deny root logins, and only use SSH2. Additionally, I
> > have the following in my login.access (only active entry, the names
> > have been changed on this, but the three names would appear as 3 and
> > four character random alphabetical strings):
> > -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
> >
> > As of the 9th, I've only seen one set of blatant/brute-force attempts
> > at my ssh server. It's interesting, but the major drop in attempts has
> > me more worried than the attempts (could this drop off be because they
> > no longer need to hack me? Could they have hacked me and that be the
> > reason why?)
> >
> > How worried should I be, and what's the best recourse for this?
> >
> On a system I administer I put SSH to a non-standard port (in this case
> 1234) and the brute force attempts have gone away since then. I suggest
> you try that. Besides, you can change to RSA/DSA auth, which is more
> secure.
>
> Regards,
> Gabor
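
The question in the message above (does the drop in attempts mean a break-in succeeded?) can be approached from the sshd log. The following is an added example, not part of the original thread: it tallies failed attempts per day and lists accepted logins that either came from an address with earlier failures or were for a user outside the quoted login.access allowlist. The log lines are constructed in OpenSSH's syslog format, and the user `oper`, the host name and all addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample (on FreeBSD the real file is /var/log/auth.log).
SAMPLE_LOG = """\
Apr  7 02:11:09 host sshd[811]: Invalid user admin from 203.0.113.5
Apr  7 02:11:12 host sshd[813]: Invalid user test from 203.0.113.5
Apr  8 04:40:31 host sshd[902]: Failed password for root from 203.0.113.5 port 40112 ssh2
Apr  8 09:15:02 host sshd[950]: Accepted password for wrbc from 198.51.100.7 port 51515 ssh2
Apr  9 03:02:44 host sshd[1021]: Failed password for invalid user guest from 192.0.2.44 port 3811 ssh2
Apr  9 03:02:59 host sshd[1023]: Accepted password for crr from 192.0.2.44 port 3820 ssh2
Apr 11 10:00:00 host sshd[1100]: Accepted publickey for oper from 198.51.100.7 port 51600 ssh2
"""

ALLOWED = {"wrbc", "crr", "aqp"}  # placeholder names from the quoted login.access line

LINE = re.compile(r"^(\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: (.*)$")
FAIL = re.compile(r"^(?:Invalid user \S*|Failed \S+ for (?:invalid user )?\S+) from (\S+)")
OKAY = re.compile(r"^Accepted (\S+) for (\S+) from (\S+)")

def review(log_text, allowed=ALLOWED):
    """Return (failed attempts per day, accepted logins worth a manual look)."""
    failures_per_day = Counter()
    failing_sources = set()
    suspicious = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        day, msg = " ".join(m.group(1).split()), m.group(2)
        if (f := FAIL.match(msg)):
            failures_per_day[day] += 1
            failing_sources.add(f.group(1))
        elif (a := OKAY.match(msg)):
            method, user, src = a.groups()
            reasons = []
            if user not in allowed:
                reasons.append("user not in allowlist")
            if src in failing_sources:
                reasons.append("source had earlier failures")
            if reasons:
                suspicious.append((day, user, src, method, reasons))
    return failures_per_day, suspicious

if __name__ == "__main__":
    per_day, flagged = review(SAMPLE_LOG)
    print(dict(per_day))
    for entry in flagged:
        print(entry)
```

A flagged entry is a prompt for manual review (an allowed user who mistyped a password once will also appear), and an empty result is only as trustworthy as the log file on the host being examined.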