Date: Sat, 14 Apr 2007 08:17:54 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: "Jim Stapleton" <stapleton.41@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Given this evidence, should I be worried that I may have been hacked
Message-ID: <20070414081754.16c78390.wmoran@potentialtech.com>
In-Reply-To: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
References: <80f4f2b20704140425w2631ee3co5547b772f6c972e8@mail.gmail.com>
In response to "Jim Stapleton" <stapleton.41@gmail.com>:

> Once I opened up SSH to the outside world, my machine has been
> hammered once or twice a day most days, with username failures. None
> of the usernames would fit a username on my system (except root), and
> I have ssh set to deny root logins, and only use SSH2. Additionally, I
> have the following in my login.access (only active entry, the names
> have been changed on this, but the three names would appear as 3 and
> four character random alphabetical strings):
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts
> at my ssh server. It's interesting, but the major drop in attempts has
> me more worried than the attempts (could this drop off be because they
> no longer need to hack me? Could they have hacked me and that be the
> reason why?)
>
> How worried should I be, and what's the best recourse for this?

The drop is more likely coincidence than anything else, although you
may have blocked things to the point where they don't get logged anymore.

These breakin attempts are bots. While I don't know for sure, I
seriously doubt that botnet gathering crooks discuss with each other
which machines they've already broken and thus don't attempt to break
them a second time. I don't expect the drop off is related.

Personally, I just had 3 such attempts last night, compared to none over
the course of several days. It's just a matter of how busy the botnet
people are on any given day.

You should install/run samhain or something similar to monitor activity
so you know if something unauthorized has changed. That's the only real
way to know if you've successfully been broken or not.

--
Bill Moran
http://www.potentialtech.com
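The reply's recommendation is a file-integrity monitor: record a trusted baseline of the system's files, then re-scan and compare, so that an unauthorized change shows up as a difference rather than being inferred from log volume. The script below is an added illustration of that baseline-and-compare approach written for this archive page; it is not samhain's code and not part of the thread. It assumes a directory tree given on the command line, stores the baseline as JSON, and treats a change in SHA-256 digest, size or permission bits as a modification. Sample paths and contents in the test are constructed.

```python
"""Minimal file-integrity baseline checker (added example, not samhain's code).

Usage:
    python fim.py init /usr/local/bin baseline.json   # record trusted state
    python fim.py check /usr/local/bin baseline.json  # report drift since then
"""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path

TRACKED_ATTRS = ("sha256", "size", "mode")


def _digest(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record digest, size and permission bits of every regular file.

    Symlinks are skipped: a link's target can change without the link itself changing,
    so following them would record the wrong object.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            rel = str(p.relative_to(root))
            baseline[rel] = {
                "sha256": _digest(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    # The baseline should live somewhere the monitored host cannot rewrite it
    # (read-only media or another machine); a baseline an intruder can edit proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths plus, for modified ones, which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in TRACKED_ATTRS if baseline[rel][k] != current[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def main(argv: list) -> int:
    if len(argv) != 4 or argv[1] not in ("init", "check"):
        print(__doc__)
        return 2
    cmd, root, store = argv[1], argv[2], argv[3]
    if cmd == "init":
        save_baseline(build_baseline(root), store)
        return 0
    report = compare(load_baseline(store), build_baseline(root))
    for kind in ("added", "removed"):
        for rel in report[kind]:
            print(f"{kind.upper():9}{rel}")
    for rel, attrs in report["modified"].items():
        print(f"MODIFIED {rel} ({', '.join(attrs)})")
    # Non-zero exit when anything drifted, so a cron job or mail hook can act on it.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `init` once on a system you trust (ideally right after installation, before it is exposed), keep the JSON off-box, and schedule `check` periodically; a silent log is not evidence of a clean host, but an unchanged baseline over the files that matter is.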