From: Matthias Apitz <guru@unixarea.de>
Date: Sun, 1 Oct 2017 17:26:37 +0200
To: freebsd-questions@freebsd.org
Subject: Re: help - under attack
Message-ID: <20171001152637.GA60730@c720-r314251>

On Sunday, October 01, 2017 at 11:18:14 a.m. -0400, Ernie Luzar wrote:

> Hello list;
>
> Installed 11.1 from scratch and after about 2-3 weeks I finally got
> around to inspecting the /var/logs. I have never seen the auth.log file
> roll over before, so this piqued my interest. It was full of failed
> login attempts. My firewall blocks all inbound traffic, so I am very
> baffled by what I see in the log. Any suggestions on how this can be
> happening?
>
> Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
> ...

If you have a firewall (about which you have not said anything), how can
SYN-SYN-ACK happen on port 22?

	matthias

--
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
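sshd can only log a peer address after the TCP handshake to port 22 has completed, so every such line in auth.log is evidence that the packet filter passed that connection. The following Python is an added example, not part of the original message: it lists which sources reached sshd, using the log line quoted above plus constructed sample lines; the function name and the sample data are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# First line is the one quoted in the message; the others are constructed
# for this example and use documentation address ranges.
SAMPLE_LOG = """\
Sep 29 03:09:14 fbsd sshd[33675]: Connection closed by 149.202.179.216 port 48876 [preauth]
Sep 29 03:09:20 fbsd sshd[33677]: Invalid user admin from 203.0.113.7 port 51514
Sep 29 03:09:22 fbsd sshd[33677]: Failed password for invalid user admin from 203.0.113.7 port 51514 ssh2
Sep 29 03:09:23 fbsd sshd[33677]: Connection closed by 203.0.113.7 port 51514 [preauth]
Sep 29 03:10:01 fbsd sshd[33680]: Received disconnect from 198.51.100.23 port 40022:11: Bye Bye [preauth]
Sep 29 03:11:40 fbsd su: admin to root on /dev/pts/1
"""

# Any sshd message that names a remote peer as "<from|by> ADDR port N".
PEER = re.compile(
    r"sshd\[\d+\]: (?P<msg>.*?(?:from|by) (?P<ip>\S+) port (?P<port>\d+).*)$"
)

def reached_sshd(log_text):
    """Return {source_ip: {"connections": n, "failed_logins": n}}.

    A distinct (address, source port) pair is counted as one TCP
    connection that got through to sshd.
    """
    ports = {}
    failed = Counter()
    for line in log_text.splitlines():
        m = PEER.search(line)
        if not m:
            continue                      # not an sshd line naming a peer
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue                      # token after from/by was not an address
        ports.setdefault(ip, set()).add(int(m["port"]))
        if m["msg"].startswith("Failed "):
            failed[ip] += 1
    return {ip: {"connections": len(p), "failed_logins": failed[ip]}
            for ip, p in ports.items()}

if __name__ == "__main__":
    for ip, stats in sorted(reached_sshd(SAMPLE_LOG).items()):
        print(f"{ip}: passed the filter to port 22, {stats}")
```

Any address this reports completed a handshake with sshd, so the next thing to check is the loaded ruleset rather than the log.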