Date: Wed, 27 Feb 2002 09:15:44 -0500
From: Jim Freeze <jim@freeze.org>
To: Bill Moran <wmoran@potentialtech.com>
Cc: questions@freebsd.org
Subject: Re: Is this a breakin (attempt)?
Message-ID: <20020227091544.A15249@freeze.org>
In-Reply-To: <02022708505801.00825@proxy.pt.com>; from wmoran@potentialtech.com on Wed, Feb 27, 2002 at 08:50:58AM -0500
References: <20020227081821.A12905@freeze.org> <02022708505801.00825@proxy.pt.com>

On Wed, Feb 27, 2002 at 08:50:58AM -0500, Bill Moran wrote:
>
> Do you have a rule that logs connections in your ipfw rules? Rule 2300, 2600,
> and 2900 maybe?

Yes, I do log all ssh activity:

    ${fwcmd} add pass log tcp from any to ${oip} 22 in via ${oif} setup

as well as all SYSLOG, SMB and all rejections in ipfw.

> It looks like someone is definitely sending connection requests, however, you
> need to look at your ipfw ruleset to see exactly what kind of activity is triggering
> those log entries.
> On another angle, I get this kind of thing all the time. In December, I had Samba
> running unprotected on this machine for about a month (due to carelessness on

What do you mean unprotected? You have my attention here.

> my part). Over that week, I had 5 attempts to connect to Samba by misc. hosts
> on the internet. This machine connects via DIAL-UP and it's still that dangerous!
> So, my opinion is, you should be very concerned. But not because you saw those
> log entries. You should be concerned because you're connected to the internet.
> In your case, however, I doubt that you're in much danger. You're smart enough
> to be running ssh instead of telnet, and you take the time to check your log output
> and research anything suspicious. From the other checks you did, I doubt that
> anyone got in. Make sure you've got good passwords on any accounts that are
> allowed ssh, and keep an eye on things like you have been.
>

Thanks

--
Jim Freeze
"Give some people an attoparsec and they'll take 16.093 Tera-angstroms"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message