From owner-freebsd-questions Wed Feb 27 6:17: 3 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from freebsdportal.com (freeze.org [63.106.140.202]) by hub.freebsd.org (Postfix) with ESMTP id BDBEC37B402 for ; Wed, 27 Feb 2002 06:16:53 -0800 (PST)
Received: (from jfreeze@localhost) by freebsdportal.com (8.11.6/8.11.6) id g1REFiB15284; Wed, 27 Feb 2002 09:15:44 -0500 (EST) (envelope-from jfreeze)
Date: Wed, 27 Feb 2002 09:15:44 -0500
From: Jim Freeze
To: Bill Moran
Cc: questions@freebsd.org
Subject: Re: Is this a breakin (attempt)?
Message-ID: <20020227091544.A15249@freeze.org>
References: <20020227081821.A12905@freeze.org> <02022708505801.00825@proxy.pt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <02022708505801.00825@proxy.pt.com>; from wmoran@potentialtech.com on Wed, Feb 27, 2002 at 08:50:58AM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, Feb 27, 2002 at 08:50:58AM -0500, Bill Moran wrote:
>
> Do you have a rule that logs connections in your ipfw rules? Rule 2300, 2600,
> and 2900 maybe?

Yes, I do log all ssh activity:

    ${fwcmd} add pass log tcp from any to ${oip} 22 in via ${oif} setup

as well as all SYSLOG, SMB and all rejections in ipfw.

> It looks like someone is definitely sending connection requests, however, you
> need to look at your ipfw ruleset to see exactly what kind of activity is triggering
> those log entries.
>
> On another angle, I get this kind of thing all the time. In December, I had Samba
> running unprotected on this machine for about a month (due to carelessness on

What do you mean, unprotected? You have my attention here.

> my part). Over that week, I had 5 attempts to connect to Samba by misc. hosts
> on the internet. This machine connects via DIAL-UP and it's still that dangerous!
> So, my opinion is, you should be very concerned. But not because you saw those
> log entries. You should be concerned because you're connected to the internet.
> In your case, however, I doubt that you're in much danger. You're smart enough
> to be running ssh instead of telnet, and you take the time to check your log output
> and research anything suspicious. From the other checks you did, I doubt that
> anyone got in. Make sure you've got good passwords on any accounts that are
> allowed ssh, and keep an eye on things like you have been.
>

Thanks

--
Jim Freeze
"Give some people an attoparsec and they'll take 16.093 Tera-angstroms"
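Added example, not part of the thread and not FreeBSD's own code: a small Python script that parses the syslog lines an ipfw `log` rule such as the ssh rule quoted in the message writes, then summarizes which rule numbers fired, how many inbound ssh connection attempts each source address made, and which sources touched several different ports. The log layout it assumes is the FreeBSD 4.x-era format `ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`; the sample lines, hostname `gw`, interface `fxp0`, addresses and rule numbers are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the thread), in the layout that ipfw
# "log" rules produce on FreeBSD 4.x. Rule numbers 2300/2600/2900 are the ones
# mentioned in the thread; hosts, addresses and times are made up.
SAMPLE_LOG = """\
Feb 27 06:10:12 gw /kernel: ipfw: 2300 Accept TCP 192.0.2.10:3456 198.51.100.5:22 in via fxp0
Feb 27 06:10:15 gw /kernel: ipfw: 2300 Accept TCP 192.0.2.10:3457 198.51.100.5:22 in via fxp0
Feb 27 06:11:40 gw /kernel: ipfw: 2300 Accept TCP 203.0.113.7:1025 198.51.100.5:22 in via fxp0
Feb 27 06:12:01 gw /kernel: ipfw: 2900 Deny TCP 203.0.113.7:1026 198.51.100.5:139 in via fxp0
Feb 27 06:12:03 gw /kernel: ipfw: 2900 Deny UDP 203.0.113.7:1027 198.51.100.5:137 in via fxp0
Feb 27 06:13:30 gw /kernel: ipfw: 2600 Accept UDP 192.0.2.20:514 198.51.100.5:514 in via fxp0
Feb 27 06:14:00 gw sshd[123]: unrelated line that the parser must skip
"""

# Assumed ipfw log layout; each field is captured by name.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per ipfw log line; lines without an ipfw record are skipped."""
    records = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rules_hit(records):
    """Count how many log lines each ipfw rule number produced."""
    return Counter(r["rule"] for r in records)


def attempts_by_source(records, dport=22):
    """Count inbound connection attempts to dport per source address.

    With a "setup" rule only the initial SYN is logged, so each line is one attempt.
    """
    return Counter(
        r["src"] for r in records if r["direction"] == "in" and r["dport"] == dport
    )


def multi_port_sources(records, min_ports=3):
    """Sources that touched at least min_ports distinct inbound ports.

    One host probing several services in a short window is worth a closer look;
    a single source repeating on port 22 is usually just a retry or a user.
    """
    ports = defaultdict(set)
    for r in records:
        if r["direction"] == "in":
            ports[r["src"]].add(r["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    print("rules hit:", dict(rules_hit(recs)))
    print("ssh attempts by source:", dict(attempts_by_source(recs)))
    print("sources touching 3+ ports:", multi_port_sources(recs))
```

To use it on a real box, feed it the kernel log instead of the constructed sample (for example `parse_ipfw_log(open("/var/log/security").read())` or whatever file syslog.conf routes `kern` messages to); the regex tolerates whatever prefix syslog puts before `ipfw:`, so timestamps and hostnames do not matter.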