Date: Wed, 27 Feb 2002 08:50:58 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Jim Freeze <jim@freeze.org>, questions@freebsd.org
Subject: Re: Is this a breakin (attempt)?
Message-ID: <02022708505801.00825@proxy.pt.com>
In-Reply-To: <20020227081821.A12905@freeze.org>
References: <20020227081821.A12905@freeze.org>
On Wednesday 27 February 2002 08:18, Jim Freeze wrote:
> Hi:
>
> I have received the following report the last two days
> from the daily security emails and I am not sure how serious
> this is. The log says that it has accepted the following ssh
> TCP packets, but does this necessarily mean that they successfully
> logged in to my machine? I do not recognize any of the addresses
> and I only have a few accounts on this machine. Also, doing a last
> on the machine only shows the known users logging in. Is there an
> ssh activity log that I can check?
>
> > ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
> > ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
> > ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
> > ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
> > ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0

Do you have a rule that logs connections in your ipfw rules? Rule 2300, 2600, and 2900 maybe? It looks like someone is definitely sending connection requests; however, you need to look at your ipfw ruleset to see exactly what kind of activity is triggering those log entries.

On another angle, I get this kind of thing all the time. In December, I had Samba running unprotected on this machine for about a month (due to carelessness on my part). Over that week, I had 5 attempts to connect to Samba by misc. hosts on the internet. This machine connects via DIAL-UP and it's still that dangerous!

So, my opinion is, you should be very concerned. But not because you saw those log entries. You should be concerned because you're connected to the internet.

In your case, however, I doubt that you're in much danger. You're smart enough to be running ssh instead of telnet, and you take the time to check your log output and research anything suspicious. From the other checks you did, I doubt that anyone got in.

Make sure you've got good passwords on any accounts that are allowed ssh, and keep an eye on things like you have been.

--
Bill Moran
Potential Technology technical services
http://www.potentialtech.com
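The distinction Bill draws is that an ipfw "Accept" line records a packet the firewall let through, not a login. The following triage script is an added example, not code from the thread or from FreeBSD: it parses the five log lines quoted above (embedded here as constructed sample input), tallies inbound accepts per rule and destination port, and flags sources using a privileged source port, which a normal client would not do. Whether anyone actually authenticated still has to come from sshd/ftpd logs or `last`, exactly as the reply says.

```python
import re
from collections import defaultdict

# Constructed sample: the five ipfw lines quoted in Jim's mail.
SAMPLE_LOG = """\
ipfw: 2300 Accept TCP 212.185.220.151:64965 63.106.140.202:21 in via sis0
ipfw: 2900 Accept TCP 63.217.26.40:22 63.106.140.204:22 in via sis0
ipfw: 2300 Accept TCP 64.228.85.123:1075 63.106.140.202:21 in via sis0
ipfw: 2600 Accept TCP 62.226.84.105:2320 63.106.140.205:21 in via sis0
ipfw: 2900 Accept TCP 63.204.77.126:4671 63.106.140.204:22 in via sis0
"""

# ipfw log line: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>"
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw(text):
    """Return one dict per parseable ipfw log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("rule", "sport", "dport"):
                d[k] = int(d[k])
            entries.append(d)
    return entries

def summarize(entries):
    """Group inbound Accept entries by (rule, dport): hit count, distinct sources,
    and sources whose source port is below 1024 (clients normally use ephemeral
    ports, so that is worth a closer look). A hit here is a packet the firewall
    passed, never evidence of a successful login."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "odd_sport": set()})
    for e in entries:
        if e["dir"] != "in" or e["action"] != "Accept":
            continue
        s = summary[(e["rule"], e["dport"])]
        s["hits"] += 1
        s["sources"].add(e["src"])
        if e["sport"] < 1024:
            s["odd_sport"].add(e["src"])
    return dict(summary)

if __name__ == "__main__":
    for (rule, port), s in sorted(summarize(parse_ipfw(SAMPLE_LOG)).items()):
        extra = f", privileged source port from {sorted(s['odd_sport'])}" if s["odd_sport"] else ""
        print(f"rule {rule} port {port}: {s['hits']} hit(s) from {sorted(s['sources'])}{extra}")
```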