From: Paul Schmehl
To: Mark Moellering, FreeBSD (freebsd-questions@freebsd.org)
Date: Fri, 19 Aug 2011 14:10:09 -0500
Subject: Re: My server is under attack (I think)
Message-ID: <67E049C395112E49105B02BE@utd71538.utdallas.edu>
In-Reply-To: <4E4E7AC1.5000904@msen.com>

--On August 19, 2011 11:01:21 AM -0400 Mark Moellering wrote:

> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
>
> Is there anything I should be doing to make sure the server isn't
> compromised? It is a mail server running postfix / dovecot.
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss. It looks like I am under attack but I don't know
> what to do about it. Any help is greatly appreciated.
>
> Thanks in advance

As others have pointed out, this is routine probing by internet jerks. You have several choices. You can restrict access to ssh to specific IPs or netblocks. You can ignore it and chalk it up to being on the internet. Or, if the people that have access to your server are sophisticated enough that it's not too much hassle explaining it, you can run ssh on some other port.

I chose options 1 & 2 for a server I maintain. I'd prefer option 3, but I don't want to have to explain it to the owners. They're not very tech savvy.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
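The first option in the reply (restrict ssh to specific IPs or netblocks) can be expressed directly in the pf the original poster already runs. The fragment below is an added example, not Paul's or Mark's configuration; the interface name, the admin netblocks and the mail port list are assumptions.

```pf
# Added example pf.conf fragment (not from the thread). Assumptions:
# em0 is the Internet-facing interface, and the admin netblocks below
# are constructed placeholders; replace them with the ones you use.
ext_if = "em0"
table <admin_nets> { 192.0.2.0/24, 198.51.100.7 }
table <bruteforce> persist

set skip on lo0
scrub in on $ext_if all

# Default deny inbound; drop already-flagged sources first (quick ends
# rule evaluation), before any pass rule can match them.
block in on $ext_if all
block in quick on $ext_if from <bruteforce> to any

# Mail service stays open to the world (the box runs postfix/dovecot).
pass in on $ext_if proto tcp from any to ($ext_if) \
    port { smtp, submission, imaps, pop3s } keep state

# Option 1: ssh only from the admin netblocks. Everyone else is dropped
# before sshd accepts the connection, so tcp_wrappers never runs the
# reverse-DNS check that produced the hosts.allow warnings in dmesg.
# Even an allowed source that opens more than 5 connections in 30 s
# is added to <bruteforce> and has its existing states torn down.
pass in on $ext_if proto tcp from <admin_nets> to ($ext_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass out on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect what the rate limit has caught with `pfctl -t bruteforce -T show`.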