Given this evidence, should I be worried that I may have been hacked

Gabor Kovesdan gabor at FreeBSD.org
Sat Apr 14 11:36:12 UTC 2007


Jim Stapleton wrote:
> Once I opened up SSH to the outside world, my machine has been
> hammered once or twice a day most days, with username failures. None
> of the usernames would fit a username on my system (except root), and
> I have ssh set to deny root logins, and only use SSH2. Additionally, I
> have the following in my login.access (only active entry, the names
> have been changed on this, but the three names would appear as 3 and
> four character random alphabetical strings):
> -:ALL EXCEPT wrbc crr aqp:ALL EXCEPT local
>
> As of the 9th, I've only seen one set of blatant/brute-force attempts
> at my ssh server. It's interesting, but the major drop in attempts has
> me more worried than the attempts (could this drop off be because they
> no longer need to hack me? Could they have hacked me and that be the
> reason why?)
>
> How worried should I be, and what's the best recourse for this?
>
On a system I administer I put SSH to a non-standard port (in this case
1234) and the brute force attempts have gone away since then. I suggest
you try that. Besides, you can change to RSA/DSA auth, which is more
secure.

Regards,
Gabor
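
An added example, not part of either message: one way to check the question raised in the thread is to scan the sshd auth log for accepted logins that come from a source with earlier failures, or that are for accounts outside the login.access allow list. The log lines and addresses are constructed samples, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Accounts permitted by the login.access entry quoted in the thread.
ALLOWED_USERS = {"wrbc", "crr", "aqp"}

# sshd outcome lines: "Failed|Accepted <method> for [invalid user ]<user> from <ip> port <n>"
EVENT = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Apr  8 03:12:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Apr  8 03:12:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 4243 ssh2
Apr  9 04:00:10 host sshd[1301]: Failed password for invalid user test from 203.0.113.9 port 5111 ssh2
Apr 10 08:00:00 host sshd[2000]: Accepted publickey for wrbc from 198.51.100.7 port 5000 ssh2
Apr 10 09:00:00 host sshd[2001]: Accepted password for aqp from 203.0.113.5 port 5001 ssh2
""".splitlines()


def triage(lines, allowed=ALLOWED_USERS):
    """Return (failed attempts per day, accepted logins that need review)."""
    failures_per_day = Counter()
    failed_sources = set()
    suspicious = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        day = " ".join(m["day"].split())  # "Apr  8" -> "Apr 8"
        if m["result"] == "Failed":
            failures_per_day[day] += 1
            failed_sources.add(m["ip"])
            continue
        # Accepted login: flag it if the account or the source is unexpected.
        reasons = []
        if m["user"] not in allowed:
            reasons.append("user not in allow list")
        if m["ip"] in failed_sources:
            reasons.append("source previously failed logins")
        if reasons:
            suspicious.append((day, m["user"], m["ip"], reasons))
    return failures_per_day, suspicious


if __name__ == "__main__":
    per_day, review = triage(SAMPLE_LOG)
    print(dict(per_day))
    for entry in review:
        print(entry)
```

A clean result only reflects what the log still contains, since an intruder with root access can edit it.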


