Re: attempts to hack in?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 06/29/2017 03:28 PM, William Mattison wrote:

While looking at journalctl output yesterday and today for other reasons (separate thread), I saw many "authentication failure" messages, over half also saying "user=root".  I also saw many "password check failed for user (root)" messages.  I saw many unknown user login attempts, and a few invalid user login attempts, and some attempts using one of the valid regular user names.  Why?  I am not yet good at reading journalctl output, so I don't know if these connection attempts are coming from "outside" or within this system.  I don't know if I should be concerned or not.  I do not intend anyone or anything to be able to get in to this system except for things that I initiate (examples: Firefox activity, Thunderbird activity, "dnf upgrade", installs, etc.).  And it doesn't make sense to me that any of those would be trying to log in to this system to do what I want.  I also don't see why anything on this system would try to log in to this same system except me personally (su, sudo, and
   actual logins).  I am the only actual user.

What's going on?  How do I determine where they're coming from?  Is there really someone or something trying to hack in?  If no, what really is going on?
Assuming that your computer is directly connected to the internet, then yes, that is someone trying to brute force your root (or other user) password. That is completely "normal". There should be an IP address logged either on the same line or nearby of the computer that's connecting. 


Most important,
How do I prevent connections from outside?
If you have no intention of remotely logging in to your computer, then use the firewall configuration tool to block the ssh port as well. By default, it leaves that one open. On the system I have a password for logging in, I have a firewall rule that limits ssh connections to one per minute for each address connecting. That drastically reduces the brute force attempts. On most other systems I use keys only, so I don't even bother limiting those ones. 
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux