On Thu, 29 Jun 2017 22:28:28 -0000 "William Mattison" <mattison.computer@xxxxxxxxx> wrote:

> Good afternoon,
>
> (f25 home workstation)
>
> While looking at journalctl output yesterday and today for other
> reasons (separate thread), I saw many "authentication failure"
> messages, over half also saying "user=root". I also saw many
> "password check failed for user (root)" messages. I saw many unknown
> user login attempts, and a few invalid user login attempts, and some
> attempts using one of the valid regular user names. Why? I am not
> yet good at reading journalctl output, so I don't know if these
> connection attempts are coming from "outside" or within this system.
> I don't know if I should be concerned or not. I do not intend anyone
> or anything to be able to get into this system except for things
> that I initiate (examples: Firefox activity, Thunderbird activity,
> "dnf upgrade", installs, etc.). And it doesn't make sense to me that
> any of those would be trying to log in to this system to do what I
> want. I also don't see why anything on this system would try to log
> in to this same system except me personally (su, sudo, and actual
> logins). I am the only actual user.
>
> What's going on? How do I determine where they're coming from? Is
> there really someone or something trying to hack in? If no, what
> really is going on?

I'd say someone is trying to target your system. I used to see a lot of this kind of thing, except it was targeted against known Windows exploits. I wonder if your Windows installation was compromised, and they then found that you run Linux, and are now trying to break into your Linux box. Or they could just have searched for sshd responses, and then targeted them.

Is your access wired or wireless? I think wireless access points are public, so your neighbors will be able to find it. I don't know enough about wireless to know whether they can then initiate attacks against your system.
If your access is wired, do you have a router? That can provide a hardware barrier to these kinds of attacks, a good first line of defense.

Have you got all internet services turned off? You should for sure disable sshd, since there is no reason for anyone to remotely access your computer.

    systemctl stop sshd
    systemctl mask sshd

Same with httpd, if it is running in some flavor; you don't need a web server.

Have you got a strong root password? A strong user password?

Make sure that /etc/firewalld/firewalld.conf has zone set to public.

Have you hardened your browser with privacy and security settings?

This is a big topic; it will take a lot of research on your part to understand and feel comfortable with your security, if you choose to go there. But the above should harden you to a point where it will be difficult to exploit you.

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
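The original question, how to tell whether the attempts come from outside or from within the box, is answered by the source addresses in sshd's "Failed password" journal lines. The following shell snippet is an added example, not from either message in the thread: it tallies those lines by source address and attempted username and counts how many sources fall outside the loopback and RFC 1918 ranges. The log text, the hostname f25 and the user bill are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise sshd authentication failures as they appear in
# "journalctl -u sshd". The log text below is constructed for this example.
SAMPLE_LOG='Jun 29 10:01:02 f25 sshd[1234]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 29 10:01:05 f25 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jun 29 10:02:11 f25 sshd[1240]: Invalid user test from 198.51.100.7 port 40212
Jun 29 10:02:12 f25 sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 40212 ssh2
Jun 29 10:03:40 f25 sshd[1250]: Failed password for bill from 192.168.1.20 port 60122 ssh2
Jun 29 10:03:50 f25 sshd[1255]: Accepted publickey for bill from 192.168.1.20 port 60130 ssh2'

# "count address" for each source of failed logins, most frequent first.
failed_by_source() {
    grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count username" for each name tried, whether or not the account exists.
failed_by_user() {
    grep 'Failed password' \
    | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Loopback and RFC 1918 ranges are "local"; anything else came from outside.
classify() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo local ;;
        *) echo outside ;;
    esac
}

# Number of distinct outside addresses with failed logins; non-zero means
# the attempts are not coming from this machine or the home LAN.
outside_sources() {
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source | while read -r n ip; do
        [ "$(classify "$ip")" = outside ] && echo "$ip"
    done | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
echo "outside sources: $(outside_sources)"
```

On a real system, replace the constructed text with `journalctl -u sshd --no-pager | failed_by_source`; a local address showing up here points at a process on the machine or LAN rather than an internet scanner.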