On 06/29/2017 04:25 PM, stan wrote:
> On Thu, 29 Jun 2017 22:28:28 -0000
> "William Mattison" <mattison.computer@xxxxxxxxx> wrote:
>
>> Good afternoon,
>>
>> (f25 home workstation)
>>
>> While looking at journalctl output yesterday and today for other
>> reasons (separate thread), I saw many "authentication failure"
>> messages, over half also saying "user=root". I also saw many
>> "password check failed for user (root)" messages. I saw many unknown
>> user login attempts, and a few invalid user login attempts, and some
>> attempts using one of the valid regular user names. Why? I am not
>> yet good at reading journalctl output, so I don't know if these
>> connection attempts are coming from "outside" or within this system.
>> I don't know if I should be concerned or not. I do not intend anyone
>> or anything to be able to get in to this system except for things
>> that I initiate (examples: Firefox activity, Thunderbird activity,
>> "dnf upgrade", installs, etc.). And it doesn't make sense to me that
>> any of those would be trying to log in to this system to do what I
>> want. I also don't see why anything on this system would try to log
>> in to this same system except me personally (su, sudo, and actual
>> logins). I am the only actual user.
>>
>> What's going on? How do I determine where they're coming from? Is
>> there really someone or something trying to hack in? If no, what
>> really is going on?
>
>
> I'd say someone is trying to target your system. I used to see a lot
> of this kind of thing, except it was targeted against known Windows
> exploits. I wonder if your Windows installation was compromised, and
> they then found that you run Linux, and are now trying to break into
> your Linux box. Or they could just have searched for sshd responses,
> and then targeted them.
>
> Is your access wired or wireless? I think wireless access points are
> public, so your neighbors will be able to find it.
> I don't know enough
> about wireless to know whether they can then initiate attacks against
> your system.

They're only public if you don't protect them with a passphrase. Use
secure keys (WPA2-PSK with AES encryption if possible--avoid using WEP
at all costs). If possible, set your wifi to NOT broadcast its SSID.
Failing that, at least change the SSID to something that does NOT give
away the location of the network. For example, DON'T use an SSID that
is your name or your address or anything like that. Make it obscure,
like "finglebutznorkle" (unless, of course, your name is
finglebutznorkle or you live on Finglebutznorkle Avenue).

> If your access is wired, do you have a router? That can provide a
> hardware barrier to these kinds of attacks, a good first line of
> defense.
> Have you got all internet services turned off? You should for sure
> disable sshd since there is no reason for anyone to remotely access
> your computer.
> systemctl stop sshd
> systemctl mask sshd
> Same with httpd, if it is running in some flavor, you don't need a web
> server. Or a mail server, finger, xinetd, etc. etc.
> Have you got a strong root password?
> A strong user password?
> Make sure that /etc/firewalld/firewalld.conf has zone set to public.
> Have you hardened your browser with privacy and security settings?
>
> This is a big topic, it will take a lot of research on your part to
> understand and feel comfortable with your security, if you choose to
> go there. But the above should harden you to a point where it will be
> difficult to exploit you.

Amen to that. Security is a huge issue. The vast majority of attacks
are brute-force attempts to hack your ssh port. Do not permit root
logins via ssh. Unless you absolutely need it, close the SSH port on
your firewall(s). If you do need it, make sshd listen on a different
port and restrict incoming ssh sessions to IP addresses you know you'll
be on. Better yet, use a VPN service and only permit ssh via that VPN.
Other common attacks are trojans, malware and such attached to email or
websites. NEVER open email attachments if you can avoid it. If they
(supposedly) come from a friend, I STILL wouldn't open them unless
they've been encrypted with your friend's GPG key and you can verify
them. Make sure you disable your browser's ability to run scripts
without confirmation. Don't let it turn on your webcam or microphones.

And never put selinux in "disabled" mode. It's there for a reason. Tune
your policies instead of disabling or setting it to "permissive".

Use the firewall on your router and make it as restrictive as possible.
Use iptables/firewalld/whatever on your machines and also make THEM as
restrictive as possible.

Keep your software up-to-date (gawd, how many DOS attacks and crap have
been caused by pirated Winblows boxes that never got updated?).

All of that barely scratches the surface.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 226437340    Yahoo: origrps2        -
-                                                                    -
-            Dyslexics of the world: UNTIE!                          -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
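Both replies above point at sshd as the likely source, but William's actual question was how to tell from the journal whether the "authentication failure" and "user=root" lines come from outside or from his own su/sudo use. The script below is an added example for this thread, not code from the list, from Fedora or from either poster. It reads journal text on stdin (for example the output of `journalctl --since yesterday`) and tallies failures by origin: pam_unix records carry an `rhost=` field that is filled in for SSH peers and empty for local tty/su/sudo attempts, and sshd's own "Failed password" and "Invalid user" lines always name the peer address. The embedded log lines are constructed for the example; `ws`, `bill` and the 203.0.113.0/24 and 198.51.100.0/24 addresses are made up (documentation ranges).

```python
"""Tally authentication failures in journal output by where they came from.

Added example for this thread, not code from the mailing list or from Fedora.
Usage: journalctl --since yesterday | python3 authfail.py
(run with no piped input, it analyses the constructed SAMPLE_LOG below).
"""
import re
import sys
from collections import Counter

# pam_unix failure record, as emitted by sshd, sudo, su and login, e.g.
#   pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
# rhost is the SSH peer address; for su/sudo it is empty and ruser/tty name the local caller.
PAM_FAIL = re.compile(
    r"pam_unix\((?P<service>[^:)]+):auth\): authentication failure;.*?"
    r"tty=(?P<tty>\S*) ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# sshd's own records, which always carry the peer address, e.g.
#   Failed password for root from 203.0.113.5 port 51234 ssh2
#   Invalid user admin from 198.51.100.7 port 40022
#   Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) (?:invalid user )?"
    r"(?P<user>\S+) from (?P<rhost>\S+)"
)


def classify(line):
    """Return (origin, target_user, source) for one failure line, or None.

    origin is "remote" when the record names a peer address and "local"
    when it came from a tty on this host (su, sudo, console login).
    """
    m = PAM_FAIL.search(line)
    if m:
        if m.group("rhost"):
            return ("remote", m.group("user"), m.group("rhost"))
        who = m.group("ruser") or m.group("tty") or "?"
        return ("local", m.group("user"), f"{m.group('service')} by {who}")
    m = SSHD_FAIL.search(line)
    if m:
        return ("remote", m.group("user"), m.group("rhost"))
    # "password check failed for user (root)" from unix_chkpwd carries no
    # source at all, so such lines are deliberately not counted.
    return None


def summarize(log_text):
    """Count failure lines per (origin, source) and per (origin, target user).

    One failed SSH password produces both a pam_unix line and a sshd
    "Failed password" line, so these are per-line counts, not per attempt;
    the ratio between sources is what matters for spotting an outside scan.
    """
    by_source, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            origin, user, source = hit
            by_source[(origin, source)] += 1
            by_user[(origin, user)] += 1
    return by_source, by_user


# Constructed sample of `journalctl` short-format output (not real data).
SAMPLE_LOG = """\
Jun 29 10:01:02 ws sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun 29 10:01:04 ws sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 29 10:01:09 ws sshd[1204]: Invalid user admin from 198.51.100.7 port 40022
Jun 29 10:01:11 ws sshd[1204]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun 29 10:02:30 ws unix_chkpwd[1210]: password check failed for user (root)
Jun 29 10:02:30 ws sshd[1208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun 29 10:05:00 ws sudo[1300]: pam_unix(sudo:auth): authentication failure; logname=bill uid=1000 euid=0 tty=/dev/pts/0 ruser=bill rhost=  user=root
Jun 29 10:05:20 ws su[1310]: pam_unix(su-l:auth): authentication failure; logname=bill uid=1000 euid=0 tty=pts/0 ruser=bill rhost=  user=root
"""


def main():
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    by_source, by_user = summarize(text)
    print("failures by origin and source:")
    for (origin, source), n in by_source.most_common():
        print(f"  {n:4d}  {origin:6s}  {source}")
    print("failures by origin and target user:")
    for (origin, user), n in by_user.most_common():
        print(f"  {n:4d}  {origin:6s}  {user}")


if __name__ == "__main__":
    main()
```

On the constructed sample the remote rows (five lines from two addresses, all aimed at root or a non-existent user) stand apart from the two local rows, which are the owner's own mistyped sudo/su passwords. A real journal that shows the same shape is an outside scan of the SSH port, which is exactly the case for the "close or restrict sshd" advice in the replies; if every failure has an empty rhost, the noise is local and nothing is knocking from outside.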