A rule like this makes cracking your 123456 password a whole lot harder without
changing anything else.
iptables -t filter -A IN_public_deny -p tcp --dport pop3s --syn \
    -m recent --name pop3s_attack --rcheck --seconds 90 --hitcount 2 \
    -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
The magic is in "-m recent --rcheck --seconds 90 --hitcount 2". That means any
given site gets one chance to log in before facing a 90-second blockage. If they
have to guess "AZBYCXDW" as a password, you can imagine how long you have to
catch them in your log and explicitly block their whole subnet.
{^_-}
On 2017-06-29 16:06, Samuel Sieb wrote:
On 06/29/2017 03:28 PM, William Mattison wrote:
While looking at journalctl output yesterday and today for other reasons
(separate thread), I saw many "authentication failure" messages, over half
also saying "user=root". I also saw many "password check failed for user
(root)" messages. I saw many unknown user login attempts, and a few invalid
user login attempts, and some attempts using one of the valid regular user
names. Why? I am not yet good at reading journalctl output, so I don't know
if these connection attempts are coming from "outside" or within this system.
I don't know if I should be concerned or not. I do not intend anyone or
anything to be able to get in to this system except for things that I initiate
(examples: Firefox activity, Thunderbird activity, "dnf upgrade", installs,
etc.). And it doesn't make sense to me that any of those would be trying to
log in to this system to do what I want. I also don't see why anything on
this system would try to log in to this same system except me personally (su,
sudo, and actual logins). I am the only actual user.
What's going on? How do I determine where they're coming from? Is there
really someone or something trying to hack in? If no, what really is going on?
Assuming that your computer is directly connected to the internet, then yes,
that is someone trying to brute force your root (or other user) password. That
is completely "normal". There should be an IP address for the connecting
computer logged either on the same line or nearby.
Most important,
How do I prevent connections from outside?
If you have no intention of remotely logging in to your computer, then use the
firewall configuration tool to block the ssh port as well. By default, it
leaves that one open. On the system I have a password for logging in, I have a
firewall rule that limits ssh connections to one per minute for each address
connecting. That drastically reduces the brute force attempts. On most other
systems I use keys only, so I don't even bother limiting those ones.
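The two practical questions in this thread are "where are the failures coming from?" and "what does a per-source rate limit such as -m recent --seconds 90 --hitcount 2 actually do to them?". The script below is an added example, not code from either poster: it parses constructed journalctl-style sshd/pam_unix lines (documentation addresses, year 2017 assumed because the journal's short format carries none), tallies failures by remote address versus local service, and then models the common two-rule iptables pattern (a --set rule followed by a --rcheck --seconds S --hitcount N drop) over those same attempts, so both the "one per minute per address" limit Samuel describes and the 90-second variant in the reply above can be compared. The rule ordering is an assumption of this example.

```python
"""Triage "authentication failure" noise from journalctl and model the
per-source rate limit (iptables -m recent) discussed in this thread.

Added example, not code from the mailing list or any project.  The journal
lines are constructed to resemble Fedora's sshd/pam_unix output; addresses
are RFC 5737 documentation ranges and the year 2017 is assumed."""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample of `journalctl` output (not real logs).
SAMPLE_JOURNAL = """\
Jun 29 15:01:02 host sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jun 29 15:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 29 15:01:09 host sshd[1203]: Invalid user admin from 198.51.100.7 port 40100
Jun 29 15:01:11 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Jun 29 15:01:30 host unix_chkpwd[1208]: password check failed for user (root)
Jun 29 15:01:30 host sshd[1207]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jun 29 15:02:45 host sshd[1210]: Failed password for root from 203.0.113.5 port 51041 ssh2
Jun 29 15:03:00 host su[1300]: pam_unix(su-l:auth): authentication failure; logname=bill uid=1000 euid=0 tty=pts/0 ruser=bill rhost=  user=root
Jun 29 15:03:12 host sshd[1212]: Failed password for bill from 198.51.100.7 port 40111 ssh2
"""

Event = namedtuple("Event", "ts proc kind user rhost")

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_RE = re.compile(r"authentication failure;.*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)")


def parse_failures(text, year=2017):
    """One Event per failed login.  sshd emits both a pam_unix line and a
    'Failed password' line for the same attempt, so only the latter is kept
    for sshd; pam_unix lines from other services (su, sudo, login) are kept
    as kind='pam'.  unix_chkpwd's 'password check failed' line carries no
    address at all and is skipped; correlate it by time/PID if needed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        proc, msg = m["proc"], m["msg"]
        if proc == "sshd":
            s = SSHD_RE.search(msg)
            if s:
                events.append(Event(ts, proc, "sshd", s["user"], s["ip"]))
            continue
        p = PAM_RE.search(msg)
        if p:
            events.append(Event(ts, proc, "pam", p["user"], p["rhost"] or None))
    return events


def summarize(events):
    """Failures per remote address, and per local service when there is no
    rhost (the attempt originated on this host, e.g. a mistyped su password)."""
    remote, local = Counter(), Counter()
    for e in events:
        if e.rhost:
            remote[e.rhost] += 1
        else:
            local[e.proc] += 1
    return remote, local


def simulate_recent(events, seconds=60, hitcount=2):
    """Model of the rule pair from iptables_rules(): every SYN is stamped by
    --set, then --rcheck drops it when at least `hitcount` stamps (this one
    included) fall within the last `seconds`.  Dropped SYNs are stamped too,
    so a client that keeps hammering stays blocked.  Each remote failure is
    treated as one SYN.  Returns {ip: (accepted, dropped)}."""
    stamps = defaultdict(list)
    verdict = defaultdict(lambda: [0, 0])
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.rhost:
            continue
        stamps[e.rhost].append(e.ts)
        hits = sum(1 for t in stamps[e.rhost] if e.ts - t <= timedelta(seconds=seconds))
        verdict[e.rhost][1 if hits >= hitcount else 0] += 1
    return {ip: tuple(v) for ip, v in verdict.items()}


def iptables_rules(seconds=60, hitcount=2, port=22, name="ssh"):
    """The rules the simulation models, returned as strings so this runs
    without root.  --set must precede --rcheck for 'hitcount 2' to mean
    'one new connection per window'; reversed, it would allow two."""
    base = f"iptables -A INPUT -p tcp --dport {port} --syn -m recent --name {name}"
    return [f"{base} --set",
            f"{base} --rcheck --seconds {seconds} --hitcount {hitcount} -j DROP"]


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_JOURNAL)
    remote, local = summarize(ev)
    print("remote failures by address:", dict(remote))
    print("local failures by service:", dict(local))
    print("verdicts at 1 per 60 s:", simulate_recent(ev))
    print("verdicts at 1 per 90 s:", simulate_recent(ev, seconds=90))
    print("\n".join(iptables_rules()))
```

On a firewalld host such as Fedora the two rules would be installed through `firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ...` rather than raw iptables, and if the intent is never to log in remotely at all, simply closing the ssh service in the firewall, as Samuel says, is the better fix; the limiter only thins the noise from a port that must stay open.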
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx