Re: attempts to hack in?


 



On 07/01/2017 09:14 PM, William Mattison wrote:
> Today (Saturday), I booted up only once, logged in only once as my primary common user, and then a short while ago logged in to a different account with adequate privileges to view the journalctl.  With over 12 hours as a common user, I hoped that searching the journalctl would be simpler.  I hoped!

Try "journalctl -b -u sshd". That will show you all the log entries from the ssh server since you last rebooted. There are other parameters you can use to limit to a single day, etc. "journalctl -r" can be helpful as well, it shows you the log entries starting from the most recent and going back in time.

> In today's log, there were at least 148 occurrences of "authentication failure", 41 occurrences of "password check failed", 14 occurrences of "user=root", 27 occurrences of "user (root)", 270 occurrences of "invalid user", 1546 occurrences of "CRYPTO_KEY_USER", and 296 occurrences of "CRYPTO_SESSION".  I saw the following "rhost=" ip addresses:

A nice collection from all around the world. :-)

> I saw the following "user=" fields:

These are login attempts on accounts that exist on your system.

> I saw the following "invalid user ______ " fields, most followed by "[preauth]":

These are login attempts on accounts that don't exist.

> Here are a few relevant journalctl entries:

Those are the typical logs from the automated brute force attempts.

> I did use the firewall configuration tool to turn off public ssh.  We'll see what difference that makes Monday.  (I'll be out most of tomorrow.)

Make sure you told it to save the runtime config to permanent or those changes will go away when you reboot.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
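
An added example, not part of the original thread: shell functions that tally the failed-password entries in "journalctl -b -u sshd" output by source address and by account name, separating existing from invalid accounts the way the reply does. The sample lines are constructed, and the field positions assume journalctl's default short output and sshd lines ending in "from ADDR port N ssh2".

```shell
#!/bin/sh
# Constructed sample lines (documentation address ranges, made-up accounts).
sample_log() {
cat <<'EOF'
Jul 01 10:02:11 host sshd[1234]: Invalid user admin from 203.0.113.5 port 4242
Jul 01 10:02:13 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jul 01 10:02:22 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 4300 ssh2
Jul 01 10:02:30 host sshd[1238]: Failed password for invalid user x from 192.0.2.99 port 1 from 203.0.113.5 port 4400 ssh2
Jul 01 10:03:00 host sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jul 01 10:03:01 host sshd[1240]: Failed password for root from 198.51.100.7 port 5555 ssh2
Jul 01 10:05:40 host sshd[1251]: Accepted password for alice from 192.0.2.10 port 6000 ssh2
EOF
}

# Failed-password count per source address, busiest first ("count addr").
# The account name is supplied by the client and may contain spaces or the
# word "from", so the address is read from a fixed position at the END of
# the line (sshd writes "... from ADDR port N ssh2"), never by searching.
failed_by_host() {
    awk '$6 == "Failed" && $7 == "password" && $(NF - 4) == "from" {
             n[$(NF - 3)]++
         }
         END { for (h in n) print n[h], h }' | sort -k1,1nr -k2,2
}

# Targeted account names, labelled as in the reply above:
# "existing" = the account is on the system, "invalid" = it is not.
targeted_accounts() {
    awk '$6 == "Failed" && $7 == "password" && $(NF - 4) == "from" {
             kind = "existing"; first = 9
             if ($9 == "invalid" && $10 == "user") { kind = "invalid"; first = 11 }
             name = $first
             # Re-join a name containing spaces, stopping before the real "from".
             for (i = first + 1; i < NF - 4; i++) name = name " " $i
             n[kind " " name]++
         }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# On a live system (command from the reply above):
#   journalctl -b -u sshd | failed_by_host
sample_log | failed_by_host
sample_log | targeted_accounts
```
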


