Re: how to detect hack attempts.

On 2020-02-21 11:53, home user wrote:
> (on 02/20/2020 at 7:34pm mountain time, Frank said)
> > Another suggestion, get Wireshark for sniffing traffic,
> > run a sniffer trace as you are using the machine. You'll
> > want to capture any IP (layer 3) traffic leaving or
> > entering your machine (may want to setup filters to reduce
> > capture size). This may be a way to start your analysis.
>
> > Disable any services (daemons) running on the machine that
> > are not required with a listening port:
> > sudo netstat -tulpn | grep LISTEN
> > above will display listening ports
> > This is at least a start
>
> Except for the netstat command, that went over my head.  I have no training in sysadmin and IT security.  I'm a home user.  I don't know how to do what you suggest, or what to look for in the output.
>
> Output to the netstat command is the same as what I put in my earlier reply to Ed.
>
> (my own idea) I tried wading through several thousand lines of journalctl output.  I couldn't even find my 2 logins since the last boot (late this morning).  I vaguely recall a few years ago stumbling onto large numbers of hack attempts noted in journalctl output, but I don't remember what to look for.
>

I don't know how you've gone about identifying "hack attempts". 

But the "last" command should display all successful logins.

Additionally, the "lastb" command would reveal failed logins.  I do have one system configured to allow
ssh connections from the Internet using only public-key authentication.  I do so to watch attempts by
"script-kiddies". 

The most recent attempts being...

support  ssh:notty    92.63.194.7      Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.108    Fri Feb 21 09:45 - 09:45  (00:00)
ubnt     ssh:notty    92.63.194.107    Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.106    Fri Feb 21 09:45 - 09:45  (00:00)
test     ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.107    Fri Feb 21 09:44 - 09:44  (00:00)
user     ssh:notty    92.63.194.106    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.105    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)

92.63.194.107 being in Russia.  :-)


-- 
The key to getting good answers is to ask good questions.