On 26 Sep 2020 at 6:26, stan via users wrote: Date sent: Sat, 26 Sep 2020 06:26:03 -0700 To: users@xxxxxxxxxxxxxxxxxxxxxxx Subject: Re: /var/btmp with ssh:nottyroot Organization: zohofree Send reply to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx> From: stan via users <users@xxxxxxxxxxxxxxxxxxxxxxx> Copies to: stan <upaitag@xxxxxxxx> > On Sat, 26 Sep 2020 18:00:39 +1000 > "Michael D. Setzer II via users" <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > Had one Fedora 32 machine that has the ssh port open. > > the /var/btmp file was showing a number of lines with the > > ssh:nottyroot line followed by various different IP addresses. > > > > Can stop the sshd service that the btmp file stops growing. > > > > Use to use denyhosts on systems, but it seems to have been removed. > > The old denyhost would add blocked ipaddresses to stop these sites? > > Know that root is not allowed to login ssh by default, so are these > > lines just saying attempts had been blocked. > > > > Have vsftpd setup to use passive ports, so blocking port 22 would not > > be a big deal. But just seeing the btmp file grow seems to show > > wasted bandwidth if not showing an issue. > > > > Is it an issue or not?? > > I think not, but am not sure, since my knowledge of this is limited. > I'm also not sure why denyhosts was dropped from Fedora, so it might be > meaningless to run it if it has been replaced by another mechanism > (systemd?), but you can go here, > https://koji.fedoraproject.org/koji/buildinfo?buildID=1130378 > and download the F29 rpm and install it on your system. The version > there is the same as the latest version from upstream, > https://sourceforge.net/projects/denyhosts/files/ > > It might be that the upstream project is not being developed anymore, > so it was dropped from Fedora, but it could also be that the package > maintainer orphaned it and no one picked it up. > > The other possibilities are that fail2ban or tcp_wrappers might have a > means of doing what you want. Someone else here might be able to > confirm or deny that. Thanks for the reply. I did install the fail2ban and enabled it, but when I restarted the sshd I was seeing the same exact things in btmp. Ended up just blocking incoming port 22 on the router. Had 21 and 22 setup for ftp access, but since ftp has passive ports setup anyway, no need to have it open. Have 5 computers on home private network that can use port 22. Usually use vnc to access machine, but Fedora has also just dropped vncserver program from latest update, and now wants to force running it via systemd?? Just downgrade to last version that worked, and blocked it from being updated at the moment.. Deny host was interesting, and you could check out the hosts.deny file and see what IPs where trying to break in. The /var/log/btmp file lists the stuff, but it isn't a text file, and shows repeated attempts. Thanks again. Be Safe. > _______________________________________________ > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx +------------------------------------------------------------+ Michael D. Setzer II - Computer Science Instructor (Retired) mailto:mikes@xxxxxxxx mailto:msetzerii@xxxxxxxxx Guam - Where America's Day Begins G4L Disk Imaging Project maintainer http://sourceforge.net/projects/g4l/ +------------------------------------------------------------+ _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx