Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I currently run a FreeNX server on my openSUSE box. I have port 22 on the firewall opened so that I can access my system remotely using PuTTY and the NX client. I just now noticed that I have activity on that port in the gkrellm inet display plugin (activity that I have not initiated). I shut down the FreeNX server but the activity remained. Clicking on the inet button displayed a connection represented by a few letters and numbers, something like ffm4345:1445 (sorry, I can't remember the number exactly, but it sort of reminded me of the machine address of a NIC). Closing this port on my firewall immediately stopped the activity.

My passwords are relatively secure in that they don't appear in any dictionary and contain a combination of upper and lower case letters, symbols and spaces. Having originally set up Cygwin, I remember setting up the keys for ssh, but I sort of forget how now, and I set up FreeNX using the default NoMachine key because of all the horror stories I read about people trying to use their own keys. With PuTTY I just accepted the key and away I went. I guess a little bit of knowledge is a dangerous thing for me. General googling on the subject reveals a deluge of info; could I please have a bit of direction?
First thing probably is to verify if I have been compromised or not how can I go about doing so?
Secondly I guess I will have to work on securing ssh which seems like it is a rather big subject.
P.S. I opened the port on my firewall to see if the activity returned while I was at the system, and to see if I could get that number, but of course I don't feel comfortable leaving it down while I am not at the system. The activity has not returned as of yet.
It's probably people trying to break in via SSH. This happens to me all the time, and if you have good passwords and such, you should be ok. Have a look at some of the logfiles and see if you see any signs that anyone actually managed to break in (I don't know which log SuSE puts SSH output into).
You might consider setting up iptables and writing the firewall as if your server was a bastion host. Then every time you look at your logs, you can close out that IP address if they aren't supposed to be in. If you want real up-to-the-minute info, set up Snort as an IDS and then you can find out immediately if someone who isn't supposed to is trying to get in.
Thanks for the replies.
I have been able to ascertain so far with

Code:
# grep sshd /var/log/messages
Apr 21 18:35:53 **** sshd[26118]: Invalid user amanda from 65.205.238.12
Apr 21 18:35:59 **** sshd[26130]: Invalid user amanda from 65.205.238.12
Apr 21 18:36:07 **** sshd[26146]: Invalid user bob from 65.205.238.12
Apr 21 18:36:08 **** sshd[26148]: Invalid user bryan from 65.205.238.12
....etc....

I don't think that they actually got in, but it seems to me that there was traffic both ways in the gkrellm monitor?
I have now taken more elaborate precautions to protect myself. Thanks all.
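The grep above shows the failed guesses but not whether any attempt succeeded, which is the actual question. The following script is an added example (it is not from the thread or from any poster) that takes the same style of sshd log lines and answers both questions: how many "Invalid user" attempts each source IP made, and whether any "Accepted" login appears. The log content is constructed for the example; the 65.205.238.12 lines are the ones quoted above and the other addresses (203.0.113.9, 10.0.0.7, 192.168.1.20) are made up. The suggested iptables rules are only printed, never executed.

```shell
#!/bin/sh
# Constructed sample of sshd lines as they appear in /var/log/messages
# (hostname masked as **** like in the post above; extra addresses are made up).
SAMPLE_LOG='Apr 21 18:35:53 **** sshd[26118]: Invalid user amanda from 65.205.238.12
Apr 21 18:35:59 **** sshd[26130]: Invalid user amanda from 65.205.238.12
Apr 21 18:36:07 **** sshd[26146]: Invalid user bob from 65.205.238.12
Apr 21 18:36:08 **** sshd[26148]: Invalid user bryan from 65.205.238.12
Apr 21 18:37:11 **** sshd[26160]: Invalid user test from 203.0.113.9
Apr 21 18:37:15 **** sshd[26162]: Invalid user admin from 203.0.113.9
Apr 21 18:40:12 **** sshd[26201]: Failed password for root from 10.0.0.7 port 40211 ssh2
Apr 21 18:41:02 **** sshd[26233]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2'

# sample_log_file: write the constructed sample to a temp file and print its path,
# so the functions below can be pointed at it exactly like at /var/log/messages.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# count_invalid_users FILE: "COUNT IP" per source address, busiest first.
count_invalid_users() {
    grep 'sshd\[[0-9]*\]: Invalid user ' "$1" \
        | sed 's/.* from \([0-9.]*\).*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# list_accepted_logins FILE: successful logins. This is the line to look for when
# checking for a compromise: a guessed name only matters if an "Accepted" follows.
list_accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" || true
}

# offenders_over FILE N: source addresses with more than N invalid-user attempts.
offenders_over() {
    count_invalid_users "$1" | awk -v n="$2" '$1 > n {print $2}'
}

# suggest_drop_rules FILE N: print (do not run) a DROP rule per offender, the
# "block them in your firewall" step from the replies, as a dry run for review.
suggest_drop_rules() {
    offenders_over "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Stand-alone usage: summarise the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_log_file)
    echo "Invalid-user attempts per IP:"; count_invalid_users "$f"
    echo "Accepted logins:"; list_accepted_logins "$f"
    echo "Rules to review:"; suggest_drop_rules "$f" 3
    rm -f "$f"
fi
```

Run it as `sh script.sh --demo`; on a real box replace the sample file with `/var/log/messages` (or `/var/log/auth.log`, depending on the distribution's syslog layout). An "Accepted" line from an address or at a time you do not recognise is the sign that deserves attention, not the volume of "Invalid user" noise.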
You're definitely getting the old dictionary attack. Just block them in your firewall and keep on going. Just watch the logs daily and keep adding the IP addresses of the wily attackers. It will require diligence and daily maintenance, but that is the world of IT. Good luck and have fun!
A few more things to consider:
Change from port 22 (ListenAddress). Non-standard and ugly but effective.
Use SSH V2 ONLY (Protocol 2) and disable passwords in favour of RSA keys.
Set up a specific "ssh users" group id and restrict access to users only in that group (AllowGroups) to cut down the number of accounts exposed to dictionary attack.
Take a look at some of the dynamic ssh tarpit/blacklist scripts around for iptables.
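To make the list above checkable rather than just readable, here is an added example (not from the thread or any poster) that audits an sshd_config file for the settings it mentions: a non-standard port, protocol 2 only, passwords off in favour of keys, and an AllowGroups restriction, plus PermitRootLogin, which is worth checking at the same time. Both config files are constructed for the example; the listening port is set with the `Port` directive. The defaults the script falls back to when a keyword is absent (port 22, Protocol 2,1, password and root login allowed) are assumptions matching old OpenSSH releases, so check them against `man sshd_config` on your own version.

```shell
#!/bin/sh
# Constructed examples: a permissive sshd_config and one tightened along the
# lines of the post above. Neither is taken from a real system.
WEAK_CONF='Port 22
Protocol 2,1
PasswordAuthentication yes
PermitRootLogin yes'

HARDENED_CONF='Port 2222
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups sshusers'

# write_conf TEXT: put a config into a temp file and print its path.
write_conf() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# conf_value FILE KEYWORD: first effective value of a keyword. sshd honours the
# first occurrence of a keyword and matches keywords case-insensitively.
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: one finding per line, nothing when all checks pass.
# Fallback values below are assumed defaults of old OpenSSH releases.
audit_sshd_config() {
    port=$(conf_value "$1" Port);   [ -n "$port" ] || port=22
    proto=$(conf_value "$1" Protocol); [ -n "$proto" ] || proto="2,1"
    pw=$(conf_value "$1" PasswordAuthentication); [ -n "$pw" ] || pw=yes
    root=$(conf_value "$1" PermitRootLogin); [ -n "$root" ] || root=yes
    groups=$(conf_value "$1" AllowGroups)

    if [ "$port" = "22" ]; then
        echo "Port: still listening on 22, every scanner will find it"
    fi
    case "$proto" in
        *1*) echo "Protocol: SSH1 still enabled ($proto), use 'Protocol 2'" ;;
    esac
    if [ "$pw" = "yes" ]; then
        echo "PasswordAuthentication: yes, dictionary attacks can succeed; switch to keys"
    fi
    if [ "$root" = "yes" ]; then
        echo "PermitRootLogin: yes, the one account every attacker tries"
    fi
    if [ -z "$groups" ]; then
        echo "AllowGroups: unset, every local account is exposed to guessing"
    fi
    return 0
}

# audit_count FILE: number of findings, handy for scripting a pass/fail.
audit_count() {
    audit_sshd_config "$1" | grep -c . || true
}

# Stand-alone usage: audit both constructed configs.
if [ "${1:-}" = "--demo" ]; then
    for c in "$WEAK_CONF" "$HARDENED_CONF"; do
        f=$(write_conf "$c")
        echo "== $f: $(audit_count "$f") finding(s)"; audit_sshd_config "$f"
        rm -f "$f"
    done
fi
```

Point `audit_sshd_config` at `/etc/ssh/sshd_config` to check a live box; after editing, `sshd -t` validates the syntax before a restart, and it pays to keep the existing session open until a fresh key-based login on the new port has succeeded.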