I've seen these messages on my XTerm console and I'm wondering what this stuff means:
Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2
It has appeared up to 5 times and then after the fifth appearance a message like this appeared:
Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye
Is it someone from the net invading and trying to crack the root password on my box?
Also lines such as this appeared twice:
Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer
I tracerouted this IP and he's 14 hops from me. Is the time stamp in his local time?
For some comments, here is my pf.conf that I copied from OpenBSD's FAQ page and with a few facelifts:
# PF FILTERING RULESET
# DEFINING MY BSD'S MACROS
# rl0 = Realtek 8139, connected to ADSL
# dc0 = Linksys LNE 10/100Tx
# lan_net = local/internal network
# internet_services = 22 (ssh), 113 (Auth/Ident) for SMTP and IRC
# icmp_types = reply to ping echo request
# rfc_addresses = RFC 1918 addresses will be blocked from exiting & entering
Originally posted by gani: I've seen these messages on my XTerm console and I'm wondering what this stuff means:
Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2
It has appeared up to 5 times and then after the fifth appearance a message like this appeared:
Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye
Is it someone from the net invading and trying to crack the root password on my box?
The log messages mean that someone, whose public IP address is 211.218.149.7, has tried to log in through SSH to your machine, with the username of root. After ten attempts, they have (been) disconnected.
If no-one who should have access to your system has the IP address 211.218.149.7, then I'd consider disabling root logins in ssh.conf.
Quote:
Also lines such as this appeared twice:
Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer
I tracerouted this IP and he's 14 hops from me. Is the time stamp in his local time?
No, the time stamp is generated by syslog when the log message is written, so it will be in your computer's local time, as returned by the command:
I just put that ssh remote login in, I won't use it actually since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Anyway, hackers have nothing really important to find in my practice box, just the config files.
I asked about the time stamp because it seems that it's already 12:28 AM (00:28) on Sept. 23 where he is, and we are still at Sept. 22 here, 6:50 PM, so it looks like he's ahead by almost 7 hrs.
Originally posted by gani: I just put that ssh remote login in, I won't use it actually since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Anyway, hackers have nothing really important to find in my practice box, just the config files.
An intruder would find a box quite suitable for common intrusive tasks, such as sending spam.
Quote:
I asked about the time stamp because it seems that it's already 12:28 AM (00:28) on Sept. 23 where he is, and we are still at Sept. 22 here, 6:50 PM, so it looks like he's ahead by almost 7 hrs.
Thanks!
It could be that it's reporting in GMT, or that you have the wrong timezone set up.
Edit /etc/ssh/sshd_config and make sure the line
PermitRootLogin
is set to no and does not have a # in front of it, then find the PID of the main sshd (using ps and grep) and send it a -HUP signal using the kill command. If you don't need to ever login to your box from outside your network, then you should remove 22 from internet_services and reload your PF rules.
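The edit-and-reload procedure above, as an added example that is not part of this thread: it forces a single active "PermitRootLogin no" line into a copy of sshd_config and reloads sshd from its pid file instead of ps and grep. The paths /etc/ssh/sshd_config and /var/run/sshd.pid are OpenBSD defaults assumed here; run the reload part as root on a real box.

```sh
#!/bin/sh
# Added example (not the thread's own code): make sure sshd_config carries an
# uncommented "PermitRootLogin no", then HUP the listening sshd so it rereads
# its configuration. Assumed OpenBSD paths: /etc/ssh/sshd_config and
# /var/run/sshd.pid.

# set_permit_root_login FILE -> rewrites FILE in place so that exactly one
# uncommented "PermitRootLogin no" line remains. Every existing
# PermitRootLogin line, commented or not, is dropped first, so the
# function is safe to run more than once.
set_permit_root_login() {
    file=$1
    tmp="$file.tmp.$$"
    grep -v -E '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$file" > "$tmp" || true
    printf 'PermitRootLogin no\n' >> "$tmp"
    mv "$tmp" "$file"
}

# permit_root_login_value FILE -> prints the value sshd would use, or nothing
# if the directive is absent or only present as a comment. sshd takes the
# first occurrence of a keyword, so the scan stops at the first match.
permit_root_login_value() {
    awk '/^[[:space:]]*PermitRootLogin[[:space:]]/ { print $2; exit }' "$1"
}

# reload_sshd -> signal the master sshd only (its pid is in the pid file),
# leaving already established sessions untouched.
reload_sshd() {
    kill -HUP "$(cat /var/run/sshd.pid)"
}

# Typical use on the real system (uncomment when running as root):
# set_permit_root_login /etc/ssh/sshd_config && reload_sshd
```

After this, also drop 22 from the internet_services macro in pf.conf and reload the ruleset, as the reply says, if you never need to reach the box from outside.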
Are these reports also being logged to files? Where can they be found?
What intrusion detection is OBSD using?
And one more, if I want to immediately monitor incoming connections, what command will I have to execute? I just noticed the verbose messages after some minutes, once the box had become idle, just like a screen saver.
OpenBSD is really great! Policing every connection and immediately reporting it verbosely.
Will it be possible to see that via a remote OBSD box?
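Reading the failed-login lines from the log file rather than the console, as an added example that is not part of this thread: it groups sshd "Failed password" lines by source address and flags sources that reach a threshold. On OpenBSD these lines go to /var/log/authlog (assumed path; "tail -f /var/log/authlog" watches it live); the sample log is constructed from the lines in the original post plus two made-up entries.

```sh
#!/bin/sh
# Added example (not the thread's own code): summarise sshd "Failed password"
# lines per source address. Assumes OpenBSD's /var/log/authlog; the sample
# below is constructed, modelled on the lines quoted in the thread.

# write_sample_authlog FILE -> constructed log lines (211.218.149.7 is the
# address from the post; 192.0.2.x are documentation addresses).
write_sample_authlog() {
    cat > "$1" <<'EOF'
Sep 23 00:28:12 firewall sshd[5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:12 firewall sshd[24770]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:13 firewall sshd[24771]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:14 firewall sshd[24772]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:15 firewall sshd[24773]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:16 firewall sshd[327]: Received disconnect from 211.218.149.7:11: Bye bye
Sep 23 00:30:01 firewall sshd[401]: Failed password for invalid user admin from 192.0.2.44 port 3022 ssh2
Sep 23 00:30:05 firewall sshd[402]: Accepted publickey for gani from 192.0.2.10 port 51000 ssh2
EOF
}

# failed_logins_by_source LOGFILE -> one line per source, "<count> <ip> <users
# tried>", most attempts first. Disconnects and successful logins are ignored.
failed_logins_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # layout: ... for [invalid user] <name> from <ip> port <n> ssh2
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            count[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip] = users[ip] " " user }
        }
        END { for (ip in count) printf "%d %s%s\n", count[ip], ip, users[ip] }
    ' "$1" | sort -rn
}

# sources_at_or_above LOGFILE N -> source IPs with at least N failures, one per
# line; N=5 matches the burst described in the original post.
sources_at_or_above() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}
```

Pointing failed_logins_by_source at /var/log/authlog gives the same summary for the real log; the first column is what to watch over time.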