I've seen these messages on my XTerm console and I'm wandering what these stuffs mean:

Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2

It has appeared up to 5 times and then after the fifth appearance a message like this appeared:

Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye

Is it someone from the net is envading and trying to crack the root password in my box?

Also lines such as this appeared twice:

Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer

I tracerouted this IP and his 14 hops from me. Is the time stamp in his local time?

For some comments, here is my pf.conf that I copied from OpenBSD's FAQ page and with few facelifts:

# PF FILTERING RULESET
# DEFINING MY BSD'S MACROS
# rl0 = Realtek 8139, connected to ADSL
# dc0 = Linksys LNE 10/100Tx
# lan_net = local/internal network
# internet_services = 22 (ssh), 113 (Auth/Ident) for SMTP and IRC
# icmp_types = reply to ping echo request
# rfc_addresses = RFC 1918 addresses will be blocked from exiting & entering

ext_if = "rl0"
int_if = "dc0"
lan_net = "192.168.0.0/24"
internet_services = "{ 22, 113}"
icmp_types = "echoreq"
rfc_addresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# OPTION
set block-policy return
set loginterface $ext_if

# SCRUB FRAGMENTED INCOMING PACKETS, DEFRAGMENT

scrub in all

# ENABLE INTERNAL NETWORK ADDRESS TRANSLATIONS

nat on $ext_if from $lan_net to any -> ($ext_if)

# REDIRECTION: ALLOW INT_NETWORK INTERNET FTP ACCESS

rdr on $int_if proto tcp from any to any port { 21, 2121 } -> 127.0.0.0 \
port 8021

# SETUP A DEFAULT DENY POLICY

block in all
block out all

# PASS TRAFFIC ON THE LOOPBACK INTERFACE IN EITHER DIRECTION

pass quick on lo all

# ACTIVATE SPOOFING PROTECTION FOR THE INTERNAL INTERFACE

antispoof quick for { lo, $int_if } inet

# RFC 1918 ADDRESSES WILL BE BLOCKED FROM EXITING & ENTERING

block drop in quick on $ext_if from $rfc_addresses to any
block drop out quick on $ext_if from any to $rfc_addresses

# OPEN PORTS FOR SERVICES DEFINED ABOVE TO BE AVAILABE TO THE INTERNET

pass in on $ext_if proto tcp from any to ($ext_if) \
port $internet_services flags S/SA keep state

# ALLOW ICMP TRAFFIC

pass in inet proto icmp all icmp-type $icmp_types keep state

# PASS TRAFFIC TO FROM INTERNAL NETWORK

pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# PASS OUT ALL TRAFFIC ON $ext_if

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

The log messages mean that someone, whose public IP address is 211.218.149.7, has tried to login through SSH to your machine, with the username of root. After ten attempts, they have (been) disconnected.

If no-one who should have access to your system has the IP address 211.218.149.7, then I'd consider disabling root logins in ssh.conf.

No, the time stamp is generated by syslog when the log message is written, so it willl be in your computer's local time, as returned by the command:

I just put that ssh remote login, I won't use it actually since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Enway, hackers has nothing to find really important in my practice box, just the config files.

I asked about the time stamp because it seems that it's already 12:28 (00:28) AM in his place of Sept. 23, and we are still at Sept. 22 here, 6:50PM and it looks like that his ahead by almost 7 hrs.

Thanks!

An intruder would find a box quite suitable for common intrusive tasks, such as sending spam.

It could be that it's reporting in GMT, or that you have the wrong timezone set up.

I remembered that I set it up using Singapore time zone since we lying on the same zone with Singapore, Taiwan, Hongkong and Perth.

Spam....well you're right. Why I never think of that.

Tnx.

Edit /etc/ssh/sshd_config and make sure the line
PermitRootLogin
is set to no and does not have a # in front of it, then find the PID of the main sshd (using ps and grep) and send it a -HUP signal using the kill command. If you don't need to ever login to your box from outside your network, then you should remove 22 from internet_services and reload your PF rules.

K tnx!

Are these reports are also being logged on files? Where can it be found?

What intrusion detection is OBSD using?

And one more, if I want to immediately monitor incoming connections, what command will I have to execute? I just noticed the verbose after some minutes that the box has become idle, just like a screen saver.

OpenBSD is really great! Policing every connections and immediately reporting it verbosely.

Will it be possible seeing that via remote OBSD box?

It should be logged to /var/log/authlog

You can see connections in various states with
$ netstat -anf inet |grep -v LISTEN

You can also use
# pfctl -s state
if PF is enabled, this will show traffic that has matched PF rules and is in limbo or established.