I had just got Arch up and running a couple weeks back, and I was following a random user's guide (previous Ubuntu user and newb to Linux in general)-- I think it may have been a mistake.

When I was configuring my iptables/ufw, I'd added a rule to iptables allowing ssh to be used from anywhere (I think so anyhow); it came up as something along the lines of 'ALLOW: IN : ANYWHERE: ssh 22' in red font on gufw. This had been open for about a few days, and I didn't realize the security risk until I learned what ssh is.

So is it likely that my system is compromised and needs a full hard drive wipe? hosts.deny remained in its default state, so wouldn't that override the iptables configuration or no? Could my router have kept any potential threats out like it has before despite the rule?

Sure. I mean, you're saying this box was behind a NAT router that was not configured to forward traffic to TCP port 22, right? If so, then your SSH daemon was never exposed to the Internet. That said, you can check /var/log/auth.log for evidence of remote login activity.

1 members found this post helpful.

Yes, I'm behind an NAT router and the router wasn't configured to allow access to port 22. I'd checked that before and didn't see anything unusual, but just to make sure I'll look over it once more. Thanks for the help.

If your system was updated for security updates and your root password was not something like "admin" there is little to worry.

Most servers exposed to the internet have port 22 open to allow access for the administrator. That is a lot worse as what you have.

Be sure however that root is not allowed SSH access, that users don't have and obvious password and that the root password is sufficiently secure.

Besides checking auth.log you could check if you machine is compromised with chrootkit or another root kit detection program.

jlinkels

No problem. Let us know if you find anything.