Hi, i was checking the logs today (/var/log/messages)
and i found this:
the logs repeat a lot, the only thing what change are <ip> and <user>, is someone trying to hack me??, if so am i safe?? or should i do something else to prevent be hacked? O.o

(i remplaced user name for <user> ip address for <ip> and host name for <host name>)

thanks.

Yes, some loser is trying to break into your system.
If you need ssh for remote access from unknown IP addresses, try moving ssh to a different port.
If ssh will only be used from known addresses, then block all others.
If ssh will only be used from the LAN, then block all other addresses.
You may also set up sshd_config to not allow 'root' to log in.

There are several ways to lessen your risk. First would be to not allow directly connecting as root. You can also restrict access to specific users or groups and force the use of keys instead of passwords. Some people recommend running the daemon on another port but that won't stop someone who scans your open ports. The settings to use in /etc/ssh/sshd_config would be:

Doesn't Slackware come defaulted to running the ssh daemon? You have to untick it during the installation?

Bad, bad idea.... 90% of desktop users don't even use ssh to hit another machine much less want their box open... I've always thought that default needed to go away. A lot of people won't catch it (or know what it is in the first place) right after installation and it just creates a big security hole.

If you don't plan on connecting to your computer via ssh from another computer, then disable it.

chmod 644 /etc/rc.d/rc.sshd

or whatever the script is called.

This is very probably one of a multitude of botnet attempts to get access. (Yes, that is classified as hacking.) I sometimes get 1000 a day of these. So long as your password is hard to guess, you are pretty safe. You will increase your odds by making it impossible to log in as root directly, and by making sure that you don't have any random users with shell access (the /etc/passwd file will have /sbin/nologin as the last field of each line for daemon users, who are there only so that they can have a userID). There are other, more complex countermeasures you can take, but there is a diminishing return on that investment.

thanks for your advice, for now i decide to disabled ssh daemon since i really don't need it.
btw i was checking /etc/passwd and there are an user called 'operator'(on root group), can i delete this user or is neccesary?

I would leave that user defined. It is a standard userID, and I am not sure what would break if it were undefined. On my systems, that userID does have /sbin/nologin as the last parameter on the line in /etc/passwd

I disable ssh when I install Slackware as I'm not running servers on my 12.1 boxes. You could try scanning your unit for rootkits, that may give another clue as to whether or not your unit has been penetrated.

http://slackbuilds.org/repository/12.1/system/rkhunter/

Hi,

I would make sure that you have a 'STRONG' password. You could use a 'key' that would be secure way to login.

If you do end up needing to use SSH, i would recommend using "Denyhosts" for added protection. i use to have many attacks a day but in the end i had a huge /etc/hosts.deny list and that cut m traffic considerably.Not to mention that you also receive the IP addresses to be added from other hack attempts (some 27000+ ip addresses) that are auto added to /etc/hosts.deny. I used it and loved it.

I say the best way is to keep the ssh daemon running only when you need it. I don't even install ssh, because I almost never use it.

If you only need to use ssh from your LAN and not across the internet, you can always use /etc/hosts.allow and /etc/hosts.deny to block everyone except those on your network. My hosts.deny file just blocks ALL : ALL, while my hosts.allow file allows only those on my network (192.168.0.). I also have a router with a firewall. I'm definitely not 100% secure, but although I may see some hacking attempts on my router, I never see them on my PC. It's a simple yet effective solution. In addition, using Alien Bob's adaptation of the Easy Firewall Generator is a good idea as well.

Feel free to point out any flaws in my logic -- it would just mean I would change my security settings (and I'm sure would help everyone in the long run).

Well unfortunately in my situation i did not have the ability to have both machines in 1 place. (Server at my dad's, main at my mom's) also since the server was also running an FTP server i couldn't just do an ALL:ALL rule for hosts.deny.

As for flaws in your logic, for your current situation and need there are none, and your solution is probably the most secure way to go about it if the PC is going to be used as a LAN server instead of an internet one.

Fair enough.

Is there a tool to wrap ssh in that will deny an ip after 'x' failed login attempts?