Okay Buddy, I just installed sshguard and have been reading and re-reading the man page and can't figure out how to look at the log file. Can you help me out?

I was wondering.... how could I tell if a hacker got into my box? After looking around a little at https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging I found that for what I started this morning the log is: /var/log/auth.log

I just looked at that log and was wondering what it meant. It starts on Feb 1st and seems to just be repeating:

Feb 1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed for user root
Feb 1 07:50:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb 1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 1 07:50:55 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb 1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session closed for user root
Feb 1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session closed for user root
Feb 1 08:20:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb 1 08:20:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb 1 08:20:56 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb 1 08:39:01 c521 CRON[22100]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 1 08:39:02 c521 CRON[22100]: pam_unix(cron:session): session closed for user root
Feb 1 08:50:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
--etc--

I then looked at the other logs in /var/log and saw ufw.log and ufw.log.1 . ufw.log is empty while ufw.log.1 contains only stuff from JAN 26 & 27:

Jan 26 14:22:52 c521 kernel: [ 175.220626] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2
Jan 26 14:22:55 c521 kernel: [ 178.348404] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:46 c521 kernel: [72648.723882] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54637 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:48 c521 kernel: [72651.308359] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54687 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:30:53 c521 kernel: [72656.476479] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55145 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:31:04 c521 kernel: [72666.796199] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55407 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:31:24 c521 kernel: [72687.436850] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=58810 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
Jan 27 10:32:06 c521 kernel: [72728.780502] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63010 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0

I just looked at the log. On the 26th it was blocking something from 192.168.0.10 . That is my home network! I haven't had 192.168.0.10 for at least a year.
:-)~MIKE~(-:

On Wed, Feb 4, 2015 at 2:44 PM, Todd Millecam wrote:

> ufw should keep the rule permanent.
>
> There's a program/service that will keep track of this for you
> automatically (and limit brute force attempts, and block multiple failed
> attempts) called sshguard. If you use that, you can see how many unique
> IPs attempted to break into your system by reading your /etc/hosts.deny
> file.
>
> For my public-facing servers, I get about 13 unique new attackers per day.
>
> On Wed, Feb 4, 2015 at 2:32 PM, Michael Havens wrote:
>
>> I was wondering.... I was playing bandit and on level 13 they say some
>> suggested reading is https://help.ubuntu.com/community/SSH/OpenSSH/Keys .
>> I was reading that page and followed a link to
>> https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging
>> because I always wondered how I could see how many log in attempts were
>> made to my computer (not that I think anyone will crack my password which
>> is greater than ten characters. Wait a second.... I do not think I ever set
>> an ssh password. ...
>> guys, my websearch has proven to be fruitless. what do you suggest I do?
>>
>> in any case, I was looking at the settings for openssh.config (or
>> whatever the file is called) and happened upon:
>>
>> Rate-limit the connections
>>
>> which happens to use ufw:
>>
>> sudo ufw limit ssh
>>
>> I was wondering if that command would turn it on permanently? After I
>> entered the command it responded with something like 'new rule added' so I
>> am assuming (I am not an ass!) that is so.
>>
>> I was wondering what should be changed?
>> I am making loglevel Verbose
>> :-)~MIKE~(-:
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> --
> Todd Millecam
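The thread asks two practical questions: how to read what is in /var/log/auth.log and ufw.log, and how to tell from those logs whether anyone got in. The script below is an added example written for this page; it is not code from anyone in the thread, nor from sshguard or ufw. It recognises the line formats shown above (sudo audit lines, kernel "[UFW BLOCK]" lines) plus the three OpenSSH sshd messages that matter for login tracking ("Invalid user", "Failed password", "Accepted ..."), and counts failed SSH attempts per source IP, every successful SSH login, every sudo command, and every firewall block by source, protocol and destination port. The sample log lines embedded in it are constructed for the example (203.0.113.7 is a documentation address, not a real attacker); the CRON, sudo and UFW lines copy the shapes seen in the thread. It assumes the traditional syslog layout of auth.log shown above, not journald output.

```python
#!/usr/bin/env python3
"""Summarise sshd, sudo and UFW events from syslog-style log lines.

Added example for the PLUG thread (not code from the thread, sshguard or ufw).
Usage:  python3 authlog_summary.py /var/log/auth.log
With no argument it runs over the constructed SAMPLE lines below.
"""
import re
import sys
from collections import Counter, defaultdict

# sshd message texts as OpenSSH writes them (stable across versions).
SSH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.a-fA-F:]+) port \d+")
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.a-fA-F:]+) port \d+")
SSH_INVALID = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.a-fA-F:]+)")
# sudo audit line: "sudo: bmike1 : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
# (the "sudo: pam_unix(sudo:session)" lines deliberately do not match).
SUDO_CMD = re.compile(
    r"sudo:\s+(?P<who>\S+) : .*?USER=(?P<as>\S+) ; COMMAND=(?P<cmd>.*)$")
# UFW logs through the kernel as "[UFW BLOCK] KEY=VALUE KEY=VALUE ... DF ACK"
UFW_LINE = re.compile(r"\[UFW (?P<action>\w+)\] (?P<fields>.*)$")

# Constructed sample input: CRON/sudo/UFW shapes from the thread plus sshd lines.
SAMPLE = """\
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:50:33 c521 sudo: bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 09:12:10 c521 sshd[23001]: Invalid user admin from 203.0.113.7 port 51234
Feb  1 09:12:12 c521 sshd[23001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb  1 09:12:15 c521 sshd[23004]: Failed password for root from 203.0.113.7 port 51240 ssh2
Feb  1 09:13:02 c521 sshd[23010]: Failed password for root from 203.0.113.7 port 51250 ssh2
Feb  1 10:00:41 c521 sshd[23100]: Accepted publickey for bmike1 from 192.168.0.12 port 40112 ssh2: RSA SHA256:constructedfingerprint
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0
"""


def parse_ufw_fields(fields):
    """Turn 'IN=eth0 OUT= SRC=1.2.3.4 ... DF ACK' into a dict.

    Bare tokens (DF, SYN, ACK, ...) carry no '=': they are IP/TCP flags
    and are stored as True so the caller can test for them.
    """
    out = {}
    for tok in fields.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
        else:
            out[tok] = True
    return out


def summarize(lines):
    """Build counters from an iterable of log lines; unknown lines are skipped."""
    s = {
        "ssh_failed": Counter(),                # ip -> failed attempts
        "ssh_invalid_users": defaultdict(set),  # ip -> usernames probed
        "ssh_accepted": [],                     # (user, method, ip) per success
        "sudo": Counter(),                      # (who, as_user, command) -> count
        "ufw": Counter(),                       # (action, src, proto, dpt) -> count
    }
    for line in lines:
        line = line.rstrip("\n")
        if m := SSH_FAILED.search(line):
            s["ssh_failed"][m["ip"]] += 1
        elif m := SSH_ACCEPTED.search(line):
            s["ssh_accepted"].append((m["user"], m["method"], m["ip"]))
        elif m := SSH_INVALID.search(line):
            s["ssh_invalid_users"][m["ip"]].add(m["user"])
        elif m := SUDO_CMD.search(line):
            s["sudo"][(m["who"], m["as"], m["cmd"])] += 1
        elif m := UFW_LINE.search(line):
            f = parse_ufw_fields(m["fields"])
            s["ufw"][(m["action"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return s


def brute_forcers(summary, threshold=3):
    """IPs with at least `threshold` failed SSH logins, most active first."""
    return [ip for ip, n in summary["ssh_failed"].most_common() if n >= threshold]


def report(summary):
    """Render the summary as printable lines."""
    out = ["== SSH failures by source IP =="]
    for ip, n in summary["ssh_failed"].most_common():
        users = ", ".join(sorted(summary["ssh_invalid_users"].get(ip, ()))) or "-"
        out.append(f"{ip:>16}  {n:4d} failed   invalid users tried: {users}")
    out.append("== SSH logins that succeeded (check every one you do not recognise) ==")
    out += [f"{u} via {m} from {ip}" for u, m, ip in summary["ssh_accepted"]]
    out.append("== sudo commands ==")
    out += [f"{n:4d}  {who} as {as_}: {cmd}" for (who, as_, cmd), n in summary["sudo"].items()]
    out.append("== firewall blocks (action, src, proto, dport) ==")
    out += [f"{n:4d}  {key}" for key, n in summary["ufw"].most_common()]
    return out


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print("\n".join(report(summarize(src))))
```

Reading the output against the question "did a hacker get in": a pile of "Failed password" lines from one IP is the password guessing Todd describes and is what sshguard or "ufw limit ssh" is meant to throttle; the CRON and "pam_unix(sudo:session)" lines in the original post are the machine's own scheduled jobs and the Mint updater running as root, which is why the script ignores them. The only line type that means someone actually logged in over SSH is "Accepted ...", so the list of successes is the one to read carefully, and an unfamiliar user or source address there is the signal to act on. Treat the log as one signal rather than proof either way, since an intruder with root can edit it; the "ufw limit" and sshguard blocks show up in this output only as a drop in failures, not as their own entries.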