Security Basics mailing list archives

RE: Is this normal?


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 22 Oct 2004 08:26:39 -0700

> I'm not very experienced with this sort of thing so please
> bear with me.

Seeing I don't know jack, please bear with me.

> Checking my logs today I was a bit surprised to find about 80
> refused connection attempts to my sshd during the last month
> like: Oct  7 21:22:27 firewall sshd[9710]: refused connect
> from xxx.xxx.xxx.xxx

It's common. They are, most likely, automated scans trying to find
vulnerable OpenSSH systems. Remember to always keep it patched. Also, I
recommend that if you know where you will be logging in from (i.e. from
work, etc.), you explicitly deny everything and allow access from your
known login points.

> I did reverse lookups on the IPs with dig and found that the
> attempts originated from a variety of hosts from Italy, Poland,
> Russia, Sweden and Pakistan to name but a few.

Yep, it's time to kick them all off the Internet.

> One particular host had tried connecting 19 times with just a
> few seconds between tries (is he/she just trying different
> commonly used passwords?)

Automated system, yes, common passwords. Like guest, root with blank
pass, root with root, etc, etc.

> Is this normal?

Yes.

> Should I be concerned?

Always.

> Any security tips, suggestions, thoughts? (I update regularly
> with swaret (SlackwareTool), use strong random passwords, tcp
> wrappers) Anyone know a good guide to hardening Slackware?
> Anything else you'd like to mention?

First, use only version 2 of SSH. Second, firewall (Netfilter or
hardware) access to SSH; allow only the hosts/systems you know you will
use to gain access to SSH. Third, deny root login from SSH; remember to
only use su or limited sudo.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
Fax:   (775) 858-2330
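The two things discussed in this exchange, spotting repeated refused connects from one source in the log and checking sshd_config for the settings recommended in the reply (protocol 2 only, no root login, an explicit list of allowed accounts), as a small added POSIX shell script. This is an editor's example, not code from the thread or from OpenSSH; the log lines, addresses and file paths in it are constructed for the demonstration, and `AllowUsers` is used here as the explicit allow-list directive, which the reply does not name.

```shell
#!/bin/sh
# Added example, not from the original thread. All sample data below is
# constructed; the addresses are from the documentation ranges (RFC 5737).

# Count "refused connect from <addr>" lines (the tcp-wrappers message shown in
# the question) per source address, noisiest host first.
#   Usage: count_refused /var/log/messages
count_refused() {
    # sed keeps only the address after "refused connect from";
    # sort | uniq -c counts per address; sort -rn orders by count.
    sed -n 's/.*sshd\[[0-9]*\]: refused connect from \([^ ]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Active (non-comment) value of a directive in an sshd_config-style file.
# Matching is case-insensitive; if a directive appears twice, the last wins.
#   Usage: get_directive PermitRootLogin /etc/ssh/sshd_config
get_directive() {
    awk -v key="$1" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$2"
}

# Audit an sshd_config for the settings recommended in the reply.
# Prints each missing or weak setting; returns 0 if all are present, 1 otherwise.
#   Usage: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config() {
    cfg="$1"
    rc=0
    # "Protocol 2,1" still offers protocol 1, so only an exact "2" passes.
    if [ "$(get_directive Protocol "$cfg")" != "2" ]; then
        echo "Protocol: set 'Protocol 2' (currently '$(get_directive Protocol "$cfg")')"
        rc=1
    fi
    if [ "$(get_directive PermitRootLogin "$cfg")" != "no" ]; then
        echo "PermitRootLogin: set 'PermitRootLogin no' (use su or sudo after login)"
        rc=1
    fi
    # AllowUsers (assumed here as the allow-list directive) must name someone.
    if [ -z "$(get_directive AllowUsers "$cfg")" ]; then
        echo "AllowUsers: list the accounts allowed to log in over ssh"
        rc=1
    fi
    return $rc
}

# Demonstration on constructed input (runs when the script is executed).
demo_dir=$(mktemp -d)
printf '%s\n' \
  'Oct  7 21:22:27 firewall sshd[9710]: refused connect from 192.0.2.10' \
  'Oct  7 21:22:31 firewall sshd[9711]: refused connect from 192.0.2.10' \
  'Oct  7 21:22:35 firewall sshd[9712]: refused connect from 198.51.100.7' \
  'Oct  7 21:22:40 firewall sshd[9713]: Accepted publickey for alice from 203.0.113.5 port 40110 ssh2' \
  'Oct  7 21:22:44 firewall sshd[9714]: refused connect from 192.0.2.10' \
  > "$demo_dir/messages"
printf 'Protocol 2,1\nPermitRootLogin yes\n' > "$demo_dir/sshd_config.weak"

echo "Refused connects per source:"
count_refused "$demo_dir/messages"
echo "Audit of constructed weak config:"
audit_sshd_config "$demo_dir/sshd_config.weak" || echo "(config needs changes)"
rm -rf "$demo_dir"
```

Run `count_refused` against the real log file to see which hosts keep coming back; a single address with many entries a few seconds apart is the automated guessing the reply describes. `audit_sshd_config` only inspects the file, it changes nothing, so it is safe to run against the live configuration before deciding what to edit.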
