Security Basics mailing list archives

RE: Is this normal?


From: "Andrew Shore" <andrew.shore () holistecs com>
Date: Fri, 22 Oct 2004 11:01:53 +0100

This is far too common.

A few simple security tips may help.

1. Do not allow root any remote access; create a user and su if you need
root privilege

2. Unless you need to access the firewall from the outside, block ssh
traffic from the outside interface via the firewall software

I wouldn't be too worried if you are seeing this traffic blocked; it's
when it gets through there's a problem.

Andy



-----Original Message-----
From: Erlend Lorentzen [mailto:er-lore () online no] 
Sent: 21 October 2004 18:49
To: security-basics () securityfocus com
Subject: Is this normal?


Hi

I'm not very experienced with this sort of thing so please bear with me.
The following concerns my Slackware 9.1 NAT/Firewall protecting my Home
LAN from the Internet.

Checking my logs today I was a bit surprised to find about 80 refused
connection attempts to my sshd during the last month like:
Oct  7 21:22:27 firewall sshd[9710]: refused connect from xxx.xxx.xxx.xxx

I did reverse lookups on the IPs with dig and found that the attempts
originated from a variety of hosts from Italy, Poland, Russia, Sweden and
Pakistan to name but a few.

One particular host had tried connecting 19 times with just a few
seconds between tries (is he/she just trying different commonly used
passwords?)

Now to my questions:
Is this Normal?
Should I be concerned?
Any security tips, suggestions, thoughts? (I update regularly with
swaret (SlackwareTool), use strong random passwords, tcp wrappers)
Anyone know a good guide to hardening Slackware?
Anything else you'd like to mention?

Thanks, your help is much appreciated!

Best regards Erlend.



