On Thu, 29 Jun 2017 22:28:28 -0000
"William Mattison" <mattison.computer(a)yahoo.com> wrote:
Good afternoon,
(f25 home workstation)
While looking at journalctl output yesterday and today for other
reasons (separate thread), I saw many "authentication failure"
messages, over half also saying "user=root". I also saw many
"password check failed for user (root)" messages. I saw many unknown
user login attempts, and a few invalid user login attempts, and some
attempts using one of the valid regular user names. Why? I am not
yet good at reading journalctl output, so I don't know if these
connection attempts are coming from "outside" or within this system.
I don't know if I should be concerned or not. I do not intend anyone
or anything to be able to get into this system except for things
that I initiate (examples: Firefox activity, Thunderbird activity,
"dnf upgrade", installs, etc.). And it doesn't make sense to me that
any of those would be trying to log in to this system to do what I
want. I also don't see why anything on this system would try to log
in to this same system except me personally (su, sudo, and actual
logins). I am the only actual user.
What's going on? How do I determine where they're coming from? Is
there really someone or something trying to hack in? If no, what
really is going on?
I'd say someone is trying to target your system. I used to see a lot
of this kind of thing, except it was targeted against known Windows
exploits. I wonder if your Windows installation was compromised, and
they then found that you run Linux, and are now trying to break into
your Linux box. Or they could just have searched for sshd responses,
and then targeted them.
Is your access wired or wireless? I think wireless access points are
public, so your neighbors will be able to find it. I don't know enough
about wireless to know whether they can then initiate attacks against
your system.
If your access is wired, do you have a router? That can provide a
hardware barrier to these kinds of attacks, a good first line of
defense.
Have you got all internet services turned off? You should for sure
disable sshd since there is no reason for anyone to remotely access
your computer.
systemctl stop sshd
systemctl mask sshd
Same with httpd, if it is running in some flavor; you don't need a web
server.
Have you got a strong root password?
A strong user password?
Make sure that /etc/firewalld/firewalld.conf has zone set to public.
Have you hardened your browser with privacy and security settings?
This is a big topic; it will take a lot of research on your part to
understand and feel comfortable with your security, if you choose to
go there. But the above should harden you to a point where it will be
difficult to exploit you.
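To answer the "how do I determine where they're coming from" part of the question concretely, here is a small shell helper that was not part of this thread: it reads journal text on stdin, keeps only the pam_unix "authentication failure" lines (on a typical Fedora sshd+PAM setup each failed attempt produces exactly one of these, whereas sshd's own "Failed password" and "Invalid user" lines describe the same attempt again, so they are skipped to avoid double counting), pulls out the rhost= and user= fields, and tallies attempts per source host and target account. An empty rhost, 127.0.0.1 or ::1 means the attempt originated on this machine (su, sudo, a local login); anything else is a remote address. The log lines embedded below are constructed sample data, not real journal output; the function name summarize_auth_failures is my own.

```shell
#!/bin/sh
# Added example, not from the thread. Real usage on an f25 box:
#   journalctl --since yesterday --no-pager | summarize_auth_failures

# Constructed sample journal lines (not real log data). They include
# two remote sshd guesses against root, one sshd guess against an
# unknown account, one local "su" failure and one sshd attempt from
# loopback, plus the companion sshd lines that must not be counted twice.
SAMPLE_LOG='Jun 29 10:01:02 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jun 29 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 29 10:02:10 host sshd[1240]: Invalid user admin from 198.51.100.22 port 40000
Jun 29 10:02:12 host sshd[1240]: pam_unix(sshd:auth): check pass; user unknown
Jun 29 10:02:12 host sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.22  user=admin
Jun 29 10:03:00 host sshd[1250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jun 29 10:04:00 host su[1300]: pam_unix(su:auth): authentication failure; logname=bill uid=1000 euid=0 tty=pts/0 ruser=bill rhost=  user=root
Jun 29 10:05:00 host sshd[1260]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=bill'

# Read journal text on stdin; print "count host user", most frequent first.
summarize_auth_failures() {
  awk '
    # Only the pam_unix failure line, one per attempt regardless of
    # whether the account exists ("check pass; user unknown" precedes it).
    /pam_unix\(.*:auth\): authentication failure/ {
      host = ""; user = "?"
      # rhost= may be empty for local sessions; [^ ]* allows zero chars
      if (match($0, /rhost=[^ ]*/)) host = substr($0, RSTART + 6, RLENGTH - 6)
      # leading space keeps "ruser=bill" from being mistaken for user=
      if (match($0, / user=[^ ]+/)) user = substr($0, RSTART + 6, RLENGTH - 6)
      if (host == "")
        host = "(local)"
      else if (host == "127.0.0.1" || host == "::1")
        host = host " (local)"
      count[host " " user]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_auth_failures
```

On the sample above the top line is "2 203.0.113.7 root", and the su failure shows up as "1 (local) root": the split between remote addresses and "(local)" is the answer to whether the noise is coming from outside. If every non-local host disappears after sshd is stopped and masked as the reply suggests, the source was inbound ssh; anything that keeps appearing afterwards deserves a closer look at which service is logging it (the process name before the PID in each line).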