Re: Is this normal?

It's not necessarily unusual. Someone is scanning for open ports and such and
is attempting to come in. One thing you might consider is having your SSH
daemon shutdown when you know you won't be using it. Using cron might be a
consideration for this. A thought.

--
<<JAV>>

---------- Original Message -----------
From: Erlend Lorentzen <er-lore@online.no>
To: security-basics@securityfocus.com
Sent: Thu, 21 Oct 2004 19:48:57 +0200
Subject: Is this normal?

> Hi
>
> I'm not very experienced with this sort of thing so please bear with 
> me. The following concerns my Slackware 9.1 NAT/Firewall protecting 
> my Home LAN from the Internet.
>
> Checking my logs today I was a bit surprised to find about 80 refused
> connection attempts to my sshd during the last month like:
> Oct  7 21:22:27 firewall sshd[9710]: refused connect from
> xxx.xxx.xxx.xxx
>
> I did reverse lookups on the IP's with dig and found that the attemts
> originated from a variety of hosts from Italy, Polen, Russia, Sweden 
> and Pakistan to name but a few.
>
> One particular host had tried connecting 19 times with just a few
> seconds between tries (is he/she just trying different commonly used
> passwords?)
>
> Now to my questions:
> Is this Normal?
> Should I be concerned?
> Any security tips, suggestions, thoughts? (I update regularly with
> swaret (SlackwareTool), use strong random passwords, tcp wrappers)
> Anyone know a good guide to hardening Slackware?
> Anything else you'd like to mention?
>
> Thanks, your help is much appreciated!
>
> Best regards Erlend.
------- End of Original Message -------