# Attempt to hack me? Should I be worried?

## mark_lagace

I've been running a Gentoo box as my household router, mail system, and some shared drive space for sharing files between my computer and my wife's for ... um... several years now. Can't remember when I started really, but that doesn't matter. I'm running a fairly basic iptables firewall that essentially blocks any incoming connections other than those to ports needed for smtp, ssh, and imaps. I'm also running fail2ban watching for failed ssh logins. Generally I see a couple of IP addresses 'banned' each day for 3 failed login attempts on ssh. No doubt botnets out there pinging the world for open ssh ports and trying to add any poorly configured systems to their networks... Between 6:45pm last night and 10:27am this morning, however, I had 61 banned IPs. Checking the auth logs it's all failed attempts to ssh in as root.

Now I've gone and toggled the "PermitRootLogin" flag for ssh back to "no" as I had forgotten to do so after the last upgrade. :Embarassed: Is there something else I should do? I don't see any obvious indication that someone managed to hack my system, although realistically if someone gets root access they can hide very effectively. I find it hard to believe a serious 'hacker' would attempt to brute-force my root password though, and am wholly sure that a few hundred or even a few thousand tries at it is nowhere near enough to succeed. That said, I don't know what to think about the sudden spike in attempts to 'ssh' my Gentoo box. Any ideas?

----------

## John R. Graham

Yes. Disable password-based login over SSH and set up RSA key authentication in its stead.

Incidentally, I see several of these per week. If your server is visible at a static IP address for any amount of time, it seems to be discovered. I used to report them all to the abuse email address as reported by whois but each one seems to come from a different place.

- John

----------

## mark_lagace

I have RSA key authentication for my machines, but password-based login is just handy to have when I'm away from my own computer(s). I'm not overly concerned about the 8-10 attempts I usually see per week but I'm just trying to understand the sudden spike. I might just go and switch SSH to a different port for a while if the 'bombardment' resumes.

----------

## John R. Graham

Your choice, of course. Security is inversely proportional to convenience.   :Wink: 

- John

----------
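The first post's question, whether any of the failed root logins in the auth log was followed by a successful one, can be checked mechanically. The script below is an added example, not part of the original thread: it assumes the classic syslog-style OpenSSH message format, the sample lines are constructed, and `review` is a hypothetical helper name.

```python
import re
import sys
from collections import Counter

# Constructed sample in classic syslog sshd format (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 18:45:01 router sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 18:45:04 router sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 18:45:09 router sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 19:02:17 router sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 40100 ssh2
Mar  3 21:30:40 router sshd[2215]: Accepted publickey for mark from 192.0.2.10 port 50022 ssh2
Mar  4 02:11:05 router sshd[2390]: Failed password for root from 198.51.100.77 port 33810 ssh2
Mar  4 02:11:09 router sshd[2390]: Accepted password for root from 198.51.100.77 port 33812 ssh2
"""

# Matches sshd "Failed|Accepted <method> for [invalid user ]<user> from <ip> port N".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def review(log_text):
    """Return (root failures per IP, accepted logins that deserve a closer look)."""
    root_failures = Counter()
    failing_ips = set()
    accepted = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user, method = m["ip"], m["user"], m["method"]
        if m["result"] == "Failed":
            failing_ips.add(ip)
            if user == "root":
                root_failures[ip] += 1
        else:
            accepted.append((ip, user, method))
    # Flag a success from any address that also failed, and any root password login.
    suspicious = [
        a for a in accepted
        if a[0] in failing_ips or (a[1] == "root" and a[2] == "password")
    ]
    return dict(root_failures), suspicious


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    failures, suspicious = review(text)
    print(f"{sum(failures.values())} failed root logins from {len(failures)} addresses")
    for ip, user, method in suspicious:
        print(f"CHECK: accepted {method} login for {user} from {ip}")
```

Run it with the path of the sshd auth log as its only argument; where that log lives depends on the syslog configuration. An empty CHECK list only speaks for what the log records, so it is one input alongside the `PermitRootLogin` and password-login settings discussed above.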

