# Have I been hacked?

## reup

hello all,

I am not too good with security and was wondering if this means that the hacker succeeded in logging in or not:

```
Sep  8 18:00:38 myhost sshd[25129]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-1981;Name: root [preauth]
Sep  8 18:00:38 myhost sshd[25129]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2023;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep  8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2056;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25143]: SSH: Server;Ltype: Kex;Remote: 178.141.52.64-2056;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
Sep  8 18:00:40 myhost sshd[25143]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2056;Name: root [preauth]
Sep  8 18:00:40 myhost sshd[25143]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
```

I do not know this hostname:

```
nslookup 178.141.52.64
Server:      4.2.2.4
Address:   4.2.2.4#53

Non-authoritative answer:
64.52.141.178.in-addr.arpa   name = dynamic-178-141-52-64.kirov.comstar-r.ru.
```

Normally, my host has only ssh, http and ftp enabled using iptables, and I use denyhosts to protect against ssh attacks.

if someone could help me to interpret this, it would be great

thx

reup

----------

## roravun

No, it does not. If someone broke in, you would see something like:

> pam_unix(sshd:session): session opened

Try 'last' to see a list of past logins.

These messages are just a sign of ssh bots bruteforcing your host. This happens to almost every machine connected to the internet. (At least that is my experience). I strongly recommend you install sshguard, which can blacklist IPs when it detects a bruteforce attempt.

----------
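The check described in the reply above, written as a small log classifier (an added example, not part of the original thread). It groups sshd lines by PID and marks a connection as authenticated only if it logged `session opened` or a stock OpenSSH `Accepted ...` line; the `Accepted` format, the user `alice` and the address `192.0.2.10` are assumptions made for the constructed sample.

```python
import re
from collections import defaultdict

# First three lines are from the log in the question. The last two are
# constructed to show a successful login (192.0.2.10 is a documentation IP).
SAMPLE_LOG = """\
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Version;Remote: 178.141.52.64-2023;Protocol: 2.0;Client: libssh2_1.0
Sep  8 18:00:39 myhost sshd[25136]: SSH: Server;Ltype: Authname;Remote: 178.141.52.64-2023;Name: root [preauth]
Sep  8 18:00:39 myhost sshd[25136]: Received disconnect from 178.141.52.64: 11: Goodbye [preauth]
Sep  8 19:12:01 myhost sshd[25200]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
Sep  8 19:12:01 myhost sshd[25200]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

LINE = re.compile(r"sshd\[(\d+)\]: (.*)$")
REMOTE = re.compile(r"(?:Remote: |from )(\d+\.\d+\.\d+\.\d+)")  # IPv4 only
USER = re.compile(r"(?:Name: |Accepted \S+ for )(\S+)")
SUCCESS = re.compile(r"^Accepted \S+ for |pam_unix\(sshd:session\): session opened")


def classify(log_text):
    """Group sshd lines by PID; report peer, user and whether auth succeeded."""
    conns = defaultdict(lambda: {"ip": None, "user": None, "authenticated": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        conn = conns[pid]  # assumption: PIDs are not reused within the excerpt
        if (r := REMOTE.search(msg)) and conn["ip"] is None:
            conn["ip"] = r.group(1)
        if (u := USER.search(msg)) and conn["user"] is None:
            conn["user"] = u.group(1)
        if SUCCESS.search(msg):
            conn["authenticated"] = True
    return dict(conns)


def successful_logins(log_text):
    """Return (ip, user) for every connection that got past authentication."""
    return [(c["ip"], c["user"]) for c in classify(log_text).values() if c["authenticated"]]


if __name__ == "__main__":
    for pid, c in classify(SAMPLE_LOG).items():
        state = "LOGGED IN" if c["authenticated"] else "no successful authentication"
        print(f"sshd[{pid}] {c['ip']} user={c['user']}: {state}")
```

Connections that only ever show `[preauth]` lines, like the ones in the question, come out as not authenticated.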

## reup

thanks Roravun for your reply

I use denyhosts; it also blacklists IPs with 3 failed attempts

I will try sshguard

thanks again, I will sleep better tonight

----------

## kimmie

reup,

Change the port you run ssh on, that will stop 99.99% of hack attempts. It's in /etc/ssh/sshd_config... change "Port 22" to "Port <random>", where <random> is a port you pick randomly between 10000 and 65000, say. Then you can use "ssh -p <random>" from your clients.

Soon you will decide it's totally crap typing that at your clients instead of just "ssh", so you put it in ~/.ssh/config like this:

```
Host <all aliases you reach your host by>
    # eg. Host homer homer.dyndns.org homer.lan
    Port <random>
```

If you do that, and use public key identification instead of passwords, you can just forget about running denyhosts or whatever.

----------

## reup

thanks kimmie,

good advice

I am already using public key identification so it will be an easy move

----------

