On 2020-02-21 11:53, home user wrote:
> (on 02/20/2020 at 7:34pm mountain time, Frank said)
> > Another suggestion, get Wireshark for sniffing traffic,
> > run a sniffer trace as you are using the machine. You'll
> > want to capture any IP (layer 3) traffic leaving or
> > entering your machine (may want to setup filters to reduce
> > capture size). This may be a way to start your analysis.
>
> > Disable any services (daemons) running on the machine that
> > are not required with a listening port:
> > sudo netstat -tulpn | grep LISTEN
> > above will display listening ports
> > This is at least a start
>
> Except for the netstat command, that went over my head.  I have no training 
> in sysadmin and IT security.  I'm a home user.  I don't know how to do what 
> you suggest, or what to look for in the output.
>
> Output to the netstat command is the same as what I put in my earlier reply 
> to Ed.
>
> (my own idea) I tried wading through several thousand lines of journalctl 
> output.  I couldn't even find my 2 logins since the last boot (late this 
> morning).  I vaguely recall a few years ago stumbling onto large numbers of 
> hack attempts noted in journalctl output, but I don't remember what to look 
> for.
>

I don't know how you've gone about identifying "hack attempts". 

But the "last" command should display all successful logins.

Additionally, the "lastb" command would reveal failed logins.  I do have one
system configured to allow ssh connections from the Internet using only
public-key authentication.  I do so to watch attempts by "script-kiddies".

The most recent attempts being...

support  ssh:notty    92.63.194.7      Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.108    Fri Feb 21 09:45 - 09:45  (00:00)
ubnt     ssh:notty    92.63.194.107    Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    92.63.194.106    Fri Feb 21 09:45 - 09:45  (00:00)
test     ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.107    Fri Feb 21 09:44 - 09:44  (00:00)
user     ssh:notty    92.63.194.106    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.105    Fri Feb 21 09:44 - 09:44  (00:00)
admin    ssh:notty    92.63.194.104    Fri Feb 21 09:44 - 09:44  (00:00)

92.63.194.107 being in Russia.  :-)


-- 
The key to getting good answers is to ask good questions.
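
Added example (not part of the original message): a small Python script that groups the failed SSH logins printed by "lastb" by source network, so a sweep from neighbouring addresses like the 92.63.194.x entries above stands out as one block. The sample records, the /24 and /64 grouping and the script name lastb_summary.py are assumptions made for illustration.

```python
import ipaddress
import sys
from collections import defaultdict

# Constructed sample in lastb's column layout (documentation addresses, not real hosts).
SAMPLE = """\
admin    ssh:notty    203.0.113.7      Fri Feb 21 09:45 - 09:45  (00:00)
guest    ssh:notty    203.0.113.7      Fri Feb 21 09:45 - 09:45  (00:00)
admin    ssh:notty    203.0.113.9      Fri Feb 21 09:44 - 09:44  (00:00)
test     ssh:notty    198.51.100.20    Fri Feb 21 09:44 - 09:44  (00:00)
alice    tty2                          Fri Feb 21 09:40 - 09:40  (00:00)

btmp begins Sat Feb  1 03:12:10 2020
"""

def block_of(host):
    """Group a source by /24 (IPv4) or /64 (IPv6); keep hostnames as they are."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def summarize(text):
    """Return {block: {"attempts": n, "hosts": [...], "users": [...]}} for failed SSH logins."""
    blocks = defaultdict(lambda: {"attempts": 0, "hosts": set(), "users": set()})
    for line in text.splitlines():
        fields = line.split()
        # Keep only SSH records; this also skips blank lines, local tty
        # failures and the trailing "btmp begins ..." line.
        if len(fields) < 3 or not fields[1].startswith("ssh:"):
            continue
        user, _tty, host = fields[:3]
        entry = blocks[block_of(host)]
        entry["attempts"] += 1
        entry["hosts"].add(host)
        entry["users"].add(user)
    return {b: {"attempts": e["attempts"], "hosts": sorted(e["hosts"]),
                "users": sorted(e["users"])} for b, e in blocks.items()}

if __name__ == "__main__":
    # Usage: sudo lastb | python3 lastb_summary.py   (uses SAMPLE when run on a terminal)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    ranked = sorted(summarize(text).items(), key=lambda kv: -kv[1]["attempts"])
    for block, e in ranked:
        print(f'{e["attempts"]:5d}  {block:20s} hosts={len(e["hosts"])} users={",".join(e["users"])}')
```

A block with many hosts and a short list of generic usernames is the automated guessing described above; an attempt against a real account name on the machine deserves a closer look.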