
I just ran netstat -vatn and found there was a connection ESTABLISHED on :22 from my IP and another, unknown IP. Moments later I ran it again and found the connection was gone.

I have a default installation of openssh-server-5.3 that runs on port 22. I just installed this server and have not given out any access to anyone. Wouldn't this mean someone has just accessed my server?

N0M3

2 Answers


Yes, but that doesn't mean he was able to log in.
It was probably someone trying to log in with common passwords.
Even for trying to log in, the connection needs to be established, of course.

Check /var/log/secure for more information.

faker
  • I just saw another one, a different IP this time – N0M3 Apr 29 '14 at 15:21
  • @N0M3 It's general network noise of passing scanners and things of the sort. If you're secure, then no need to worry. – Nathan C Apr 29 '14 at 15:23
  • I've just started `securing`, or learning about `securing`. From what I can see here, I would think my first step would be to create a new `root` account with a different name than `"root"` and delete `"root"`, then move my `ssh` server to a different `port`! – N0M3 Apr 29 '14 at 15:35
  • Well, maybe not deleting the root account; it looks like that may cause some issues I do not fully understand yet. – N0M3 Apr 29 '14 at 15:56
  • @N0M3 Check out http://serverfault.com/questions/4188/preventing-brute-force-attacks-against-ssh for a start. Disabling SSH access for the `root` user is a very good start. Using key authentication as well. Don't rename/delete/disable the `root` user though. – faker Apr 29 '14 at 16:13
  • Ya, I read that some system resources may refer to the root account in order to process correctly, so until I fully understand "what" is accessing root, it's best to stay away from removing it. – N0M3 Apr 29 '14 at 16:34
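Since the answer points at /var/log/secure, here is an added example (not code from the answer or the original post) that pulls the sshd lines apart: it counts failed password attempts per source address, separates scanner noise such as the "POSSIBLE BREAK-IN ATTEMPT" warning, and flags a successful login that deserves a look. The log lines and addresses are constructed; the host name `srv` and the user `n0m3` are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/secure format written by sshd on CentOS.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 29 15:20:01 srv sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 29 15:20:03 srv sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Apr 29 15:20:05 srv sshd[1235]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Apr 29 15:21:10 srv sshd[1240]: Accepted publickey for n0m3 from 198.51.100.7 port 40000 ssh2
Apr 29 15:22:00 srv sshd[1250]: Did not receive identification string from 203.0.113.9
Apr 29 15:22:30 srv sshd[1260]: reverse mapping checking getaddrinfo for host.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 29 15:23:00 srv sshd[1270]: Accepted password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
NOISE = re.compile(r"Did not receive identification string|POSSIBLE BREAK-IN ATTEMPT")

def summarize(log_text):
    """Return failed-login counts per source IP, accepted logins, noise count, and logins to review."""
    failed = Counter()   # source IP -> number of failed password attempts
    accepted = []        # (method, user, source IP) for every successful login
    noise = 0            # scanner chatter that never reached authentication
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2), m.group(3)))
            continue
        if NOISE.search(line):
            noise += 1
    # A successful login is worth reviewing when it is a password login for root,
    # or when the same source IP had already been failing passwords in this log.
    suspicious = [a for a in accepted
                  if (a[0] == "password" and a[1] == "root") or failed[a[2]] > 0]
    return {"failed": dict(failed), "accepted": accepted,
            "noise": noise, "suspicious": suspicious}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in sorted(report["failed"].items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed password attempts from {ip}")
    print(f"{report['noise']} scanner/noise lines (no authentication attempted)")
    for method, user, ip in report["suspicious"]:
        print(f"REVIEW: accepted {method} login for {user} from {ip}")
```

Run it against the real file with `summarize(open("/var/log/secure").read())`; failed attempts from addresses you do not recognise are the scanner noise the comments describe, and a line in the REVIEW list is the one that actually warrants attention.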

I can see from your post history that you are attempting to install a secure Linux server and I sense you are not very experienced with this stuff.

My first tip is: take a deep breath, remain cool. Even if you see some scary warning messages in the logs, the chances are that they are just that, warnings. Many, many, MANY Linux servers are already running in the interwebz. The days of simple hacks where a default installation would be 0wn3d in seconds are long gone. CentOS, by default, is very secure unless you made something really stupid, such as allowing ssh root logins and setting up the password to be password or equivalently simple.

My second tip is: all kinds of port scans/ssh login attempts/www weakness attempts/whatever are tried all the time. Attackers and botnets are doing that en masse, ignoring the protected targets and utilizing the vulnerable ones. I'm confident your default CentOS installation is safe enough, but of course you can see your /var/log and look out for suspicious lines. Again, lines such as POSSIBLE BREAK-IN ATTEMPT are not the end of the world, just a warning.

My third tip is: should you have any questions, please post them there with enough detail. A question with only a couple of lines is impossible to answer. We are gurus, yes, but not mentalists or psychics.

Janne Pikkarainen