It looks like I've been hacked.
I came home after being away for 3 days to find my system had been rebooted. I have other systems that were fine, so I knew it wasn't a power glitch. My systems don't reboot if the power comes on. I checked my logs and the reboot occured at about 11 PM on Friday.
Before that, for at least hours and possibly days, there were a lot of login attempts. Some from users named terrorist, some that trace to Iran. I checked the audit log and found this:
type=CRYPTO_KEY_USER msg=audit(1659374984.916:5741): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=5878 suid=74 rport=51686 laddr=192.168.2.5 lport=23 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1659374984.917:5742): pid=5877 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=b3:4d:28:a2:ce:77:2a:f8:58:21:75:95:d1:08:6d:26 direction=? spid=5877 suid=0 exe="/usr/sbin/sshd" hostname=? addr=156.251.130.170 terminal=? res=success
It traces to Africa. And I run sshd on port 23. This is the only IP I've found successful logins from. So, I've added a reject rule to the firewall.
It is interesting the journalctl only reports failed logins from this IP since the reboot. Audit.log has the successes, but no timestamp. I'm not sure why there should be continued failures from this address.
And now, I've got to start cleaning up.
And redoing with better security. Sigh.
-Gary
_______________________________________________
Lug-nuts mailing list -- lug-nuts@bigbrie.com
To unsubscribe send an email to lug-nuts-leave@bigbrie.com