[NBLUG/talk] Am I under attack?

Aaron Grattafiori aaron at digitalinfinity.net
Wed Jan 28 22:53:16 PST 2015


Hi Roger,

Yes they are. If you don't use VNC, I would configure your upstream network
to block inbound connections (NAT should do this for you indirectly).

If you don't have an upstream router, ufw can easily be set up to default
deny all.

If you use VNC to remote in... I would not have it listen externally but
use SSH to forward to it, only exposing SSH outside, or look into Xpra (I
think that's what it's called). If you go the SSH route, you'll want to
make sure you're using keys or at least good passwords (and a non-standard
port to cut down on logspam/brute force attempts).

Take care,

-Aaron

PS. Miss the NBLUG days, hope all my old friends and co-lug-ers are doing
well.
On Jan 28, 2015 2:01 PM, "Roger House" <rhouse at sonic.net> wrote:

> By chance I noticed that the file .xsession-errors.old in my home directory
> (I'm running Ubuntu 12.04) was more than a gigabyte in size.  A few greps
> on the file produced lines like these
>
>     28/01/2015 06:27:07 AM rfbAuthPasswordChecked: password check failed
>     debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
>
> There were other ominous looking messages which I can't reproduce at the
> moment because apparently each time my system comes up, the current
> .xsession-errors.old is deleted, .xsession-errors is renamed to
> .xsession-errors.old, and a new .xsession-errors is started.  Anyway, there
> were thousands of lines like the two above, plus others.
>
> Actually, now that I have brought my system up again, here is a sample of
> what appears in .xsession-errors almost immediately:
>
>     ** (vino-server:2183): WARNING **: Deferring authentication of '74.208.225.179' for 5 seconds
>     ** (vino-server:2183): WARNING **: VNC authentication failure from '74.208.225.179'
>     28/01/2015 06:03:14 AM rfbAuthPasswordChecked: password check failed
>     28/01/2015 06:03:53 AM [IPv4] Got connection from client static-164-148-4-96.hardin.tn.ena.net
>     28/01/2015 06:03:53 AM   other clients:
>     28/01/2015 06:03:53 AM      74.208.225.179
>     28/01/2015 06:03:53 AM Client Protocol Version 3.3
>
> Do these indicate attempts to break into my system?
>
> A recent change to my system:  Last week I installed apache in order to do
> local web development.  Can this have led to the above messages?  I am new
> to apache so I'm wondering if there are config files which I need to edit
> to prevent successful attacks.
>
> Any info will be appreciated.
>
> Roger House
>
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>
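Roger's question ("Do these indicate attempts to break into my system?") is answered by counting what the vino-server lines show: how many password checks fail, from which sources, and over what time window. The script below is an added example for this thread, not code from either poster; it parses lines in the exact formats quoted above, and the `SAMPLE` block is a constructed input built from Roger's lines plus two repeated failures so the threshold trips.

```python
import re
from collections import Counter
from datetime import datetime

# Patterns for the vino-server / rfbAuth lines quoted in the thread.
AUTH_FAIL_RE = re.compile(r"VNC authentication failure from '([^']+)'")
CONN_RE = re.compile(r"\[IPv[46]\] Got connection from client (\S+)")
PWCHECK_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) rfbAuthPasswordChecked: password check failed")
TS_FMT = "%d/%m/%Y %I:%M:%S %p"  # vino's dd/mm/yyyy 12-hour stamp

def summarize_vnc_log(lines, fail_threshold=3):
    """Count VNC auth failures per source and connections per client; flag
    sources whose failure count reaches fail_threshold."""
    failures, connections, stamps = Counter(), Counter(), []
    for line in lines:
        if m := AUTH_FAIL_RE.search(line):
            failures[m.group(1)] += 1
        elif m := CONN_RE.search(line):
            connections[m.group(1)] += 1
        elif m := PWCHECK_RE.match(line.strip()):
            stamps.append(datetime.strptime(m.group(1), TS_FMT))
    window = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "failures": dict(failures),
        "connections": dict(connections),
        "password_check_failed": len(stamps),
        "window_seconds": window,
        "flagged": sorted(s for s, n in failures.items() if n >= fail_threshold),
    }

# Constructed sample: Roger's quoted lines plus two repeated failures so the
# threshold trips; not a real capture.
SAMPLE = """\
** (vino-server:2183): WARNING **: Deferring authentication of '74.208.225.179' for 5 seconds
** (vino-server:2183): WARNING **: VNC authentication failure from '74.208.225.179'
28/01/2015 06:03:14 AM rfbAuthPasswordChecked: password check failed
28/01/2015 06:03:53 AM [IPv4] Got connection from client static-164-148-4-96.hardin.tn.ena.net
28/01/2015 06:03:53 AM   other clients:
28/01/2015 06:03:53 AM      74.208.225.179
28/01/2015 06:03:53 AM Client Protocol Version 3.3
** (vino-server:2183): WARNING **: VNC authentication failure from '74.208.225.179'
28/01/2015 06:04:02 AM rfbAuthPasswordChecked: password check failed
** (vino-server:2183): WARNING **: VNC authentication failure from '74.208.225.179'
28/01/2015 06:27:07 AM rfbAuthPasswordChecked: password check failed
""".splitlines()

if __name__ == "__main__":
    print(summarize_vnc_log(SAMPLE))
```

Run it against a real `~/.xsession-errors` with `summarize_vnc_log(open(path))`; any source in `flagged` is a remote host repeatedly guessing the VNC password, which is exactly the inbound exposure Aaron's advice (block inbound, or reach VNC only over SSH) removes.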