Good afternoon,
(f25 home workstation)
While looking at journalctl output yesterday and today for other reasons (separate
thread), I saw many "authentication failure" messages, over half also saying
"user=root". I also saw many "password check failed for user (root)"
messages. I saw many unknown user login attempts, and a few invalid user login attempts,
and some attempts using one of the valid regular user names. Why? I am not yet good at
reading journalctl output, so I don't know if these connection attempts are coming
from "outside" or within this system. I don't know if I should be concerned
or not. I do not intend anyone or anything to be able to get in to this system except for
things that I initiate (examples: Firefox activity, Thunderbird activity, "dnf
upgrade", installs, etc.). And it doesn't make sense to me that any of those
would be trying to log in to this system to do what I want. I also don't see why
anything on this system would try to log in to this same system except me personally (su,
sudo, and
actual logins). I am the only actual user.
What's going on? How do I determine where they're coming from? Is there really
someone or something trying to hack in? If no, what really is going on?
Most important,
How do I prevent connections from outside?
thanks,
Bill.