Had one Fedora 32 machine that has the ssh port open. The /var/btmp file was showing a number of lines with the ssh:nottyroot line followed by various different IP addresses.
Can stop the sshd service so that the btmp file stops growing.
Used to use denyhosts on systems, but it seems to have been removed. The old denyhosts would add blocked IP addresses to stop these sites? I know that root is not allowed to log in via ssh by default, so are these lines just saying attempts had been blocked?
Have vsftpd set up to use passive ports, so blocking port 22 would not be a big deal. But just seeing the btmp file grow seems to show wasted bandwidth, if not an issue.
Is it an issue or not??
Thanks.
+------------------------------------------------------------+ Michael D. Setzer II - Computer Science Instructor (Retired) mailto:mikes@guam.net mailto:msetzerii@gmail.com Guam - Where America's Day Begins G4L Disk Imaging Project maintainer http://sourceforge.net/projects/g4l/ +------------------------------------------------------------+
On Sat, 26 Sep 2020 18:00:39 +1000 "Michael D. Setzer II via users" users@lists.fedoraproject.org wrote:
> Had one Fedora 32 machine that has the ssh port open. The /var/btmp file was showing a number of lines with the ssh:nottyroot line followed by various different IP addresses.
> Can stop the sshd service so that the btmp file stops growing.
> Used to use denyhosts on systems, but it seems to have been removed. The old denyhosts would add blocked IP addresses to stop these sites? I know that root is not allowed to log in via ssh by default, so are these lines just saying attempts had been blocked?
> Have vsftpd set up to use passive ports, so blocking port 22 would not be a big deal. But just seeing the btmp file grow seems to show wasted bandwidth, if not an issue.
> Is it an issue or not??
I think not, but I am not sure, since my knowledge of this is limited. I'm also not sure why denyhosts was dropped from Fedora, so it might be meaningless to run it if it has been replaced by another mechanism (systemd?), but you can go here, https://koji.fedoraproject.org/koji/buildinfo?buildID=1130378 and download the F29 rpm and install it on your system. The version there is the same as the latest version from upstream, https://sourceforge.net/projects/denyhosts/files/
It might be that the upstream project is not being developed anymore, so it was dropped from Fedora, but it could also be that the package maintainer orphaned it and no one picked it up.
The other possibilities are that fail2ban or tcp_wrappers might have a means of doing what you want. Someone else here might be able to confirm or deny that.
On Sep 26, 2020, at 04:01, Michael D. Setzer II via users users@lists.fedoraproject.org wrote:
> Used to use denyhosts on systems, but it seems to have been removed. The old denyhosts would add blocked IP addresses to stop these sites? I know that root is not allowed to log in via ssh by default, so are these lines just saying attempts had been blocked?
> Have vsftpd set up to use passive ports, so blocking port 22 would not be a big deal. But just seeing the btmp file grow seems to show wasted bandwidth, if not an issue.
> Is it an issue or not??
It means your ssh port is open and you are constantly being scanned, so blocking ssh from everywhere except trusted networks would be ideal.
DenyHosts used to just add to /etc/hosts.deny (hence the name), which isn't used anymore by sshd. It looks like it supports iptables too, but it's better to use fail2ban, which supports firewalld, uses ipsets or nftables, and is considerably faster. It supports reading the journal too, so if you don't want to use syslogd or send your log traffic off-host, it still works. Since you have vsftpd, it can also watch the logs for that too.
-- Jonathan Billings billings@negate.org
On 26 Sep 2020 at 6:26, stan via users wrote:
Date sent: Sat, 26 Sep 2020 06:26:03 -0700
To: users@lists.fedoraproject.org
Subject: Re: /var/btmp with ssh:nottyroot
Organization: zohofree
Send reply to: Community support for Fedora users users@lists.fedoraproject.org
From: stan via users users@lists.fedoraproject.org
Copies to: stan upaitag@zoho.com
> On Sat, 26 Sep 2020 18:00:39 +1000 "Michael D. Setzer II via users" users@lists.fedoraproject.org wrote:
> > Had one Fedora 32 machine that has the ssh port open. The /var/btmp file was showing a number of lines with the ssh:nottyroot line followed by various different IP addresses.
> > Can stop the sshd service so that the btmp file stops growing.
> > Used to use denyhosts on systems, but it seems to have been removed. The old denyhosts would add blocked IP addresses to stop these sites? I know that root is not allowed to log in via ssh by default, so are these lines just saying attempts had been blocked?
> > Have vsftpd set up to use passive ports, so blocking port 22 would not be a big deal. But just seeing the btmp file grow seems to show wasted bandwidth, if not an issue.
> > Is it an issue or not??
> I think not, but I am not sure, since my knowledge of this is limited. I'm also not sure why denyhosts was dropped from Fedora, so it might be meaningless to run it if it has been replaced by another mechanism (systemd?), but you can go here, https://koji.fedoraproject.org/koji/buildinfo?buildID=1130378 and download the F29 rpm and install it on your system. The version there is the same as the latest version from upstream, https://sourceforge.net/projects/denyhosts/files/
> It might be that the upstream project is not being developed anymore, so it was dropped from Fedora, but it could also be that the package maintainer orphaned it and no one picked it up.
> The other possibilities are that fail2ban or tcp_wrappers might have a means of doing what you want. Someone else here might be able to confirm or deny that.
Thanks for the reply. I did install fail2ban and enabled it, but when I restarted sshd I was seeing the exact same things in btmp. Ended up just blocking incoming port 22 on the router. Had 21 and 22 set up for ftp access, but since ftp has passive ports set up anyway, no need to have it open. Have 5 computers on the home private network that can use port 22.
Usually use vnc to access the machine, but Fedora has also just dropped the vncserver program from the latest update, and now wants to force running it via systemd?? Just downgraded to the last version that worked, and blocked it from being updated at the moment.
DenyHosts was interesting, and you could check out the hosts.deny file and see what IPs were trying to break in. The /var/log/btmp file lists the stuff, but it isn't a text file, and shows repeated attempts.
Thanks again. Be Safe.
On 2020-09-27 06:52, Michael D. Setzer II via users wrote:
> The /var/log/btmp file lists the stuff, but it isn't a text file, and shows repeated attempts.
The "lastb" command can be used to display the file in human readable form.
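The binary file that lastb decodes is a sequence of fixed-size struct utmp records; the "ssh:nottyroot" strings in the original post are the ut_line field ("ssh:notty") run together with the ut_user field ("root"). The following is an added example written for this thread, not code from any of the posters. It assumes the glibc struct utmp layout used on 64-bit Linux (384-byte records, a value the reader can confirm with `python3 -c 'import struct; print(struct.calcsize("<hxxi32s4s32s256shhiii4i20x"))'`) and builds its own constructed sample image so it runs offline; on a real host you would read /var/log/btmp (root only) instead. It prints the records in lastb style and then counts attempts per source address, flagging any address that makes several attempts in a short window, which is the kind of rate rule a ban tool applies before it blocks anything, and also why the first few attempts from each address still land in btmp even with fail2ban running.

```python
"""Decode a Linux btmp (failed-login) file the way lastb does, then count
attempts per source address.  Added example; sample data is constructed."""
import bisect
import struct
import time
from collections import Counter, defaultdict

# glibc struct utmp, little-endian, with the compiler's padding spelled out:
# ut_type(h) pad(2x) ut_pid(i) ut_line(32s) ut_id(4s) ut_user(32s) ut_host(256s)
# ut_exit(hh) ut_session(i) ut_tv(ii) ut_addr_v6(4i) __unused(20x)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record
# ut_type value assumed for records OpenSSH writes; the parser does not rely on it.
USER_PROCESS = 7


def _cstr(raw):
    """Strip the NUL padding from a fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_btmp(data):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ut_id, user, host, _term, _exit, _sess, sec = fields[:10]
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "time": sec}


def format_like_lastb(records):
    """Render records roughly as lastb prints them: user, tty, host, time (UTC)."""
    return ["%-8s %-12s %-16s %s" % (
                r["user"], r["line"], r["host"],
                time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["time"])))
            for r in records]


def summarize(records, window=600, threshold=5):
    """Return (attempts per host, hosts with >= threshold attempts inside any
    window-second span)."""
    times = defaultdict(list)
    for r in records:
        times[r["host"]].append(r["time"])
    counts = {host: len(ts) for host, ts in times.items()}
    flagged = set()
    for host, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            # number of attempts in [start, start + window]
            if bisect.bisect_right(ts, start + window) - i >= threshold:
                flagged.add(host)
                break
    return counts, flagged


def make_record(user, host, when, line="ssh:notty"):
    """Pack one constructed btmp record; fields sshd leaves unused are zeroed."""
    return struct.pack(UTMP_FMT, USER_PROCESS, 0, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, int(when), 0,
                       0, 0, 0, 0)


def build_sample_image():
    """Constructed sample: a burst from one address, stray attempts from two others."""
    base = 1601100000  # 2020-09-26 06:00:00 UTC
    recs = [make_record("root", "198.51.100.7", base + 20 * i) for i in range(6)]
    recs.append(make_record("admin", "203.0.113.9", base + 300))
    recs.append(make_record("root", "203.0.113.9", base + 3900))
    recs.append(make_record("root", "192.0.2.44", base + 7200))
    return b"".join(recs)


if __name__ == "__main__":
    image = build_sample_image()  # real host: open("/var/log/btmp", "rb").read()
    records = list(parse_btmp(image))
    print("\n".join(format_like_lastb(records)))
    counts, flagged = summarize(records)
    print("per-user:", dict(Counter(r["user"] for r in records)))
    print("per-host:", counts, "flagged:", sorted(flagged))
```

The per-host counts are what btmp actually tells you: which addresses are probing and how often. With PermitRootLogin disabled and password authentication off, each of those records is a rejected attempt, not a breach, so the file growing is a sign of exposure rather than of compromise.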