This is a discussion on "How can I tell if people have been scanning my computer?" within the Slackware Linux Support forums, part of the Unix Operating Systems category.

Title just about says it. I have an open ssh port so that i can access my machine. I'm ...
masked.slacker@gmail.com wrote:
> Title just about says it. I have an open ssh port so that i can access
> my machine. I'm wondering how to see if others have been trying to
> access it.
>

    grep 'sshd' /var/log/messages
    grep 'sshd' /var/log/syslog

--
Lew Pitcher
IT Specialist, Enterprise Data Systems,
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed are my own, not my employers')

On Friday 11 Mar 2005 18:20 masked.slacker@gmail.com, wrote:
> Title just about says it. I have an open ssh port so that i can access
> my machine. I'm wondering how to see if others have been trying to
> access it.

As root do

    tail -f /var/log/messages | grep sshd

and you'll see something like this

    Mar 11 18:36:11 host sshd[3971]: Accepted password for root from 127.0.0.1 port 33518 ssh2

(The above is wrapped)

Control + C to exit the command.

If you want to see all the access attempts within the log, again as root,
do this

    grep sshd /var/log/messages | less

q to quit command.

--
del 8-)

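The grep from the post above taken one step further, as an added example that is not part of the thread: it tallies failed and accepted password logins per source address from lines in the log format quoted there. The function names, the failed-login sample lines and every address except 127.0.0.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-address tally of sshd
# password results from syslog lines in the format quoted above.
# Real use, as root:  summarize_sshd < /var/log/messages

summarize_sshd() {
    awk '
        # Field 5 is the syslog tag, field 6 the result word.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $7 == "password" &&
        ($6 == "Failed" || $6 == "Accepted") {
            # The user name is chosen by the client and may itself contain
            # " from ", so take the last "from" by scanning from the right.
            for (i = NF - 1; i > 7; i--)
                if ($i == "from") break
            if (i <= 7) next
            addr = $(i + 1)
            seen[addr] = 1
            n[addr, $6]++
        }
        END {
            for (a in seen)
                printf "%s failed=%d accepted=%d\n", a, n[a, "Failed"], n[a, "Accepted"]
        }
    ' | sort -t= -k2,2nr    # most failures first
}

# Constructed sample input; addresses other than 127.0.0.1 are
# documentation ranges, not taken from the thread.
sample_log() {
    cat <<'EOF'
Mar 11 18:36:11 host sshd[3971]: Accepted password for root from 127.0.0.1 port 33518 ssh2
Mar 11 18:40:02 host sshd[3980]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 11 18:40:05 host sshd[3982]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 11 18:40:09 host sshd[3984]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Mar 11 18:52:47 host sshd[3990]: Failed password for del from 198.51.100.20 port 51000 ssh2
Mar 11 18:53:01 host sshd[3992]: Accepted password for del from 198.51.100.20 port 51004 ssh2
Mar 11 18:55:00 host kernel: eth0: link up
EOF
}

sample_log | summarize_sshd
```

An address with many failures and no accepted login is the pattern to look at first; one with a failure followed by an accepted login is usually a mistyped password.
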
On 2005-03-11, Lew Pitcher <Lew.Pitcher@td.com> wrote:
>
> masked.slacker@gmail.com wrote:
>> Title just about says it. I have an open ssh port so that i can access
>> my machine. I'm wondering how to see if others have been trying to
>> access it.
>>
> grep 'sshd' /var/log/messages
> grep 'sshd' /var/log/syslog
>

I get no mention of sshd in syslog, am I missing something?

--
del 8-)

del wrote:
> On 2005-03-11, Lew Pitcher <Lew.Pitcher@td.com> wrote:
>
>>masked.slacker@gmail.com wrote:
>>
>>>Title just about says it. I have an open ssh port so that i can access
>>>my machine. I'm wondering how to see if others have been trying to
>>>access it.
>>>
>>
>>grep 'sshd' /var/log/messages
>>grep 'sshd' /var/log/syslog
>>
>
>
> I get no mention of sshd in syslog, am I missing something?

Nope. It just means that no one has been trying to access your machine
through ssh

--
Lew Pitcher
Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.

On Saturday 12 Mar 2005 00:43 Lew Pitcher, wrote:
>> I get no mention of sshd in syslog, am I missing something?
>
> Nope. It just means that no one has been trying to access your machine
> through ssh

Nope, syslog is not logging sshd connections here, a pretty much standard
install of 10.1, either from the LAN or external connections. Have you
tweaked syslog.conf to do this for you?

--
del 8-)

del wrote in <1469075.VdA3NctORC@devnull.sig.org.uk>:
> On Saturday 12 Mar 2005 00:43 Lew Pitcher, wrote:
>
>>> I get no mention of sshd in syslog, am I missing something?
>>
>> Nope. It just means that no one has been trying to access your machine
>> through ssh
>
> Nope, syslog is not logging sshd connections here, a pretty much standard
> install of 10.1, either from the LAN or external connections. Have you
> tweaked syslog.conf to do this for you?

sshd logs fine on my standardish install of 9.1 upgraded to 10.0 with
various other packages.

On 2005-03-12, MikeyD <m_donaghy50@hotmail.com> wrote:
>>>
>>> Nope. It just means that no one has been trying to access your machine
>>> through ssh
>>
>> Nope, syslog is not logging sshd connections here, a pretty much standard
>> install of 10.1, either from the LAN or external connections. Have you
>> tweaked syslog.conf to do this for you?
>
> sshd logs fine on my standardish install of 9.1 upgraded to 10.0 with
> various other packages.

I get sshd logs in /var/log/messages but not in /var/log/syslog.

To the OP: Just as long as they're logged somewhere that's all that counts!

--
del 8-)

On 2005-03-11, masked.slacker@gmail.com wrote:
> Title just about says it. I have an open ssh port so that i can access
> my machine. I'm wondering how to see if others have been trying to
> access it.

Portsentry-1.1 blocks scans and logs the source address of the scanner
in /etc/portsentry/portsentry.blocked. It used to be a www.psionic.com
project but since 2002 has been hosted at sourceforge.
http://sourceforge.net/projects/sentrytools. Make sure that port 6000 tcp
is unblocked in /etc/portsentry/portsentry.conf if you use X on your
machine. Put the address of the login host that you ssh from in
portsentry.ignore and block ssh port 22 in portsentry.conf.

hth,
kthmg.

masked.slacker@gmail.com wrote:
> Title just about says it. I have an open ssh port so that i can access
> my machine. I'm wondering how to see if others have been trying to
> access it.