I'd look into setting up fail2ban, it hasn't failed me yet. (Even if this wasn't an intrusion, better safe than sorry)

On Dec 16, 2012 3:59 PM, "David Coutu" <cout@alum.wpi.edu> wrote:
Well Bill, not knowing much about your home network topology/architecture (routing, firewall, NAT/port-forwarding, ISP, dynamic DNS etc.), or how you SSH into your Linux box (i.e. through a public external IP/FQDN or through a private local IP/FQDN) limits how best to answer this, but I'll make various assumptions along the way...

I'll agree with Theo though, it's a Comcast address, not an AOL one when you do a reverse lookup on '24.91.141.172'.  If you run 'last' with a couple of different flags, it will present the IP/host in its entirety since it will place it in the last column, with either the FQDN of the IP, or just the IP.

Ex.

#> last -a   (or 'last -ad' for that matter)
userxx     pts/0        Sat Dec 15 20:45 - 21:18  (00:32)     c-24-91-141-172.hsd1.ma.comcast.net

#> last -ai
userxx     pts/0        Sat Dec 15 20:45 - 21:18  (00:32)     24.91.141.172

If Comcast is your ISP, then there is a topology where this would just be you, but I'm pretty sure you'd know that it was yourself since it takes some effort to set up.  You'd have to be doing NAT'ing/Port-Forwarding on your cable modem or router for the SSH port to your Linux box, and ssh'ing into your Linux box on that external address (which would probably get associated with dynamic DNS updates from the router/modem) from your local net.  Since you were taking that route, you'd get NAT'd to the router/cable modem's external IP (or a global NAT IP you have configured to present to the internet for outbound connections), which would show up in the 'last' output as that IP/FQDN of that IP.

Are you ssh'ing into your Linux box on its internal LAN IP or at its external public IP?  What IP gets reported back to you when you go to http://whatismyip.com from the box you ssh into your Linux box from?  Like I said initially, I'm pretty sure you'd know your network and system setup, and would know if this was actually you or not.

Now all of this is completely moot if your ISP isn't Comcast.  And from looking at your email headers, I see a few hops of yours: mills-curran.net (206.130.122.207) & cheapo.curran (pool-108-20-153-93.bstnma.fios.verizon.net [108.20.153.93]), which obviously aren't Comcast.

FWIW, my best practice is to implicitly deny all SSH connections and explicitly allow only the ones I want in /etc/hosts.allow.  Makes it a PITA when I'm on a new network for the first time, but it definitely adds another layer someone has to work around to get in.  If you block 24.91.141.172 in your hosts.deny, do you get 'refused connect from c-24-91-141-172.hsd1.ma.comcast.net (24.91.141.172)' messages in /var/log/secure (or the Debian equivalent, I think that's what you are running based on some of the mail headers)?

Dave
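Dave's suggestion above is to read the last column of 'last -ai' and decide whether each source address is one of your own. Here is a small added example of doing that check in Python; it is not from anyone on the list. The 'last -ai' output embedded below is constructed (hypothetical user and times, with the 24.91.141.172 address from the thread), and the trusted range 192.168.0.0/16 is an assumption you would replace with your own LAN:

```python
import ipaddress

# Constructed sample of `last -ai` output (not captured from a real host).
# With -i, local console logins show 0.0.0.0 in the host column.
SAMPLE_LAST_OUTPUT = """\
userxx     pts/0        Sat Dec 15 20:45 - 21:18  (00:32)     24.91.141.172
userxx     pts/1        Sat Dec 15 19:02 - 19:40  (00:38)     192.168.1.20
reboot     system boot  Fri Dec 14 08:11 - 21:18 (1+13:07)    0.0.0.0
userxx     tty1         Fri Dec 14 08:12 - 09:00  (00:48)     0.0.0.0

wtmp begins Fri Dec 14 08:11:00 2012
"""

# Assumed: the networks you normally log in from. Adjust to your own LAN.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_last(output):
    """Split `last` output into dicts of user, tty and source host.

    The host is always the final whitespace-separated field, which is why
    Dave's -a/-ai flags make the output easy to parse.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("wtmp begins"):
            continue
        fields = line.split()
        entries.append({"user": fields[0], "tty": fields[1], "host": fields[-1]})
    return entries


def classify_host(host):
    """Return 'local', 'trusted', 'untrusted' or 'hostname' for a host field."""
    if host == "0.0.0.0":
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # `last -a` without -i prints a resolved name; check it separately.
        return "hostname"
    if any(addr in net for net in TRUSTED_NETWORKS):
        return "trusted"
    return "untrusted"


def flag_untrusted(output):
    """Return the login entries whose source is outside TRUSTED_NETWORKS."""
    return [e for e in parse_last(output) if classify_host(e["host"]) == "untrusted"]


if __name__ == "__main__":
    for entry in flag_untrusted(SAMPLE_LAST_OUTPUT):
        print("login from outside trusted networks:", entry)
```

On a real box you would feed it the output of `last -ai` (for example via `subprocess.run(["last", "-ai"], capture_output=True, text=True).stdout`) and keep the trusted list to the addresses your own network and ISP actually hand you.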


Date: Sun, 16 Dec 2012 13:34:06 -0500
From: iris.gates@gmail.com
To: wlug@mail.wlug.org
Subject: Re: [Wlug] Possible intrusion?

Output of last here reports my own static internal IP address. It's a 192.__._.__ number.

Output of last on friend's laptop here reports a whole bunch of stuff (bootups &etc) but no IP address at all.

Third PC here has custom Debian install, and there is no output for last.  Whatever package it's in is not installed, I guess.

We are not wireless. Running through my router, my modem, Charter ISP.

Liz J
 
On 12/16/2012 12:16 PM, Theo Van Dinter wrote:

I'm not sure why you're looking up a 172 IP address. The output is a host name not an IP.  c-24-91-141-173.hsd1.ma.comcast.net.  Is this your cable modem?



_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug
