I checked my logs this morning and everything appears much better. I also solved my lastlog problem.
I made some modifications to ssh and su (wheel group access only). I will read up on iptables.
I agree that it was probably an automated attack probe looking for common usernames and passwords. While I have a couple of common user names, the passwords are not (I love creating wierd passwords - just ask my peers who groan out loud everytime I give them a new one!).
Thanks again,
Jon
You can also use iptables to restrict access to port 22, btw. You could combine this with tcpwrappers and have "security in layers." Hell, modify your sshd config file and further restrict access there too.
As for the attempted logins you're seeing in your secure.log file, I have 11 Linux servers that are hit daily by these attempts. It's a scripted attack that seems to wax and wain periodically. I wouldn't be too concerned about it. Sure keep an eye on your log files, check them every day. And be sure you've got good complex passwords on your accounts.
What you've seen is pretty mundane. It's not a hack... yet. It is an attempt to hack using common account names and passwords.
-- Dave Hull http://insipid.com