In my syslog (via Yast) I found the following entries:

(020405B401010402)
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB3A50000000001030300)
Mar 14 08:04:46 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92
Mar 14 08:04:47 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61758 DF PROTO=TCP SPT=34796 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB47A0000000001030300)
Mar 14 08:04:49 luke sshd[26289]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:04:49 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=34621 DF PROTO=TCP SPT=34842 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB54B0000000001030300)
Mar 14 08:04:51 luke sshd[26291]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:04:51 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=17521 DF PROTO=TCP SPT=34909 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB61C0000000001030300)
Mar 14 08:04:53 luke sshd[26293]: Invalid user user from ::ffff:218.153.147.92
Mar 14 08:05:01 luke sshd[26301]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:08:20 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=219.128.154.132 DST=67.35.166.180 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=40245 DF PROTO=TCP SPT=3984 DPT=9898 WINDOW=65044 RES=0x00 SYN URGP=0 OPT (0204058601010402)
Mar 14 08:19:59 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=218.83.155.77 DST=67.35.166.180 LEN=364 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=49964 DPT=1026 LEN=344
Mar 14 08:41:56 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=222.88.173.5 DST=67.35.166.180 LEN=681 TOS=0x00 PREC=0x00 TTL=111 ID=62714 PROTO=UDP SPT=17219 DPT=1026 LEN=661
Mar 14 08:51:43 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=12.6.153.198 DST=67.35.166.180 LEN=908 TOS=0x00 PREC=0x00 TTL=116 ID=13705 PROTO=UDP SPT=29582 DPT=1028 LEN=888

It appears that someone was trying to log in on my system while it was connected to the 'Net. My real question is whether this indicates my defenses are working, or should I be looking elsewhere for that confirmation?

There is no other activity recorded until 12:46 and I have not noticed any problems with my system. However, I also understand that wily crackers will attempt to make themselves invisible and cover their tracks. I'm not wily enough yet to get the really wily ones. ;)

I'm not in a state of panic, but do feel I need to spend more time understanding and applying the security monitoring stuff. Is this where Snort would be useful?

Thanks for your input.

Don
--
evangelinux GNU Evangelist
http://matheteuo.org/
http://chaddb.sourceforge.net/
"Free software is like God's love - you can share it with anyone anytime anywhere."
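
Added example, not part of the original post: a small log triage script that groups the firewall and sshd entries above by source address and flags the one pattern that would indicate a break-in, namely guessing followed by a successful login. It assumes the `ACC` and `DROP` tokens in the SFW2 log prefix mean accepted and dropped, and that a success appears as the standard OpenSSH `Accepted <method> for <user> from <addr>` message, which does not occur in the post.

```python
import re
from collections import defaultdict

# Abridged copies of entries from the post above (some fields dropped).
SAMPLE = """\
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TTL=48 PROTO=TCP SPT=34654 DPT=22 SYN
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TTL=48 PROTO=TCP SPT=34740 DPT=22 SYN
Mar 14 08:04:46 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92
Mar 14 08:08:20 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=219.128.154.132 DST=67.35.166.180 LEN=48 TTL=112 PROTO=TCP SPT=3984 DPT=9898 SYN
Mar 14 08:19:59 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=218.83.155.77 DST=67.35.166.180 LEN=364 TTL=51 PROTO=UDP SPT=49964 DPT=1026 LEN=344
"""

# Assumption: ACC / DROP in the SFW2 prefix is the firewall's verdict.
FW = re.compile(r"kernel: SFW2-\S*?(ACC|DROP)\S* .*?SRC=(\S+) .*?PROTO=(\w+) .*?DPT=(\d+)")
BAD = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (?:::ffff:)?(\S+)")
OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (?:::ffff:)?(\S+)")

def summarize(log):
    """Group firewall verdicts and sshd results by source address."""
    hosts = defaultdict(lambda: {"accepted": set(), "dropped": set(),
                                 "invalid_users": [], "logins": []})
    for line in log.splitlines():
        if m := FW.search(line):
            verdict, src, proto, dport = m.groups()
            key = "accepted" if verdict == "ACC" else "dropped"
            hosts[src][key].add(f"{proto}/{dport}")
        elif m := BAD.search(line):
            hosts[m.group(2)]["invalid_users"].append(m.group(1))
        elif m := OK.search(line):
            hosts[m.group(2)]["logins"].append(m.group(1))
    return dict(hosts)

def classify(h):
    """Label one source; guessing followed by a login is the case to chase."""
    if h["invalid_users"] and h["logins"]:
        return "INVESTIGATE: guessing followed by a successful login"
    if h["invalid_users"]:
        return "guessing reached sshd, all attempts rejected"
    if h["accepted"]:
        return "connection allowed by firewall"
    return "blocked at firewall"

if __name__ == "__main__":
    for src, h in summarize(SAMPLE).items():
        print(src, classify(h), sorted(h["accepted"] | h["dropped"]), h["invalid_users"])
```

"Invalid user" lines only cover account names that do not exist on the host, so a clean result here does not rule out guessing against real accounts; those attempts show up under different sshd messages.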