LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-15-2010, 10:48 AM   #1
Blueleaf
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Rep: Reputation: 0
Question New to Linux, Getting a logwatch email about Possible Break In Attempt


Hi everyone,
I am new to Linux and I have a dedicated server running centOS, Pleask 9.2 and I have a received a logwatch email talking about a Possible Break In Attempt.

Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.
Any tips or suggestions would be great.


Here is the logwatch

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (186.83.37.19): 219 Time(s)
root (186.36.144.229): 216 Time(s)
root (190.218.187.184): 156 Time(s)
root (89.175.254.190): 22 Time(s)
root (gate.fly-net.ru): 2 Time(s)
unknown (gate.fly-net.ru): 2 Time(s)
unknown (89.175.254.190): 1 Time(s)
Invalid Users:
Unknown Account: 3 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
89.175.254.190: 22 times
91.203.224.20 (gate.fly-net.ru): 2 times
186.36.144.229: 216 times
186.83.37.19 (Dynamic-IP-186833719.cable.net.co): 219 times
190.218.187.184 (cpe-001e3348a527.cpe.cableonda.net): 156 times

Illegal users from:
89.175.254.190: 1 time
91.203.224.20 (gate.fly-net.ru): 2 times


Received disconnect:
11: Bye Bye : 26 Time(s)
11: Goodbye : 591 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user asis : 1 time(s)
reverse mapping checking getaddrinfo for dynamic-ip-186833719.cable.net.co failed - POSSIBLE BREAK-IN ATTEMPT! : 219 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shit : 1 time(s)
Address 190.218.187.184 maps to cpe-001e3348a527.cpe.cableonda.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 156 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user administrador : 1 time(s)

---------------------- SSHD End -------------------------


Thank you for your help
 
Old 11-15-2010, 11:46 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by Blueleaf View Post
I have a received a logwatch email talking about a Possible Break In Attempt.
The "Address X maps to Y, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT" means the hostname does not match with what the IP address resolves to. Seldom related to spoofing these days, more commonly bad DNS (PTR) record management.


Quote:
Originally Posted by Blueleaf View Post
Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.
Read the complete Failed SSH login attempts thread please.


Quote:
Originally Posted by Blueleaf View Post
I am new to Linux and I have a dedicated server running centOS, Pleask 9.2
Please note that being able to run a web-based server management panel does not make one knowledgeable or an "admin" overnight. Please invest time to learn and practice.
 
Old 11-15-2010, 12:15 PM   #3
Blueleaf
LQ Newbie
 
Registered: Nov 2010
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you,
I am looking at the following from the Failed SSH link you posted.

Quote:
Make use of the AllowUser, DenyUser tags in sshd_config. Make sure you list exactly who should and who should not
login. IMO, never, ever allow root.

sshd_config:

Code:
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry

# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc
How would I be able to access the sshd_config file if I disable the root? My user isn't able edit or modify that file?
 
Old 11-15-2010, 01:04 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by Blueleaf View Post
How would I be able to access the sshd_config file if I disable the root? My user isn't able edit or modify that file?
Disabling root login over the network is a security best practice. It doesn't restrict you from doing damage working as usual. As root install sudo and then edit /etc/sudoers (using visudo, not a text editor!). After disabling root SSH login you log in as unprivileged user and then perform tasks as root using sudo.

Last edited by unSpawn; 11-15-2010 at 01:05 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
reverse mapping checking getaddrinfo for ... failed - POSSIBLE BREAK-IN ATTEMPT eteck Linux - Server 1 08-29-2010 11:02 AM
Break-In attempt on www.centos.org unSpawn Linux - Security 0 07-08-2009 07:16 PM
logwatch email notification sachin1361 Linux - Enterprise 5 05-29-2008 08:52 AM
Possible Break In Attempt stlyz3 Linux - Security 2 08-05-2005 10:37 AM
Logwatch can't email me soren625 Linux - General 15 12-16-2004 12:02 PM


All times are GMT -5. The time now is 10:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration