LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1 - 08-06-2004, 03:56 AM - pingu (Senior Member; Registered: Jul 2004; Location: Skuttunge SWEDEN; Distribution: Debian preferably; Posts: 1,350)
How to track who's helping intruder pass through firewall

My problem is this:
I am "practicing" in a company for three months - not employed, limited in what I can do. But I need to get things done to have a chance to get a real job...
The company is responsible for other companies' networks; my job is to read logs etc. to make sure everything is fine. Now one internal Linux server behind a firewall is subject to several login attempts (SSH). This is done in the daytime only (one exception), so I suppose the intruder is "helped" by someone on the inside.
Question: How can I track the intruder's way in? I have root access to all servers, but no access to the firewall. (Well, I can get in, but I'm not supposed to.) I'm not explicitly forbidden to install a program on the server, but it's the last thing I want to do.
 
#2 - 08-06-2004, 07:22 AM - stickman (Senior Member; Registered: Sep 2002; Location: Nashville, TN; Posts: 1,552)
Look at the source of the SSH attempts first. It could be a compromised machine or just someone who forgot their password.
 
#3 - 08-06-2004, 09:04 AM - pingu (Original Poster; Senior Member; Registered: Jul 2004; Location: Skuttunge SWEDEN; Distribution: Debian preferably; Posts: 1,350)
There are 3 different sources logged; all are external IPs.
The usernames used are 'test', 'guest', 'user' and 'admin' - they don't exist.
Also, users shouldn't log in directly to this server; it has no user accounts at all.
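As an added example (not from the thread or any of its posters), the check posts #2 and #3 describe, scripted: pull the failed SSH logins out of sshd's auth log, then report which source addresses lie outside RFC 1918 internal space, which usernames were tried, and how many attempts fell outside business hours. The log lines and addresses are constructed samples; the regex assumes syslog-style sshd output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in syslog-style sshd format; documentation-range addresses.
SAMPLE_AUTH_LOG = """\
Aug  5 09:12:03 srv sshd[2231]: Failed password for illegal user test from 198.51.100.7 port 4021 ssh2
Aug  5 09:12:07 srv sshd[2233]: Failed password for illegal user guest from 198.51.100.7 port 4022 ssh2
Aug  5 14:40:12 srv sshd[2301]: Failed password for illegal user admin from 203.0.113.9 port 3310 ssh2
Aug  6 02:15:46 srv sshd[2410]: Failed password for illegal user user from 192.0.2.33 port 1999 ssh2
Aug  6 10:05:00 srv sshd[2502]: Accepted publickey for pingu from 10.0.0.5 port 51000 ssh2
Aug  6 11:30:21 srv sshd[2533]: Failed password for root from 10.0.0.8 port 40211 ssh2
"""

# Older sshd logs "illegal user", newer "invalid user"; an existing account has no prefix.
FAILED_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Explicit RFC 1918 list: ipaddress's is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def summarise_failed_logins(log_text):
    """Count failed SSH logins by source IP, by username and by hour of day."""
    by_ip, by_user, by_hour = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
            by_hour[int(m["hour"])] += 1
    return by_ip, by_user, by_hour


def external_sources(by_ip):
    """Sources outside RFC 1918 space. Any hit means the host is reachable
    from the Internet, whatever the firewall is believed to block."""
    return sorted(ip for ip in by_ip
                  if not any(ipaddress.ip_address(ip) in n for n in RFC1918))


def off_hours_attempts(by_hour, start=8, end=18):
    """Failures outside [start, end): the thread's 'daytime only, one exception' pattern."""
    return sum(n for h, n in by_hour.items() if not start <= h < end)


if __name__ == "__main__":
    ips, users, hours = summarise_failed_logins(SAMPLE_AUTH_LOG)
    print(external_sources(ips), dict(users), off_hours_attempts(hours))
```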
 
#4 - 08-06-2004, 09:30 AM - Capt_Caveman (Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658)
If it's the same (or very similar) simple combinations, then you're likely seeing this:

http://www.linuxquestions.org/questi...hreadid=213582

There is some form of malware or scanner going around trying to guess very simple user/passwd combos. However, it's starting to become fairly widespread.
 
#5 - 08-06-2004, 09:44 AM - pingu (Original Poster; Senior Member; Registered: Jul 2004; Location: Skuttunge SWEDEN; Distribution: Debian preferably; Posts: 1,350)
Yes, I've noticed I'm not alone...
Well, I'm not really worried, they won't get in - that server is pretty secure.
(And if they do get in I'll be there to stop them. Should raise my chances to get a job.)

But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to the internet. It would be good to find out who.
Or have they found a way through the firewall? It would be great if I could report a security hole in that firewall - it's supposed to be very tight!
 
#6 - 08-06-2004, 10:04 AM - barisdemiray (Member; Registered: Sep 2003; Location: Ankara/Turkey; Distribution: Slackware; Posts: 155)
Quote:
Originally posted by pingu
Yes, I've noticed I'm not alone...
Well, I'm not really worried, they won't get in - that server is pretty secure.
(And if they do get in I'll be there to stop them. Should raise my chances to get a job

But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to internet. It would be good to find out who.
Or have they found a way through the firewall? Would be great if I could report a security-hole in that firewall - it's supposed to be very tight!
To fight a cracker, think like a cracker, be a cracker :-) Your internal server has an external IP, right? Then do the same thing: try to SSH from an external IP to your internal server and then analyze the logs. If it works, look at the firewall rules that let you come in.
 
#7 - 08-06-2004, 12:55 PM - stickman (Senior Member; Registered: Sep 2002; Location: Nashville, TN; Posts: 1,552)
Quote:
Originally posted by pingu
But I do wonder how they get past that firewall and onto the server? It must be by exploiting some employee connected to internet. It would be good to find out who.
Or have they found a way through the firewall? Would be great if I could report a security-hole in that firewall - it's supposed to be very tight!
I thought that since you were looking for a helper on the inside, the sources would be internal. Since they are external sources, you might actually want to check your firewall configuration to verify that SSH to this host is not open. Have you tried starting an SSH session from the outside just to verify? Since there are no user accounts on this system, the only access to this box from the outside should be just the services that are meant to be publicly accessible (i.e. www). If there are no services on this system that are meant to be public, then all external traffic to this system should be blocked.
 
#8 - 08-10-2004, 05:16 AM - pingu (Original Poster; Senior Member; Registered: Jul 2004; Location: Skuttunge SWEDEN; Distribution: Debian preferably; Posts: 1,350)
Now I am so ashamed...
I was so eager to find a problem that I forgot the first rule:
"Let go of the keyboard - relax - think & analyze"

You see, for the other companies I log in to one server and connect to the others internally. But not this one.
I'm connecting to it directly, from outside, so anybody could.
The problem I tried to solve does not exist...

Well, thanks everybody.
I'm beginning to believe I shouldn't have a job after all....
 
#9 - 08-10-2004, 07:47 AM - stickman (Senior Member; Registered: Sep 2002; Location: Nashville, TN; Posts: 1,552)
If possible, you may consider recommending filtering the outside SSH access to known clients only (i.e. your site and any other partner sites). You could point out the failed login attempts as the justification.

Last edited by stickman; 08-10-2004 at 07:55 AM.