LinuxQuestions.org, Linux - Security forum
Post #1, tkmsr, 10-27-2010, 01:55 AM
IPs logged as D.C.B.A and some times A.B.C.D how to find which format is logged


I see two different types of log messages in my /var/log/auth.log file.
One is
Quote:
reverse mapping checking getaddrinfo for dnet-217003.sby.dnet.net.id [115.69.217.3] failed - POSSIBLE BREAK-IN ATTEMPT!
and another is
Quote:
reverse mapping checking getaddrinfo for client-200.121.135.240.speedy.net.pe [240.135.121.200] failed - POSSIBLE BREAK-IN ATTEMPT!
In the second log the IP address from where the connection originated was
240.135.121.200

Now logs of type 1 above are present, and in some places logs of type 2.
If you note the IP logged in both cases, type 1 is logged as
Quote:
115.69.217.3
and type 2 is logged as
Quote:
200.121.135.240.speedy.net.pe
In type 2 the IP actually was 240.135.121.200,
which is recorded in reverse fashion.
So, like this, at many places the order in which it is recorded is reversed.
My problem is: looking at the logs, how do I find the IP from where the connection originated? When is it logged as
A.B.C.D
and when is it logged as D.C.B.A?
I am not sure, from the log of type 1 I quoted above,
whether the IP I should block should be
115.69.217.3
or
3.217.69.115

Post #2, acid_kewpie (Moderator), 10-27-2010, 02:09 AM
I don't see any issue there at all. The "reverse" IP address, "200.121.135.240.speedy.net.pe", is clearly NOT an IP address, but a hostname, which is totally arbitrary based upon the practices of the ISP. The detail in the square brackets is the real IP address; there is no logical conflict here at all, it is NEVER logged as "D.C.B.A".

Post #3, tkmsr (Original Poster), 10-27-2010, 03:12 AM
Quote:
Originally Posted by acid_kewpie View Post
The detail in the square brackets is the real IP address, there is no logical conflict here at all, it is NEVER logged as "D.C.B.A"
Some of the logs I have do not have any entry in braces.
 
Post #4, acid_kewpie (Moderator), 10-27-2010, 03:16 AM
Quote:
Originally Posted by tkmsr View Post
Some of the logs I have do not have any entry in braces.
Well that's not been mentioned at all in the original post. If you wish to expand on that with sample logs etc then we may be able to comment.
 
Post #5, tkmsr (Original Poster), 10-27-2010, 04:05 AM
Quote:
reverse mapping checking getaddrinfo for host-62-135-123-253.static.link.net [62.135.123.253] failed - POSSIBLE BREAK-IN ATTEMPT!
reverse mapping checking getaddrinfo for opas-ss-dynamic-045.121.106.22.samplebroadband.com [22.106.121.45] failed - POSSIBLE BREAK-IN ATTEMPT!
But anyhow, you pointed to [], so I scanned all the logs and could not find one such example.

There is one more log
Quote:
Did not receive identification string from 220.80.107.196
and I see this guy had tried a lot of other permutations. Does that mean he was able to guess the username correctly?
 
Post #6, acid_kewpie (Moderator), 10-27-2010, 04:11 AM
I have no idea what you're trying to achieve here. There is no problem to solve.
 
Post #7, tkmsr (Original Poster), 10-27-2010, 04:16 AM
Quote:
Originally Posted by acid_kewpie View Post
I have no idea what you're trying to achieve here. there is no problem to solve.
Code:
g 17:51:48 sshd[13917]: Invalid user admin from 220.80.107.196
g 17:51:57 sshd[13942]: Invalid user admin from 220.80.107.196
g 17:52:05 sshd[13965]: Invalid user test from 220.80.107.196
g 17:52:13 sshd[13986]: Invalid user test from 220.80.107.196
g 17:52:20 sshd[14009]: Invalid user user from 220.80.107.196
g 17:52:28 sshd[14029]: Invalid user user from 220.80.107.196
g 17:52:36 sshd[14050]: Invalid user user1 from 220.80.107.196
g 17:52:44 sshd[14071]: Invalid user user1 from 220.80.107.196
g 17:52:52 sshd[14092]: Invalid user user1 from 220.80.107.196
g 17:53:00 sshd[14112]: Invalid user user from 220.80.107.196
g 17:53:07 sshd[14133]: Invalid user user1 from 220.80.107.196
sshd[12626]: Did not receive identification string from 220.80.107.196
 
Post #8, acid_kewpie (Moderator), 10-27-2010, 04:56 AM
Pasting some logs and saying nothing else is not useful.
 
Post #9, tkmsr (Original Poster), 10-27-2010, 05:55 AM
In the above log you see the person with the above IP was trying different user names, and in the last line I read "Did not receive identification string".
So some logs are
Invalid user user1 from 220.80.107.196
while some are
Did not receive identification string from 220.80.107.196

both from the same IP. I want to know, looking at the above logs, what I can deduce:
1) The person was trying different user names on ssh
2) What can I infer from this log
Quote:
Did not receive identification string from 220.80.107.196
 
Post #10, acid_kewpie (Moderator), 10-27-2010, 09:10 AM
The "Did not receive" messages are probably just dumb port scans. An ssh client will, on connection, tell the server what program it is. A port scan won't bother doing this.
 
Post #11, tkmsr (Original Poster), 10-27-2010, 09:20 AM
Ok, you mean to say that the "Did not receive" line means the attacker did not even try a password for some fake account; getting frustrated over whatever password he tried, he tried to scan what service is open at that port?

Post #12, acid_kewpie (Moderator), 10-27-2010, 09:29 AM
It's the most likely cause, yes.
 
Post #13, tkmsr (Original Poster), 10-27-2010, 10:09 AM
Ok, that makes it clear. Thanks for the information.
 
Post #14, orgcandman, 10-28-2010, 09:48 AM
Please run some of your own tests as well against a non-production ssh server and watch the logs to learn what each piece means.

For instance, what will your logs say if you connect to the SSH port and send the string OMGHAX?

EDIT: don't use an ssh client for the above test. Just connect with something like netcat or telnet.

Post #15, tkmsr (Original Poster), 11-18-2010, 08:03 AM
Quote:
Originally Posted by acid_kewpie View Post
Well that's not been mentioned at all in the original post. If you wish to expand on that with sample logs etc then we may be able to comment.
Hi, when I had started this thread I missed those logs (in fact I did see them but was unable to locate them). Today I got the logs which do not have square braces:
Code:
Nov 18 17:48:20 somedomain sshd[32092]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:22 somedomain sshd[32097]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:23 somedomain sshd[32103]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:24 somedomain sshd[32107]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:48:25 somedomain sshd[32116]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Here it is. I am not sure if you are still reading the thread.
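An added example, not part of the thread and not OpenSSH code: a small Python script that pulls the real peer address out of the sshd lines quoted in posts #1, #5 and #15 (both the bracketed "[ip]" form and the "Address X maps to Y" form), checks whether the PTR name happens to embed the octets in forward or reversed order (post #2's point that the hostname's label order is just the ISP's naming habit), and tallies the "Invalid user" and "Did not receive identification string" events per source IP along the lines of post #10. The lines in SAMPLE_LOG are constructed for this demo using RFC 5737 documentation addresses; the verdict strings are this script's own labels, not anything sshd prints.

```python
import re
from collections import defaultdict

# sshd line shapes quoted in the thread. In every one of them the dotted-quad
# field (bracketed, or after "Address") is the peer address sshd actually saw;
# the hostname is only what the PTR record claimed.
RE_REVMAP = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+) \[(?P<ip>[^\]]+)\] failed"
)
RE_NOMAPBACK = re.compile(
    r"Address (?P<ip>\S+) maps to (?P<host>\S+), but this does not map back"
)
RE_INVALID_USER = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")
RE_NO_IDENT = re.compile(r"Did not receive identification string from (?P<ip>\S+)")


def parse_line(line):
    """Return (event, ip, extra) or None for lines this demo does not handle."""
    m = RE_REVMAP.search(line) or RE_NOMAPBACK.search(line)
    if m:
        return ("revdns_mismatch", m.group("ip"), m.group("host"))
    m = RE_INVALID_USER.search(line)
    if m:
        return ("invalid_user", m.group("ip"), m.group("user"))
    m = RE_NO_IDENT.search(line)
    if m:
        return ("no_ident", m.group("ip"), None)
    return None


def _norm(label):
    # "045" and "45" are the same octet; ISPs zero-pad inconsistently.
    return str(int(label)) if label.isdigit() else label


def octet_order_in_hostname(host, ip):
    """How the PTR name embeds the IPv4 octets: 'forward', 'reversed' or None.
    Labels are split on '.' and '-' because ISPs use either separator."""
    octets = [_norm(o) for o in ip.split(".")]
    if len(octets) != 4:
        return None
    labels = [_norm(l) for l in re.split(r"[.-]", host)]
    reversed_octets = octets[::-1]
    for i in range(len(labels) - 3):
        window = labels[i:i + 4]
        if window == octets:
            return "forward"
        if window == reversed_octets:
            return "reversed"
    return None


def summarize(lines):
    """Aggregate per source IP: usernames tried, banner-less connects, PTR names."""
    per_ip = defaultdict(lambda: {"users": [], "no_ident": 0, "ptr_names": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, ip, extra = parsed
        rec = per_ip[ip]
        if event == "invalid_user":
            rec["users"].append(extra)
        elif event == "no_ident":
            rec["no_ident"] += 1
        else:
            rec["ptr_names"].add(extra)
    return dict(per_ip)


def verdict(rec):
    """This demo's own labels for what the per-IP record shows."""
    if rec["users"]:
        return "username guessing: %d attempts, %d distinct names" % (
            len(rec["users"]), len(set(rec["users"])))
    if rec["no_ident"]:
        return "no SSH banner sent: likely port scan or banner grab"
    return "PTR/forward DNS mismatch only; the address field is the real peer IP"


def report(log_text):
    """Map each source IP to (verdict, {ptr_name: octet order})."""
    out = {}
    for ip, rec in sorted(summarize(log_text.splitlines()).items()):
        orders = {h: octet_order_in_hostname(h, ip) for h in rec["ptr_names"]}
        out[ip] = (verdict(rec), orders)
    return out


# Constructed sample lines (documentation addresses), modelled on the thread's formats.
SAMPLE_LOG = """\
Oct 27 01:40:01 host sshd[1001]: reverse mapping checking getaddrinfo for client-7.2.0.192.example.net [192.0.2.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 27 01:40:02 host sshd[1002]: reverse mapping checking getaddrinfo for host-198-51-100-23.example.org [198.51.100.23] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 27 01:40:03 host sshd[1003]: Invalid user admin from 198.51.100.23
Oct 27 01:40:04 host sshd[1004]: Invalid user admin from 198.51.100.23
Oct 27 01:40:05 host sshd[1005]: Invalid user test from 198.51.100.23
Oct 27 01:40:06 host sshd[1006]: Did not receive identification string from 198.51.100.23
Oct 27 01:40:07 host sshd[1007]: Did not receive identification string from 203.0.113.9
Oct 27 01:40:08 host sshd[1008]: Address 203.0.113.50 maps to static.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 27 01:40:09 host sshd[1009]: Accepted publickey for alice from 192.0.2.7 port 50000 ssh2
"""

if __name__ == "__main__":
    for ip, (v, orders) in report(SAMPLE_LOG).items():
        print(ip, "->", v)
        for host, order in orders.items():
            print("    PTR name %s embeds the octets in %s order" % (host, order or "no recognisable"))
```

Run it against a real /var/log/auth.log with `report(open("/var/log/auth.log").read())` and block or rate-limit by the IP keys of the result, never by anything parsed out of the hostname.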