Old 02-02-2007, 07:13 AM   #1
natv
Member
 
Registered: Mar 2006
Posts: 59

Rep: Reputation: 15
Question about failed ssh login attempts


Hi

Actually first question just so I understand, why do some forum threads here show 'closed'? For example there was another thread related to my question here (http://www.linuxquestions.org/questi...d.php?t=340366) that I was going to reply to but it was closed. Just curious.

On to my question...

I have a server set up at home for learning purposes (not a production server). I'm also trying to learn more about security as well as Linux in general, so for me it's interesting when someone tries to break in.

I've put DenyHosts on my server so that after a certain amount of failed root or other user login attempts their IP gets automatically added to /etc/hosts.deny and I get emailed about it.


I then check /var/log/messages and see entries like below, which I have a couple of questions about.

I can see in the log file when someone tries to login as root, postfix, named, etc.... But what are the other entries that don't have any username beside them?

For example here is part of an attempt from yesterday:

[root@server ~]# grep 125.7.199.246 /var/log/messages
Feb 1 22:03:15 server sshd(pam_unix)[26261]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:19 server sshd(pam_unix)[26263]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:24 server sshd(pam_unix)[26265]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:29 server sshd(pam_unix)[26267]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:33 server sshd(pam_unix)[26269]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:38 server sshd(pam_unix)[26271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:42 server sshd(pam_unix)[26273]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:47 server sshd(pam_unix)[26275]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:51 server sshd(pam_unix)[26277]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:56 server sshd(pam_unix)[26279]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:00 server sshd(pam_unix)[26281]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:05 server sshd(pam_unix)[26283]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:09 server sshd(pam_unix)[26285]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:13 server sshd(pam_unix)[26287]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=ftp
Feb 1 22:04:18 server sshd(pam_unix)[26289]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:22 server sshd(pam_unix)[26291]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:27 server sshd(pam_unix)[26293]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:31 server sshd(pam_unix)[26295]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=postfix
Feb 1 22:04:36 server sshd(pam_unix)[26297]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:40 server sshd(pam_unix)[26299]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:45 server sshd(pam_unix)[26301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:04:49 server sshd(pam_unix)[26303]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:54 server sshd(pam_unix)[26305]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:58 server sshd(pam_unix)[26307]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:04 server sshd(pam_unix)[26309]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:08 server sshd(pam_unix)[26311]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:13 server sshd(pam_unix)[26313]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:18 server sshd(pam_unix)[26315]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=apache
Feb 1 22:05:22 server sshd(pam_unix)[26317]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:27 server sshd(pam_unix)[26319]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:31 server sshd(pam_unix)[26321]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:36 server sshd(pam_unix)[26323]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:41 server sshd(pam_unix)[26325]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:45 server sshd(pam_unix)[26327]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:50 server sshd(pam_unix)[26329]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=named
Feb 1 22:05:54 server sshd(pam_unix)[26331]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:59 server sshd(pam_unix)[26333]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:04 server sshd(pam_unix)[26335]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:08 server sshd(pam_unix)[26337]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:13 server sshd(pam_unix)[26339]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:18 server sshd(pam_unix)[26341]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:22 server sshd(pam_unix)[26343]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:27 server sshd(pam_unix)[26345]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:31 server sshd(pam_unix)[26349]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:36 server sshd(pam_unix)[26351]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:41 server sshd(pam_unix)[26353]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:46 server sshd(pam_unix)[26355]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:51 server sshd(pam_unix)[26357]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:55 server sshd(pam_unix)[26359]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:00 server sshd(pam_unix)[26361]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:05 server sshd(pam_unix)[26363]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:09 server sshd(pam_unix)[26365]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246

Next question, what other log files should I peek in on?

How can I see if my ports are being scanned and from where?

Is the above enough reason to contact the ISP that controls that IP to report this?

Thanks
Nat
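As an added example (not from this thread, and not DenyHosts' own code), here is a small Python script that parses pam_unix "authentication failure" lines of the kind pasted above and separates attempts that carry a user= field from those that don't, then tallies failures per remote host the way a DenyHosts-style threshold would. The sample log is constructed and uses documentation-range addresses. The reading of the no-user lines as attempts against usernames that don't exist on the box is an assumption noted in the comments; confirm it against sshd's own "Invalid user" lines in /var/log/secure (or /var/log/auth.log, depending on the distribution).

```python
import re
from collections import Counter, defaultdict

# Regex for the pam_unix "authentication failure" line format shown in the thread.
# The trailing " user=NAME" part is optional. Assumption (check it against sshd's
# "Invalid user" lines): when it is missing, the attempt named an account that
# pam_unix could not resolve to a local user, so it had nothing to put there.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure; "
    r"logname=(?P<logname>\S*) uid=(?P<uid>\d+) euid=(?P<euid>\d+) "
    r"tty=(?P<tty>\S+) ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S+)"
    r"(?: user=(?P<user>\S+))?\s*$"
)

# Constructed sample log (not from any real host): same layout as the thread's
# excerpt, with RFC 5737 documentation addresses and one unrelated kernel line.
SAMPLE_LOG = """\
Feb 1 22:03:15 server sshd(pam_unix)[26261]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Feb 1 22:03:19 server sshd(pam_unix)[26263]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Feb 1 22:03:24 server sshd(pam_unix)[26265]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ftp
Feb 1 22:03:29 server sshd(pam_unix)[26267]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Feb 1 22:03:33 server sshd(pam_unix)[26269]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Feb 1 22:03:38 server sshd(pam_unix)[26271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Feb 1 22:04:01 server sshd(pam_unix)[26280]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Feb 1 22:04:02 server kernel: some unrelated message
"""


def parse_line(line):
    """Return a dict of fields for a pam_unix failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()          # 'user' is None when the field was absent
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(text):
    """Aggregate failures per remote host: total, attempts with no user=, and named users."""
    per_host = defaultdict(lambda: {"total": 0, "no_user": 0, "users": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_host[rec["rhost"]]
        stats["total"] += 1
        if rec["user"] is None:
            stats["no_user"] += 1
        else:
            stats["users"][rec["user"]] += 1
    return dict(per_host)


def hosts_over_threshold(summary, threshold):
    """Remote hosts whose failure count has reached the cutoff (the DenyHosts idea, simplified)."""
    return sorted(h for h, s in summary.items() if s["total"] >= threshold)


if __name__ == "__main__":
    # Run against a real file with: python3 this_script.py < /var/log/messages
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarize(text)
    for host, stats in sorted(summary.items()):
        print(f"{host}: {stats['total']} failures, {stats['no_user']} with no user=, "
              f"named users: {dict(stats['users'])}")
    print("hosts at or over 5 failures:", hosts_over_threshold(summary, 5))
```

Feeding the real /var/log/messages to the script on stdin gives the per-host picture that the grep above shows for one address; a large no_user count next to a handful of named system accounts (ftp, postfix, apache, named, root) is the usual shape of a scripted username sweep, which is what DenyHosts is counting when it decides to add a host to /etc/hosts.deny.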
 
Old 02-02-2007, 08:01 AM   #2
Huwmungous
LQ Newbie
 
Registered: Feb 2007
Posts: 6

Rep: Reputation: 0
I do my best to report these as often as I can.

I use 'whois' to ID the culprit, and if it's not Chinese or Korean, I mail the abuse recipient.

I generally get good responses from ISPs. Often you find that the 'culprit' is a victim too - unaware their system is doing this.
 
Old 02-03-2007, 01:25 AM   #3
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
Since I'm in the USA, I have a host list that blocks all other countries outside of North America. I can share that with you if you want, but DenyHosts is a good script that does the job well!

Also check your /var/log/auth.log

I also use whois or ipadress.com to locate the source. Mostly they are from Asia, Europe, or South America. I did get one guy from University of North Carolina trying to break into my server.
 
Old 02-11-2007, 07:46 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by natv
Actually first question just so I understand, why do some forum threads here show 'closed'? For example there was another thread related to my question here (http://www.linuxquestions.org/questi...d.php?t=340366) that I was going to reply to but it was closed. Just curious.
Threads are closed for a variety of reasons. In this case, the original thread on that topic became so large and filled with chatter, that it became hard to go through the whole thing and extract anything useful. This concerned me, because at the time a lot of people were getting compromised and it was important to get people informed. So rather than having a huge thread with bits of important info that no one read, I figured I'd take the most useful comments and distill the thread down. The original thread is still around and is open. If you look at the thread stickied at the top of the forum (the closed thread), it contains a link to the original thread. But again it's a huge thread, so if you tack your post onto the very end, then it's likely that a lot of people won't read it. If the stickied thread doesn't answer your question, then I'd recommend starting a new thread (like this one).