Linux - Security (LinuxQuestions.org forum): security related questions, tips, system compromises, firewalls, etc.
Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: check pass; user unknown
Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mayomo.icnhost.net
I'm assuming these are attempts at gaining root access and using mail services? How can I stop these attempts and block the IPs/domains, and check to see if they've been successful? I'm now worried that my lack of attention to logs means I've left myself open to getting screwed.
Well, to stop them, check out a tool like fail2ban, which reads these logs and automatically inserts rules to stop the source IP connecting. If you additionally configure ssh to deny root logins (check /etc/sshd_config), then you should be able to be very comfortable that they won't be able to guess a potentially valid user account to attack before fail2ban has blocked their access. If you already have potential concerns, then a rootkit tool like rkhunter is worth running to check you're OK.
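As an added illustration of what fail2ban does with these lines (this is example code, not the poster's or the fail2ban project's own), the script below parses the `sshd(pam_unix)` "authentication failure" format quoted above, counts failures per `rhost` inside a sliding time window, and reports which hosts would be banned; it also flags any host that later produced an OpenSSH "Accepted ..." login, which answers the "have they been successful" question. The sample log, the host names, and the `maxretry`/`findtime` defaults are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: pam_unix failure lines in the format quoted in the
# thread, plus one OpenSSH "Accepted password" line (assumed format) so the
# success check has something to find. Host names are placeholders.
SAMPLE_LOG = """\
Nov 4 10:52:49 host sshd(pam_unix)[13864]: check pass; user unknown
Nov 4 10:52:49 host sshd(pam_unix)[13864]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.example
Nov 4 10:52:52 host sshd(pam_unix)[13870]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.example
Nov 4 10:52:55 host sshd(pam_unix)[13872]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.example
Nov 4 10:53:01 host sshd(pam_unix)[13875]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.example
Nov 4 10:53:03 host sshd(pam_unix)[13876]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.example
Nov 4 11:30:00 host sshd(pam_unix)[14001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=typo.example
Nov 4 11:31:10 host sshd[14002]: Accepted password for root from attacker.example port 4123 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*\brhost=(\S+)")
OK_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def _ts(text):
    # syslog timestamps carry no year; only differences inside the window matter
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")

def analyse(log, maxretry=5, findtime=600):
    """Return (hosts_to_ban, successful_logins). A host is listed for banning once
    it has `maxretry` failures within any `findtime`-second window (fail2ban-style)."""
    recent = defaultdict(deque)   # rhost -> timestamps of failures still in window
    banned, successes = set(), []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            when, rhost = _ts(m.group(1)), m.group(2)
            q = recent[rhost]
            q.append(when)
            while (when - q[0]).total_seconds() > findtime:  # drop stale failures
                q.popleft()
            if len(q) >= maxretry:
                banned.add(rhost)
            continue
        m = OK_RE.match(line)
        if m:
            successes.append((m.group(2), m.group(3)))    # (user, source host)
    return banned, successes

if __name__ == "__main__":
    banned, successes = analyse(SAMPLE_LOG)
    print("would ban:", sorted(banned))
    for user, src in successes:
        tag = "  <-- from a brute-forcing host, investigate!" if src in banned else ""
        print(f"accepted login: {user} from {src}{tag}")
```

Run it against your real auth log with `analyse(open("/var/log/auth.log").read())`; an "Accepted" line from a host that also tripped the failure threshold is the signal to look at before anything else.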
Thanks. Just started doing some research. Seems these attempts are common. Possibly going to lock all IPs out from ssh except my own and look into fail2ban.
Oh, they are extremely common. Someone has a bot just scanning for port 22 across the net, something answers and a dictionary attack follows... Very rare to actually get compromised, but precautions are obviously good...