LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-07-2007, 03:02 AM   #1
danff
LQ Newbie
 
Registered: Nov 2007
Posts: 2

Rep: Reputation: 0
question about hack attempt


I am fairly new to Linux and am running Linux on a dv server.

I opened up my messages log file for the first time and found hundreds of lines similar to this:
Nov 4 22:22:05 xxxxx sshd(pam_unix)[24000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-219-188-112.hinet-ip.hinet.net user=root
Nov 4 22:22:09 xxxxxx sshd(pam_unix)[24162]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-219-188-112.hinet-ip.hinet.net user=root

and
Nov 4 10:57:28 xxxxxx sshd(pam_unix)[30026]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mayomo.icnhost.net user=root

Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: check pass; user unknown
Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mayomo.icnhost.net
I'm assuming these are attempts at gaining root access and using mail services? How can I stop these attempts and block the IPs/domains and check to see if they've been successful? I'm now worried that my lack of attention to logs means I've left myself open to getting screwed.
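The two questions in the post (how many attempts, and did any succeed?) can be answered from the same log. The script below is an added example, not something posted in the thread: it parses lines in the sshd/pam_unix format shown above, counts failures per source host and per targeted account, lists the hosts a fail2ban-style threshold would block, and, most importantly, flags any successful login ("Accepted ... for USER from HOST", the line sshd writes on success) coming from a host that was also seen failing. The sample lines are constructed with placeholder hosts; the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd/pam_unix format the post shows.
# Hostnames and addresses are documentation placeholders, not real observations.
# The "Accepted ..." lines are the format sshd writes when a login succeeds.
SAMPLE_LOG = """\
Nov 4 22:22:05 host1 sshd(pam_unix)[24000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10 user=root
Nov 4 22:22:09 host1 sshd(pam_unix)[24162]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10 user=root
Nov 4 22:22:14 host1 sshd(pam_unix)[24170]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10 user=root
Nov 4 10:52:49 host1 sshd(pam_unix)[13864]: check pass; user unknown
Nov 4 10:52:49 host1 sshd(pam_unix)[13864]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net
Nov 4 10:57:28 host1 sshd(pam_unix)[30026]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net user=root
Nov 4 23:01:02 host1 sshd[24500]: Accepted password for root from 203.0.113.10 port 51022 ssh2
Nov 5 08:15:00 host1 sshd[25100]: Accepted publickey for admin from 198.51.100.7 port 40122 ssh2
"""

# "authentication failure" lines: capture the remote host and, when present, the user.
# A missing user= is the "check pass; user unknown" case (the account does not exist).
FAILURE_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?rhost=(\S*)(?: user=(\S+))?"
)
# sshd's own success line: authentication method, user and source address.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def failures_by_host(log_text):
    """Count 'authentication failure' lines per remote host (rhost)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1) or "<no rhost>"] += 1
    return counts


def failures_by_user(log_text):
    """Count failures per targeted account; unknown accounts are grouped together."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(2) or "<unknown user>"] += 1
    return counts


def successful_logins(log_text):
    """Return (method, user, source) for every 'Accepted ...' line, in log order."""
    results = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            results.append(m.groups())
    return results


def hosts_to_block(log_text, threshold=3):
    """Hosts with at least `threshold` failures: what a fail2ban-style rule would ban."""
    return sorted(h for h, n in failures_by_host(log_text).items() if n >= threshold)


def suspicious_successes(log_text):
    """Successful logins from a host that also produced failures: the 'did they get in?' check."""
    failing_hosts = set(failures_by_host(log_text))
    return [s for s in successful_logins(log_text) if s[2] in failing_hosts]


if __name__ == "__main__":
    print("failures per host:", dict(failures_by_host(SAMPLE_LOG)))
    print("failures per user:", dict(failures_by_user(SAMPLE_LOG)))
    print("candidates to block:", hosts_to_block(SAMPLE_LOG))
    for method, user, src in suspicious_successes(SAMPLE_LOG):
        print(f"ALERT: {method} login as {user} from {src} after failed attempts")
```

Run it against a real file by reading `/var/log/messages` (or `/var/log/secure` / `auth.log`, depending on the distribution) into `log_text`. The failure counts answer "how often"; any line printed as ALERT is the thing to investigate first, since a password login as root from a host that had just been guessing is exactly what a successful dictionary attack looks like.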
 
Old 11-07-2007, 03:17 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Well, to stop them, check out a tool like fail2ban, which reads these logs and automatically inserts rules to stop the source IP connecting. If you additionally configure ssh to deny root logins (check /etc/sshd_config), then you should be able to be very comfortable that they won't be able to guess a potentially valid user account to attack before fail2ban has blocked their access. If you already have potential concerns then a rootkit tool like rkhunter is worth running to check you're OK.
 
Old 11-07-2007, 03:25 AM   #3
danff
LQ Newbie
 
Registered: Nov 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
Well, to stop them, check out a tool like fail2ban, which reads these logs and automatically inserts rules to stop the source IP connecting. If you additionally configure ssh to deny root logins (check /etc/sshd_config), then you should be able to be very comfortable that they won't be able to guess a potentially valid user account to attack before fail2ban has blocked their access. If you already have potential concerns then a rootkit tool like rkhunter is worth running to check you're OK.
Thx. Just started doing some research. Seems these attempts are common. Possibly going to lock all IPs out from ssh except my own and look into fail2ban.
 
Old 11-07-2007, 03:28 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
Oh, they are extremely common. Someone has a bot just scanning for port 22 across the net, something answers and a dictionary attack follows... Very rare to actually get compromised, but precautions are obviously good...
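The two configuration changes suggested in this thread (deny root logins, and allow ssh only from your own address) both live in the sshd configuration, which on most systems is /etc/ssh/sshd_config. The following added example, not code from the thread, shows a permissive fragment next to a hardened one and a small audit that reads the file the way sshd does (keyword case-insensitive, first occurrence of a directive wins, directives after a `Match` line apply only to matching connections) and reports every directive that is missing or not set to the hardened value. Both config fragments are constructed; the host address in `AllowUsers` is a placeholder. `PasswordAuthentication no` is not mentioned in the thread but is the standard companion to `PermitRootLogin no`, since a dictionary attack has nothing left to guess once passwords are not accepted at all.

```python
import re

# Constructed sshd_config fragments for illustration; not taken from any real host.
WEAK_CONFIG = """\
# permissive: root may log in with a password, so a dictionary attack only needs one password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# restrict who may log in, and from where (user@host pattern; placeholder address)
AllowUsers admin@198.51.100.7
# directives after a Match line apply only to matching connections
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Directives the audit checks, with the value a hardened server should carry.
# An absent directive falls back to the compiled-in default, which differs between
# OpenSSH versions, so "absent" is reported as a finding rather than assumed safe.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}


def global_settings(config_text):
    """Effective global directives: keyword lower-cased, first occurrence wins, stop at Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything below is conditional and does not change the global policy
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit(config_text):
    """Return (directive, actual_or_None, expected) for each directive not at its hardened value."""
    settings = global_settings(config_text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            findings.append((key, actual, expected))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'no findings'}")
```

Point `audit()` at the contents of your own sshd_config to see what it would flag. After editing the real file, `sshd -t` checks the syntax before a restart, and keeping an existing session open while you test a new login from your own address avoids locking yourself out when you add `AllowUsers`.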
 