I get the logs mail to me every morning. I noticed that there is quite a lot of hack attempts.

Can someone explain to me some of what I am seeing.. I think I know but want to be sure my system is safe.

See my comment below beging with >>>>
################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Tue Oct 13 04:02:07 2009
Date Range Processed: yesterday
( 2009-Oct-12 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: myhost.dev
##################################################################

--------------------- httpd Begin ------------------------

Requests with error response codes
404 Not Found
/RBR%20July%20file%20by%20job%20file1.pdf: 1 Time(s)
/robots.txt: 15 Time(s)
http://88.80.7.248/pp/anp.php?a=RRJW...b=1155&c=69c5: 1 Time(s)

>>>>I am guessing this refers to a http request to an invalid page.

---------------------- httpd End -------------------------


--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
unknown (218.159.93.213): 243 Time(s)
root (114.255.40.16): 181 Time(s)
root (218.159.93.213): 77 Time(s)
root (61.129.60.23): 23 Time(s)
nobody (218.159.93.213): 13 Time(s)
root (active.pfingo.com): 6 Time(s)
news (218.159.93.213): 1 Time(s)
root (adsl-065-080-204-061.sip.jax.bellsouth.net): 1 Time(s)
unknown (114.255.40.16): 1 Time(s)
Invalid Users:
Unknown Account: 244 Time(s)

>>>> Someone tired to ssh in but the system did not allow it successfully.

su:
Sessions Opened:
me(uid=xxx) -> root: 1 Time(s)

>>>> OK successful login by me.
---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
61.129.60.23: 23 times
65.80.204.61 (adsl-065-080-204-061.sip.jax.bellsouth.net): 2 times
114.255.40.16: 181 times
203.117.187.184 (active.pfingo.com): 6 times
218.159.93.213: 91 times

Illegal users from:
114.255.40.16: 1 time
218.159.93.213: 243 times

>>>> Someone trying to hack in but not successful.

Users logging in through sshd:
me:
65.80.204.61 (adsl-065-080-204-061.sip.jax.bellsouth.net): 1 time
216.182.91.244 (srv1.jump2go.com): 1 time


Received disconnect:
11: Bye Bye : 544 Time(s)

SFTP subsystem requests: 1 Time(s)

>>>> SFTP was tried? or was successful?

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user vermont : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bank : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user db2inst1 : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user chicago : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user box1 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user blair : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bunny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user truck : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user banner : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user test : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user boss : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user craig : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hvargas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user claudia : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user beny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user duncan : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user SSS : 1 time(s)
PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-065-080-204-061.sip.jax.bellsouth.net user=root : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nonnie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jay : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user support : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user seb : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vmail : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user caesar : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user virtual : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user efax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user DRD : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mark : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user scott : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rose : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user olivia : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user amanda : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sas : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user uucps : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user juan : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jessica : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user davis : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user collins : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user wwi : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user Flerp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bob : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mpo : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user smtp : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pontoBXS : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user hotline : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ifax : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user Administrator : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bastian : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user driver : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user flavia : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jau : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user box2 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user webster : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dick : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user drive : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user valentin : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user edx : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user RPM : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user kevin : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ecircles : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user pxb : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user benny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vitalgaming : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stuart : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user debbie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user clark : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user djl : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zabbix : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user poppie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user roman : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user lance : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user westcado : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cindy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dave : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dan : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user box : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bobby : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user guest : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user postgres : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user srv100 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user chenst : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gbacon : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ts : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bind : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user KPM2003 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dominic : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dexter : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cycle : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jpaleczny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user RFTEST : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user corinna : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mike : 5 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user copy : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cltc : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cynthia : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user daniel : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user stephen : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user alex : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user soporte : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rodgers : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user nagios : 7 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bugs : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user morgan : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bash : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vakc : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dvns : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user gianni : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sarah : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bull : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user danny : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jeff : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user denise : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user emc : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deb : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user JWW : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cvs : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user valerie : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user finney : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jeremy : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mobilej : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cj : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user master : 6 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user carl : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sss : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user carol : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user larry : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jan : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user oracle : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user clinton : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tss : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user kellym03 : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shoutcast : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user echo : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user center : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cesar : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bill : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user diamond : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user fido : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user cluj : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user deborah : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user toor : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user bart : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user svn : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user faxuser : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sxt : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user colleen : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user mcs : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ynm : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user db : 2 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user msh : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user greg : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user jdm : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user rlp : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user slr : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sshuser : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user zimbra : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user sraffay : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user maverick : 4 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user ben : 1 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tucker : 1 time(s)

---------------------- SSHD End -------------------------
>>>> Some sort of bot trying to random gen name and passwd against my system. But not succeeding

--------------------- up2date Begin ------------------------


**Unmatched Entries**
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info
updateLoginInfo() login info

---------------------- up2date End -------------------------
>>>> No idea what that refers too.



###################### Logwatch End #########################

You generally have things sussed out I think, I'd suggest you check out something like fail2ban, which can automatically block these hack attempts.

Sounds like you are running an old RH system. up2date was the mechanism used to update a RH system prior to RHN (Red Hat Network - the subscription service)

I am running. Red Hat Enterprise Linux Server release 5.4 (Tikanga)

what do you mean by "sussed out"...

looked into the fail2ban sw you talked about. Looks interesting. Ill have to test it out.

I tried to get this code for RH but i could only get Fedora and Ubuntu code. the link is broken. I am guessing RH does not keep it in their repository as the yum install command did work for me like it did in fedora.

I dont want to compile it and would like yum to keep it updated. Any thoughts?
google searches turned up a lot of stuff but nothing that was helpful with RH

how hard did you look? Link right there on the project page http://atrpms.net/name/fail2ban/ but as it states on the project page, it's only a python script. you don't *need* a distro specific package at all.

A few comments from me on the Logwatch results.

In order, here is what you should care about:

1. There is a large number of root authentication attempts
2. There is a small number of hosts attacking your box

There are two directives that should be added to (almost) any sshd installation. One of these will help with the root authentication attempts:
This very simple change would make the majority of the access attempts you're seeing more or less benign. (Don't forget to restart sshd when you're done.) For shell accounts on the system, require and enforce strong passwords.

The good news is only a handful of persistent hosts are hassling you. You aren't being attacked in a distributed manner - yet.

-------

edit: There is a deep bag of tricks that you can employ to further secure sshd access (fail2ban is included in that bag), but knock out the basics first.

Ok I was told to get this repo form RHN
http://fedoraproject.org/wiki/EPEL/F..._repository.3F

I followed the install direction and now I get....

yum install fail2ban
Loaded plugins: rhnplugin, security
Bad id for repo: fail2ban repository, byte = 8
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mir...-5&arch=x86_64 error was
[Errno 4] IOError: <urlopen error (101, 'Network is unreachable')>
Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again


Or it just hangs.

yum install fail2ban
Loaded plugins: rhnplugin, security

Exiting on user cancel

To anomie...

I do have PermitRootLogin no and Protocol 2 enabled as you suggested. That was one of the first things I did .

oh ya I know its a script. But I wanted to keep it with a yum install so I would not have to worry about manually changing it or installing it over time.

Things that are not automated seem to get missed or forgotten.

Thanx for the other link. I did not see that in my searches.. may be i was searching wrong.

"network is unreachable", that'll be a network issue then. can you get that url up in a browser from there?

now it looks like I am missing shorewall.. I guess my fedora image has that already. Time to go hunting for it.

I found this but have yet to find a way to bypass the requirement

fail2ban is _capable_ of supporting shorewall (among other things) and even states that "the following software is optional but recommended" with reference to shorewall. However, fail2ban does not _require_ shorewall to function.

yes when i click on the link it comes up fine...