proxy? Still having the issue? can you use curl to get it?

I still have the issue... have not had time to look at it today.

I have more questions....See below..


I am guessing this is www pages that could not be found or accessed? Is this something to worry about and why? How do I prevent it?

Requests with error response codes
404 Not Found
//mysql//scripts/setup.php: 2 Time(s)
//phpMyAdmin//scripts/setup.php: 2 Time(s)
//phpmyadmin//scripts/setup.php: 2 Time(s)
//pma//scripts/setup.php: 2 Time(s)
//scripts/setup.php: 2 Time(s)
/RBR%20July%20me%20xx%20pop%20article.pdf: 1 Time(s)
/contact/contact.htm: 4 Time(s)
/favicon.ico: 3 Time(s)
/index_files/red-line.gif: 6 Time(s)
/robots.txt: 12 Time(s)
/sumthin: 1 Time(s)

---------------------- httpd End -------------------------

These are failed ssh attempts. How do they differ from the list of dictionary attacks I see ?
--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (62.112.195.219): 163 Time(s)
unknown (94.75.250.7): 49 Time(s)
root (58.68.32.172): 21 Time(s)
root (209.178.196.3): 16 Time(s)
unknown (62.112.195.219): 15 Time(s)
root (124.254.14.153): 13 Time(s)
unknown (124.254.14.153): 7 Time(s)
Invalid Users:
Unknown Account: 71 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------

Is this the same as the above stuff? just broken out by IP?

Failed logins from:
58.68.32.172 (abs-static-172.32.68.58.aircel.co.in): 21 times
62.112.195.219: 163 times
124.254.14.153 (undefined.bjgwbn.net.cn): 13 times
209.178.196.3: 32 times

Illegal users from:
62.112.195.219: 15 times
94.75.250.7 (hosted-by.leaseweb.com): 49 times
124.254.14.153 (undefined.bjgwbn.net.cn): 7 times


Received disconnect:
11: Bye Bye : 268 Time(s)



I will be configuring the fail2ban code today but wanted to understand what is going on here.

Thank you

for the 404's if you know you don't have those files, then they can't be exploited, not really worth bothering about, but I think fail2ban can potentially block them too.

the failed attempts do look like the same as the SSHD ones (both 163 for root etc.) so would be handled at the smae time.

another question about sshd_config

Should I turn this on?

Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes <--- is this needed
#MaxAuthTries 6 <--- is this needed and is this for all users or just root user?


...

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no <-- do i need this on?
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no <--- do i need this to be yes?

the other thng that is perplexing me is the

updateLoginInfo error I see in the email. I searched the up2date file and several others so I am not sure where that is set. ????

From what I've read of ShoreWall's documentation, it's not a daemon...it's an editor:

So it is optional...you can use it to simplify your configuration of iptables and Netfilter, but you can also use any other serviceable tool you choose...or none. Go ahead and try to install Fail2Ban without it.

218.159.93.213 - this address is coming from Korea.
114.255.40.16 - this address is coming from China.
61.129.60.23 - this address is also coming from China.

This article might fix your problem for you...

Blocking Traffic by Country on Production Networks
Timothy M. Mullen 2008-07-16
http://www.securityfocus.com/infocus/1900

62.112.195.219 - this address is coming from Hungary
94.75.250.7 - this address is coming from The Netherlands
58.68.32.172 - this address is coming from India
209.178.196.3 - this one's coming from Hackensack, New Jersey
124.254.14.153 - this one's from China again

I don't know if you caught the attention of a hacker's club, or organized crime, or one guy spoofing his IP address, but you'd better batten down the hatches and prepare to ride out the storm. Here's a book I've been reading lately...it's a bit out of date (2003), but full of some very good advice:

Linux Server Security
By Michael D. Bauer
http://www.amazon.com/gp/product/059..._ya_oh_product

Thanx for the info ...

I am still looking for an answer to the above.

I did put in fail2ban and it seems to be blocking some stuff. I am still tweaking it.

StrictModes should be left at the default, Yes - See manpage for details
MaxAuthTries can be changed from 6 if you want, not root specific (why would it be?) - See manpage for details
PermitEmpty passwords should be no unless you want to permit empty passwords - See manpage for details
ChallengeResponseAuthentication can be no if you don't want to do any challenge / response based authentication mechanisms - See manpage for details

"So it is optional...you can use it to simplify your configuration of iptables and Netfilter, but you can also use any other serviceable tool you choose...or none. Go ahead and try to install Fail2Ban without it."

How do i do this?

I get this error when I try to install.

rpm -Uhv --ignoreos fail2ban-0.8.4-23.el5.noarch.rpm
warning: fail2ban-0.8.4-23.el5.noarch.rpm: Header V4 DSA signature: NOKEY, key ID 66534c2b
error: Failed dependencies:
shorewall is needed by fail2ban-0.8.4-23.el5.noarch

this worked but I wonder why it thinks it is required. I still gould nto get the epel stuff to work

rpm -Uhv --ignoreos --nodeps fail2ban-0.8.4-23.el5.noarch.rpm
warning: fail2ban-0.8.4-23.el5.noarch.rpm: Header V4 DSA signature: NOKEY, key ID 66534c2b
Preparing... ########################################### [100%]
1:fail2ban ########################################### [100%]

Looks like I'm off base on this one ...Fail2Ban must use Shorewall to modify the ipTables.


http://www.shorewall.net/download.htm#Distros

I did a little more digging...apparently Shorewall is "required" only because Fedora has been unresponsive in dropping that requirement. Check out these discussions:

www.linux-archive.org/epel-development

bugzilla.redhat.com

Two patches have been proposed to fix that, but neither have been adopted: