LinuxQuestions.org

stf92 08-11-2010 02:19 AM

System subjected to heavy fire on the part of would-be intruders.
 
Kernel 2.6.21.5, GNU (Slackware 12.0).

Hi:
The following are two extracts from /var/log/messages.

Code:

Aug 10 17:29:52 darkstar sshd[11675]: reverse mapping checking getaddrinfo for 116.214.25-66.del.tulipconnect.com [116.214.25.66] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 10 17:29:52 darkstar sshd[11675]: Invalid user plcmspip from 116.214.25.66
Aug 10 17:29:52 darkstar sshd[11675]: Failed password for invalid user plcmspip from 116.214.25.66 port 40032 ssh2
Aug 10 17:29:56 darkstar sshd[11677]: reverse mapping checking getaddrinfo for 116.214.25-66.del.tulipconnect.com [116.214.25.66] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 10 17:29:56 darkstar sshd[11677]: Invalid user plcmspip from 116.214.25.66
Aug 10 17:29:56 darkstar sshd[11677]: Failed password for invalid user plcmspip from 116.214.25.66 port 40111 ssh2

Code:

Aug 10 11:58:14 darkstar sshd[9411]: Failed password for root from 173.192.227.66 port 57216 ssh2
Aug 10 11:58:16 darkstar sshd[9413]: Failed password for root from 173.192.227.66 port 57310 ssh2
Aug 10 11:58:18 darkstar sshd[9415]: Failed password for root from 173.192.227.66 port 57440 ssh2

Does this activity slow down system performance in a sensible way? Thanks in advance.

salasi 08-11-2010 04:34 AM

Quote:

Originally Posted by stf92 (Post 4062654)
Does this activity slow down system performance in a sensible way? Thanks in advance.

Whether there is any noticeable slowdown, or not, I'd be more concerned about whether there are security implications (and, in extremis, a slowdown could be a security implication).

You seem to be under attack from two entirely disparate IP addresses, maybe part of a botnet, maybe coincidence. I know that these days, this is a fact of life, but they are trying the door handles. Be very, very sure that they are not going to find an easy door handle to open; otherwise you are in a world of trouble.

Quote:

Slackware 12.0

Everything patched and up to date?

stf92 08-11-2010 04:49 AM

Well, as a matter of fact, I've disabled the running of the SSH daemon at boot time. In this way, I hope not to see those messages anymore. I do not have any need for remote login to my machine.

However, before I took this measure, there were a couple of things that seemed weird to me and that made me ask this question.

Slackware is currently at 13.x but I've decided my machine can't be overburdened with larger and larger OSs. Thanks for your kind reply.

XavierP 08-11-2010 01:01 PM

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
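
Added example, not posted by anyone in this thread: Python that tallies failed sshd password attempts per source address from lines like the excerpts in the first post, separating names sshd marked "invalid user" from names it did not. It assumes IPv4 sources and the message formats shown in those excerpts; `summarize` and `sources_over` are names chosen for this example.

```python
import re
from collections import defaultdict

# A subset of the lines from the first post, with the wrapped lines rejoined.
SAMPLE_LOG = """\
Aug 10 17:29:52 darkstar sshd[11675]: reverse mapping checking getaddrinfo for 116.214.25-66.del.tulipconnect.com [116.214.25.66] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 10 17:29:52 darkstar sshd[11675]: Invalid user plcmspip from 116.214.25.66
Aug 10 17:29:52 darkstar sshd[11675]: Failed password for invalid user plcmspip from 116.214.25.66 port 40032 ssh2
Aug 10 17:29:56 darkstar sshd[11677]: Failed password for invalid user plcmspip from 116.214.25.66 port 40111 ssh2
Aug 10 11:58:14 darkstar sshd[9411]: Failed password for root from 173.192.227.66 port 57216 ssh2
Aug 10 11:58:16 darkstar sshd[9413]: Failed password for root from 173.192.227.66 port 57310 ssh2
Aug 10 11:58:18 darkstar sshd[9415]: Failed password for root from 173.192.227.66 port 57440 ssh2
"""

# Anchored at end of line: the user name is text chosen by the remote side, so
# the address is read only from the trailing "from <ip> port <n> ssh2".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")
REVERSE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] failed")

def summarize(log_text):
    """Count failed password attempts per source address; "Invalid user" lines
    are skipped because sshd logs one beside each such failed attempt."""
    stats = defaultdict(lambda: {"failed": 0, "valid_users": set(),
                                 "invalid_users": set(), "rdns_failed": False})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failed"] += 1
            # Names without the "invalid user" prefix were not rejected as accounts.
            entry["invalid_users" if m["invalid"] else "valid_users"].add(m["user"])
            continue
        m = REVERSE.search(line)
        if m:
            stats[m["ip"]]["rdns_failed"] = True
    return dict(stats)

def sources_over(stats, threshold):
    """Addresses with at least `threshold` failed password attempts."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s)
```

Failures recorded under `valid_users` deserve the closer look, since those guesses are aimed at a name sshd did not reject as an account.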


All times are GMT -5.