LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-06-2004, 03:08 PM   #1
plan9
Member
 
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74

Rep: Reputation: 15
/var/log/messages shows failed login attempts...


Hey there,

I have been looking through my /var/log/messages file and have found that some ppl. out there are trying to connect to my slack box. It kinda pisses me off that there are ppl. trying to log as root! Should I try to contact the persons isp? How do you find a isp with just a ip address? whois doesn't seem to be doing it.

here's a snip of the log:

mingus -- MARK --
mingus sshd[2252]: Illegal user test from 219.117.251.250
mingus sshd[2252]: Failed password for illegal user test from 219.117.251.250 port 44498 ssh2
mingus sshd[2254]: Illegal user guest from 219.117.251.250
mingus sshd[2254]: Failed password for illegal user guest from 219.117.251.250 port 44551 ssh2
mingus sshd[2256]: Illegal user admin from 219.117.251.250
mingus sshd[2256]: Failed password for illegal user admin from 219.117.251.250 port 44610 ssh2
mingus sshd[2258]: Illegal user admin from 219.117.251.250
mingus sshd[2258]: Failed password for illegal user admin from 219.117.251.250 port 44691 ssh2
mingus sshd[2260]: Illegal user user from 219.117.251.250
mingus sshd[2260]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus sshd[2262]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus sshd[2266]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus sshd[2268]: Illegal user test from 219.117.251.250
mingus sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2
mingus -- MARK --
 
Old 08-06-2004, 03:19 PM   #2
rgiggs
Member
 
Registered: Apr 2004
Location: berkeley, ca
Distribution: slk10, winxp
Posts: 313

Rep: Reputation: 30
i think you can do:
Code:
traceroute <ip address>
 
Old 08-06-2004, 03:31 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
blocking remote root access gives you an additional layer of security...

make sure you have "PermitRootLogin no" in your /etc/ssh/sshd_config

then you can let them try to login as root all they want... they'll get "permission denied" even if they actually guess your correct root password...

=)


Last edited by win32sux; 08-06-2004 at 03:34 PM.
 
Old 08-06-2004, 05:07 PM   #4
cli_man
Member
 
Registered: Apr 2002
Location: New York, USA
Distribution: Redhat 7.2, 9.0 Slackware 9.1
Posts: 428

Rep: Reputation: 30
There has been alot of activity like this happening in the last couple of weeks I have noticed, I run the servers for my local ISP and have noticed them scanning trying to log it, it comes from a compleatly different set of ip's each day though so it doesn't help much to trace it, I think it looks like an automated exploit someone is useing trying common passwords.

I for one have blocked all port 22 incoming except to a couple of ip's in my network and then those can only come from my house and a couple of other known places people need to come in from. I haven't seen any of those login attempts since
 
Old 08-06-2004, 08:22 PM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,089

Rep: Reputation: 299Reputation: 299Reputation: 299
Yeah, I've been noticing a lot of these on servers I run too. You can try to contact the ISP in question (if you go to ARIN they have a mechanism to look up who owns a particular block of IPs), but given that the attempts are probably coming from a box that has itself been cracked some time ago, you're unlikely to ever be able to track down the perpetrators.

Just so long as you don't do something stupid like have a passwordless guest account or a weak root password, these automated attacks aren't likely to do much harm.
 
Old 08-06-2004, 11:16 PM   #6
PhrozenFear
LQ Newbie
 
Registered: Mar 2004
Posts: 2

Rep: Reputation: 0
Sorry to sound stupid, but where does one go to set up certain IP's to have access while others don't ?

Running a bastardized RedHat 9 for HAM radio.


73,

>>VE6MSP
 
Old 08-07-2004, 09:42 AM   #7
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Follow this link...
http://www.linuxquestions.org/questi...hreadid=213582
 
Old 08-08-2004, 12:22 PM   #8
plan9
Member
 
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74

Original Poster
Rep: Reputation: 15
win32sux:

I have foot login disabled in the sshd.config file, thanks tho'.

I was thinking that it looks like a script or a program too- as the login accounts are the same and often times they are tried in the same order, ie: test, admin, guest, and root. It definately looks like some sort of script to me.

a nmap of my system shows no open ports... i am curious how they found me? Do you think that the script/program searches class c's?

thanks,

plan9
 
Old 08-08-2004, 12:52 PM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
by scanning for port 22...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
/var/log/messages is empty, and also dmesg shows nothing beagle2 Linux - General 5 11-08-2005 08:12 AM
Redirecting the kernel messages to file other than /var/log/messages jyotika_b83 Linux - General 3 04-28-2005 06:39 PM
From where am i getting error messages to /var/log/messages? prabhuacsp Programming 3 02-16-2005 08:59 AM
From where am i getting error messages to /var/log/messages? prabhuacsp Linux - Networking 1 02-16-2005 12:34 AM
/var/log/messages full of these messages. Should I be concerned? mdavis Linux - Security 5 04-16-2004 10:08 AM


All times are GMT -5. The time now is 05:33 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration