Hi, I'm getting my hands wet on the ins and outs of Linux servers. I just read /var/log/auth.log and I got a few lines of these messages:
Jun 17 01:49:43 #my_servername dropbear[2659]: Child connection from ::ffff:#IP_ADDRESS:48168
Jun 17 01:49:47 #my_servername dropbear[2659]: exit before auth: Failed to get remote version
Please help me interpret this: are folks trying to connect to my server?
Jun 16 10:06:07 #myservername dropbear[2557]: login attempt for nonexistent user from ::ffff:#ip_address:41268
Jun 16 10:06:07 #myservername dropbear[2557]: exit before auth: Disconnect received
The rest is just a guess, based on what I have seen on my router (running OpenWRT), which has dropbear installed as the ssh server.
I have seen this
Quote:
exit before auth: Disconnect received
when I wanted to use sftp for file-transfer to that device.
For sftp the router needs an sftp-server package installed - if it is not installed, ssh will work while sftp will not - and the attempt will fail with a message like the above.
Someone is trying to connect to you with varying usernames.
If it is just a scan or an honest attempt to get in - I don't know.
Since ssh is open - there is not much you can do about it.
Use a secure password... and maybe some iptables rules to limit the number of allowed connection attempts to a small value per minute/hour, to make a scan more time consuming and prevent DoS.
You can upgrade (?) to a managed support contract, or get to reading. I'd recommend starting with books on Linux for beginners. Depending on what your budget is like, I can also suggest some good professional training classes.
The short answer is you're going to need to lock down sshd further.
I'm just curious: do you prefer OpenSSH to dropbear? If so, why?
My log file is now filled up with login attempts from this IP address. Sigh... one login attempt every minute. Well, whoever is trying to get in, I hope they leave me a note on how to fix any vulnerabilities in my server.
In the meantime, I think I'm better off reading articles on the hosts.deny file. Any advice would be greatly appreciated.
reason:
OpenWRT... the device is a wireless home router, a Siemens SE505 with 4 MB flash and 16 MB RAM.
dropbear is small enough to fit in there along with a whole lot of other programs, making this device an access point and internet gateway in a mesh network consisting of around 500 such nodes, making it probably the largest mesh network in Germany... http://leipzig.freifunk.net/ - the wiki might be the most interesting, but like most everything else it is in German...
so: I actually don't prefer it - it is just the appropriate thing for that kind of device - functionality is equal.
iptables -I INPUT -s xxx.xxx.xxx.xxx/xx -j DROP should do but will keep you busy when they come from elsewhere - as well as it might lock out legitimate users.
hosts.allow/hosts.deny are good if you know from where users (or just you) will connect.
[edit]
AFAIK they need to be complete IP addresses - maybe using a netmask is possible.
restarting dropbear and (x)inetd should do
Ty for the fast reply. You have no idea how frantic I am right now. I absolutely had no idea that my server would be under attack. I don't even have a name server yet! What's more, the hosts.deny is not taking effect. My /var/log/auth.log is still going like crazy. I just hope I can solve this problem before they fill up my hard drive with login attempts! Help!
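As an added example (not from any poster in this thread), here is a small Python script that parses dropbear auth.log lines in the format quoted above and counts, per source IP, child connections, nonexistent-user attempts and sessions that ended before authentication, so the addresses worth putting in an iptables or hosts.deny rule can be read off a real log instead of by eye. The sample log, hostname, PIDs and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the dropbear auth.log format quoted in the thread; the
# hostname, PIDs and documentation-range IPs (192.0.2.x, 198.51.100.x) are made up.
SAMPLE_LOG = """\
Jun 16 10:06:07 myserver dropbear[2557]: Child connection from ::ffff:192.0.2.10:41268
Jun 16 10:06:07 myserver dropbear[2557]: login attempt for nonexistent user from ::ffff:192.0.2.10:41268
Jun 16 10:06:07 myserver dropbear[2557]: exit before auth: Disconnect received
Jun 16 10:07:09 myserver dropbear[2561]: Child connection from ::ffff:192.0.2.10:41302
Jun 16 10:07:09 myserver dropbear[2561]: login attempt for nonexistent user from ::ffff:192.0.2.10:41302
Jun 16 10:07:10 myserver dropbear[2561]: exit before auth: Disconnect received
Jun 17 01:49:43 myserver dropbear[2659]: Child connection from ::ffff:198.51.100.7:48168
Jun 17 01:49:47 myserver dropbear[2659]: exit before auth: Failed to get remote version
"""
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ dropbear\[(\d+)\]: (.*)$")
ADDR_RE = re.compile(r"from (?:::ffff:)?([0-9.]+):\d+$")  # IPv4-mapped or plain IPv4

def parse_line(line):
    """Return (pid, source_ip_or_None, message) for a dropbear line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, msg = m.groups()
    a = ADDR_RE.search(msg)
    return pid, (a.group(1) if a else None), msg

def summarize(log_text):
    """Per source IP: child connections, bad-username attempts, exits before auth."""
    last_ip = {}  # 'exit before auth' has no address: attribute it via the child PID
    stats = defaultdict(lambda: {"connections": 0, "bad_user": 0, "exit_before_auth": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, ip, msg = parsed
        ip = last_ip[pid] = ip or last_ip.get(pid)
        if ip is None:
            continue
        if msg.startswith("Child connection from"):
            stats[ip]["connections"] += 1
        elif msg.startswith("login attempt for nonexistent user"):
            stats[ip]["bad_user"] += 1
        elif msg.startswith("exit before auth"):
            stats[ip]["exit_before_auth"] += 1
    return dict(stats)

def noisy_sources(stats, threshold=2):
    """IPs with at least `threshold` sessions that ended before authenticating."""
    return sorted(ip for ip, s in stats.items() if s["exit_before_auth"] >= threshold)
```

Run it against your own log with `summarize(open("/var/log/auth.log").read())`; a single "Failed to get remote version" is just a port scanner that never spoke SSH, while a steady count of nonexistent-user attempts from one address is the pattern to rate-limit or block.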