LinuxQuestions.org

Thread: What do these logs mean? (https://www.linuxquestions.org/questions/%2Absd-17/what-does-these-logs-mean-233756/)

gani 09-22-2004 04:51 AM

What do these logs mean?
 
I've seen these messages on my XTerm console and I'm wondering what this stuff means:

Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2

It has appeared up to 5 times and then after the fifth appearance a message like this appeared:

Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye

Is it someone from the net invading and trying to crack the root password on my box?

Also lines such as this appeared twice:

Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer

I tracerouted this IP and he's 14 hops from me. Is the time stamp in his local time?

For comments, here is my pf.conf, which I copied from OpenBSD's FAQ page with a few facelifts:

# PF FILTERING RULESET
# DEFINING MY BSD'S MACROS
# rl0 = Realtek 8139, connected to ADSL
# dc0 = Linksys LNE 10/100Tx
# lan_net = local/internal network
# internet_services = 22 (ssh), 113 (Auth/Ident) for SMTP and IRC
# icmp_types = reply to ping echo request
# rfc_addresses = RFC 1918 addresses will be blocked from exiting & entering

ext_if = "rl0"
int_if = "dc0"
lan_net = "192.168.0.0/24"
internet_services = "{ 22, 113}"
icmp_types = "echoreq"
rfc_addresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# OPTION
set block-policy return
set loginterface $ext_if

# SCRUB FRAGMENTED INCOMING PACKETS, DEFRAGMENT

scrub in all

# ENABLE INTERNAL NETWORK ADDRESS TRANSLATIONS

nat on $ext_if from $lan_net to any -> ($ext_if)

# REDIRECTION: ALLOW INT_NETWORK INTERNET FTP ACCESS

# ftp-proxy listens on the loopback host address 127.0.0.1; 127.0.0.0 is the
# network address, not a host, so redirected FTP connections would go nowhere
rdr on $int_if proto tcp from any to any port { 21, 2121 } -> 127.0.0.1 \
port 8021

# SETUP A DEFAULT DENY POLICY

block in all
block out all

# PASS TRAFFIC ON THE LOOPBACK INTERFACE IN EITHER DIRECTION

pass quick on lo all

# ACTIVATE SPOOFING PROTECTION FOR THE INTERNAL INTERFACE

antispoof quick for { lo, $int_if } inet

# RFC 1918 ADDRESSES WILL BE BLOCKED FROM EXITING & ENTERING

block drop in quick on $ext_if from $rfc_addresses to any
block drop out quick on $ext_if from any to $rfc_addresses

# OPEN PORTS FOR SERVICES DEFINED ABOVE TO BE AVAILABLE TO THE INTERNET

pass in on $ext_if proto tcp from any to ($ext_if) \
port $internet_services flags S/SA keep state

# ALLOW ICMP TRAFFIC

pass in inet proto icmp all icmp-type $icmp_types keep state

# PASS TRAFFIC TO/FROM THE INTERNAL NETWORK

pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# PASS OUT ALL TRAFFIC ON $ext_if

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

rjlee 09-22-2004 05:21 AM

Re: What do these logs mean?
 
Quote:

Originally posted by gani
I've seen these messages on my XTerm console and I'm wondering what this stuff means:

Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2

It has appeared up to 5 times and then after the fifth appearance a message like this appeared:

Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye

Is it someone from the net invading and trying to crack the root password on my box?

The log messages mean that someone, whose public IP address is 211.218.149.7, has tried to login through SSH to your machine, with the username of root. After ten attempts, they have (been) disconnected.

If no-one who should have access to your system has the IP address 211.218.149.7, then I'd consider disabling root logins in ssh.conf.

Quote:

Also lines such as this appeared twice:

Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer

I tracerouted this IP and his 14 hops from me. Is the time stamp in his local time?

No, the time stamp is generated by syslog when the log message is written, so it will be in your computer's local time, as returned by the command:
Code:

date
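
The counting rjlee does by eye above (how many "Failed password" lines each source address produced, which usernames it tried, and whether a later login from the same address succeeded) is the kind of thing worth scripting once, because a real authlog holds far more than five lines. The following is an added example written for this page, not code from the thread or from OpenBSD. The sample log is constructed to mirror the lines quoted in the thread (198.51.100.23 is a documentation address, and the "Accepted publickey" line is invented); the regular expressions accept both the real `sshd[5460]` form and the `sshd [5460]` spacing in the poster's transcription. The threshold of five is an assumption, chosen to match the pattern the poster saw: a burst of failures from one address, then a "Received disconnect" as the server cut that connection off.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample authlog, modelled on the lines quoted in the thread (not a
# capture from a real host). 198.51.100.23 is a TEST-NET-2 documentation address.
SAMPLE_AUTHLOG = """\
Sep 23 00:28:12 firewall sshd[5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:12 firewall sshd[24770]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:13 firewall sshd[5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:14 firewall sshd[5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:15 firewall sshd[5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sep 23 00:28:16 firewall sshd[327]: Received disconnect from 211.218.149.7:11: Bye bye
Sep 23 00:28:30 firewall sshd[19747]: fatal: Read from socket failed: Connection reset by peer
Sep 23 00:29:01 firewall sshd[20011]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Sep 23 00:29:02 firewall sshd[20011]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Sep 23 00:31:10 firewall sshd[20400]: Accepted publickey for gani from 192.168.0.5 port 51234 ssh2
"""

# "sshd\s?\[" tolerates the "sshd [5460]" spacing in the poster's transcription
# as well as the real "sshd[5460]" form. "invalid user" marks guesses against
# accounts that do not exist on the box at all.
FAILED_RE = re.compile(
    r"sshd\s?\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\s?\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


@dataclass
class AuthSummary:
    failures: Counter = field(default_factory=Counter)                # ip -> failed logins
    users: dict = field(default_factory=lambda: defaultdict(set))     # ip -> usernames tried
    invalid_users: Counter = field(default_factory=Counter)           # ip -> failures for nonexistent users
    accepted: list = field(default_factory=list)                      # (user, ip, method) per successful login
    suspects: list = field(default_factory=list)                      # ips at/above threshold, most failures first


def summarize(lines, threshold=5):
    """Count failed sshd logins per source address and flag likely guessing."""
    s = AuthSummary()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("ip")
            s.failures[ip] += 1
            s.users[ip].add(m.group("user"))
            if m.group("invalid"):
                s.invalid_users[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s.accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    s.suspects = [ip for ip, n in s.failures.most_common() if n >= threshold]
    return s


def successful_after_failures(summary):
    """Accepted logins from addresses that also produced failures: the case to
    look at first, because it may be a guess that eventually worked."""
    return [(u, ip, m) for (u, ip, m) in summary.accepted if summary.failures.get(ip)]


def report(summary):
    out = []
    for ip in summary.suspects:
        out.append(f"{ip}: {summary.failures[ip]} failed logins, "
                   f"users tried: {sorted(summary.users[ip])}")
    for u, ip, m in successful_after_failures(summary):
        out.append(f"WARNING: {ip} failed repeatedly, then got in as {u} via {m}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:      # e.g. /var/log/authlog on OpenBSD
            print(report(summarize(f)))
    else:
        print(report(summarize(SAMPLE_AUTHLOG.splitlines())))
```

Run it against `/var/log/authlog` and the addresses it lists are candidates for a pf table (`pfctl -t <table> -T add <addr>`); a "WARNING" line, a successful login from an address that had been guessing, is the one result that should not wait until morning.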

gani 09-22-2004 05:54 AM

I just put in that ssh remote login; I won't actually use it, since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Anyway, hackers have nothing really important to find in my practice box, just the config files.

I asked about the time stamp because it seems that it's already 12:28 AM (00:28) on Sept. 23 in his place, and we are still at Sept. 22 here, 6:50 PM, and it looks like he's ahead by almost 7 hrs.

Thanks!

rjlee 09-22-2004 06:01 AM

Quote:

Originally posted by gani
I just put in that ssh remote login; I won't actually use it, since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Anyway, hackers have nothing really important to find in my practice box, just the config files.
An intruder would find a box quite suitable for common intrusive tasks, such as sending spam.

Quote:

I asked about the time stamp because it seems that it's already 12:28 AM (00:28) on Sept. 23 in his place, and we are still at Sept. 22 here, 6:50 PM, and it looks like he's ahead by almost 7 hrs.

Thanks!

It could be that it's reporting in GMT, or that you have the wrong timezone set up.

gani 09-22-2004 08:14 AM

I remember that I set it up using the Singapore time zone, since we lie in the same zone as Singapore, Taiwan, Hong Kong and Perth.

Spam... well, you're right. Why did I never think of that?

Tnx.

chort 09-22-2004 12:31 PM

Edit /etc/ssh/sshd_config and make sure the line
PermitRootLogin
is set to no and does not have a # in front of it, then find the PID of the main sshd (using ps and grep) and send it a -HUP signal using the kill command. If you don't need to ever login to your box from outside your network, then you should remove 22 from internet_services and reload your PF rules.

gani 09-23-2004 01:19 AM

K tnx!

Are these reports also being logged to files? Where can they be found?

What intrusion detection is OBSD using?

And one more: if I want to monitor incoming connections immediately, what command will I have to execute? I just noticed the verbose output some minutes after the box had become idle, just like a screen saver.

OpenBSD is really great! Policing every connection and immediately reporting it verbosely.

Will it be possible to see that via a remote OBSD box?

chort 09-23-2004 02:05 AM

It should be logged to /var/log/authlog

You can see connections in various states with
$ netstat -anf inet |grep -v LISTEN

You can also use
# pfctl -s state
if PF is enabled, this will show traffic that has matched PF rules and is in limbo or established.

