LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices


Reply
  Search this Thread
Old 09-22-2004, 04:51 AM   #1
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Rep: Reputation: 34
What does these logs mean?


I've seen these messages on my XTerm console and I'm wandering what these stuffs mean:

Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2

It has appeared up to 5 times and then after the fifth appearance a message like this appeared:

Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye

Is it someone from the net is envading and trying to crack the root password in my box?

Also lines such as this appeared twice:

Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer

I tracerouted this IP and his 14 hops from me. Is the time stamp in his local time?

For some comments, here is my pf.conf that I copied from OpenBSD's FAQ page and with few facelifts:

# PF FILTERING RULESET
# DEFINING MY BSD'S MACROS
# rl0 = Realtek 8139, connected to ADSL
# dc0 = Linksys LNE 10/100Tx
# lan_net = local/internal network
# internet_services = 22 (ssh), 113 (Auth/Ident) for SMTP and IRC
# icmp_types = reply to ping echo request
# rfc_addresses = RFC 1918 addresses will be blocked from exiting & entering

ext_if = "rl0"
int_if = "dc0"
lan_net = "192.168.0.0/24"
internet_services = "{ 22, 113}"
icmp_types = "echoreq"
rfc_addresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# OPTION
set block-policy return
set loginterface $ext_if

# SCRUB FRAGMENTED INCOMING PACKETS, DEFRAGMENT

scrub in all

# ENABLE INTERNAL NETWORK ADDRESS TRANSLATIONS

nat on $ext_if from $lan_net to any -> ($ext_if)

# REDIRECTION: ALLOW INT_NETWORK INTERNET FTP ACCESS

rdr on $int_if proto tcp from any to any port { 21, 2121 } -> 127.0.0.0 \
port 8021

# SETUP A DEFAULT DENY POLICY

block in all
block out all

# PASS TRAFFIC ON THE LOOPBACK INTERFACE IN EITHER DIRECTION

pass quick on lo all

# ACTIVATE SPOOFING PROTECTION FOR THE INTERNAL INTERFACE

antispoof quick for { lo, $int_if } inet

# RFC 1918 ADDRESSES WILL BE BLOCKED FROM EXITING & ENTERING

block drop in quick on $ext_if from $rfc_addresses to any
block drop out quick on $ext_if from any to $rfc_addresses

# OPEN PORTS FOR SERVICES DEFINED ABOVE TO BE AVAILABE TO THE INTERNET

pass in on $ext_if proto tcp from any to ($ext_if) \
port $internet_services flags S/SA keep state

# ALLOW ICMP TRAFFIC

pass in inet proto icmp all icmp-type $icmp_types keep state

# PASS TRAFFIC TO FROM INTERNAL NETWORK

pass in on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state

# PASS OUT ALL TRAFFIC ON $ext_if

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
 
Old 09-22-2004, 05:21 AM   #2
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,991

Rep: Reputation: 76
Re: What does these logs mean?

Quote:
Originally posted by gani
I've seen these messages on my XTerm console and I'm wandering what these stuffs mean:

Sept. 23 00:28:12 firewall sshd [5460]: Failed password for root from 211.218.149.7 port 45877 ssh2
Sept. 23 00:28:12 firewall sshd [24770]: Failed password for root from 211.218.149.7 port 45877 ssh2

It has appeared up to 5 times and then after the fifth appearance a message like this appeared:

Sept. 23 00:28:16 firewall sshd [327]: Received disconnect from 211.218.149.7:11: Bye bye

Is it someone from the net is envading and trying to crack the root password in my box?
The log messages mean that someone, whose public IP address is 211.218.149.7, has tried to login through SSH to your machine, with the username of root. After ten attempts, they have (been) disconnected.

If no-one who should have access to your system has the IP address 211.218.149.7, then I'd consider disabling root logins in ssh.conf.

Quote:
Also lines such as this appeared twice:

Sept. 23 00:28:30 firewall sshd [19747]: fatal: Read from socket failed: Connection reset by peer

I tracerouted this IP and his 14 hops from me. Is the time stamp in his local time?
No, the time stamp is generated by syslog when the log message is written, so it willl be in your computer's local time, as returned by the command:
Code:
date
 
Old 09-22-2004, 05:54 AM   #3
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Original Poster
Rep: Reputation: 34
I just put that ssh remote login, I won't use it actually since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Enway, hackers has nothing to find really important in my practice box, just the config files.

I asked about the time stamp because it seems that it's already 12:28 (00:28) AM in his place of Sept. 23, and we are still at Sept. 22 here, 6:50PM and it looks like that his ahead by almost 7 hrs.

Thanks!
 
Old 09-22-2004, 06:01 AM   #4
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,991

Rep: Reputation: 76
Quote:
Originally posted by gani
I just put that ssh remote login, I won't use it actually since I'm just practicing with OpenBSD. I will just disable root login as you suggested. Enway, hackers has nothing to find really important in my practice box, just the config files.
An intruder would find a box quite suitable for common intrusive tasks, such as sending spam.

Quote:
I asked about the time stamp because it seems that it's already 12:28 (00:28) AM in his place of Sept. 23, and we are still at Sept. 22 here, 6:50PM and it looks like that his ahead by almost 7 hrs.

Thanks!
It could be that it's reporting in GMT, or that you have the wrong timezone set up.
 
Old 09-22-2004, 08:14 AM   #5
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Original Poster
Rep: Reputation: 34
I remembered that I set it up using Singapore time zone since we lying on the same zone with Singapore, Taiwan, Hongkong and Perth.

Spam....well you're right. Why I never think of that.

Tnx.
 
Old 09-22-2004, 12:31 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
Edit /etc/ssh/sshd_config and make sure the line
PermitRootLogin
is set to no and does not have a # in front of it, then find the PID of the main sshd (using ps and grep) and send it a -HUP signal using the kill command. If you don't need to ever login to your box from outside your network, then you should remove 22 from internet_services and reload your PF rules.
 
Old 09-23-2004, 01:19 AM   #7
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: Linuxmint, Slackware
Posts: 356

Original Poster
Rep: Reputation: 34
K tnx!

Are these reports are also being logged on files? Where can it be found?

What intrusion detection is OBSD using?

And one more, if I want to immediately monitor incoming connections, what command will I have to execute? I just noticed the verbose after some minutes that the box has become idle, just like a screen saver.

OpenBSD is really great! Policing every connections and immediately reporting it verbosely.

Will it be possible seeing that via remote OBSD box?
 
Old 09-23-2004, 02:05 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
It should be logged to /var/log/authlog

You can see connections in various states with
$ netstat -anf inet |grep -v LISTEN

You can also use
# pfctl -s state
if PF is enabled, this will show traffic that has matched PF rules and is in limbo or established.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Ubuntu logs on, then logs back off generallee5686 Ubuntu 0 10-20-2005 01:11 PM
Firewall logs in logs and terminal... robbow52 Debian 7 11-20-2004 07:13 PM
Firefox logs user out? Where are error logs? case1984 Linux - General 0 10-09-2004 02:22 PM
Separate firewall logs and general logs dominant Linux - General 3 04-20-2004 01:26 AM
Apache logs - ???Linux logs??? mylo2003 Linux - General 3 08-07-2003 04:49 PM

LinuxQuestions.org > Forums > Other *NIX Forums > *BSD

All times are GMT -5. The time now is 03:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration