LinuxQuestions.org
Old 02-10-2014, 08:52 AM   #1
piramiday
Member
 
Registered: Sep 2013
Posts: 43

identifying suspicious ssh activity


hey guys,

I've recently found a weird IP address amongst my ntop statistics.
I've managed to get a look at the connection through nethog:
Code:
NetHogs version 0.8.0

  PID USER     PROGRAM                                                   DEV        SENT      RECEIVED
10986 user     sshd: user@pts/0                                          eth1    1293.875     165.113 KB
?     root     192.168.0.10:22-118.123.213.47:42920                                 0.000       0.145 KB
?     root     unknown TCP                                                          0.000       0.000 KB

  TOTAL                                                                          1293.875     165.258 KB
but nethog does not report any PID.
[note: the PID 10986 is mine, I've left it there instead of grepping it away.]
the specified IP address is that of an SSH attacker that has been banned through iptables.
I don't understand whether this is some kind of connection generated by fail2ban or the iptables rdns, or something else.

should I be alerted?
any help's appreciated. thanks!

Last edited by piramiday; 02-10-2014 at 09:09 AM. Reason: clarity
 
Old 02-11-2014, 02:42 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

RCV 0.145 KB: prolly means their initial request, SND: 0.000 KB: prolly means no reply sent back: grep your SSH log for "-i refused" and you should find the IP address.
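The reading in the reply above (bytes received on the local port, nothing sent back, no owning PID) can be checked mechanically. The script below is an added example and not code from the thread or from the nethogs project: it parses a table in the nethogs 0.8.0 layout pasted in post #1, flags flows that received data without any reply, and runs the case-insensitive "refused" search suggested above over a few log lines. All sample data is constructed (the addresses are the ones quoted in the thread; the log lines are made up).

```python
"""Triage nethogs output for inbound flows that got no reply.

Added example, not code from the thread. It assumes the nethogs 0.8.0 text
layout pasted in post #1; every sample below is constructed.
"""
import re

# Constructed: same shape as the nethogs table in post #1.
NETHOGS_SAMPLE = """\
NetHogs version 0.8.0

  PID USER     PROGRAM                              DEV        SENT      RECEIVED
10986 user     sshd: user@pts/0                     eth1    1293.875     165.113 KB
?     root     192.168.0.10:22-118.123.213.47:42920            0.000       0.145 KB
?     root     unknown TCP                                     0.000       0.000 KB

  TOTAL                                                     1293.875     165.258 KB
"""

# Constructed syslog-style lines; the "refused connect" form is what sshd
# logs via TCP wrappers and what `grep -i refused` (post #2) would find.
AUTH_LOG_SAMPLE = """\
Feb 10 08:40:12 host sshd[1234]: refused connect from 118.123.213.47 (118.123.213.47)
Feb 10 08:41:03 host sshd[1240]: Accepted publickey for user from 192.168.0.5 port 51022 ssh2
Feb 10 08:42:57 host sshd[1251]: Connection closed by 192.168.0.5
"""

# pid user program [dev] sent received KB  (program may contain spaces)
FLOW_RE = re.compile(r'^(?P<pid>\S+)\s+(?P<user>\S+)\s+(?P<program>.*?)\s+'
                     r'(?P<sent>\d+\.\d+)\s+(?P<received>\d+\.\d+)\s+KB$')
PAIR_RE = re.compile(r'^(?P<lip>[\d.]+):(?P<lport>\d+)-(?P<rip>[\d.]+):(?P<rport>\d+)$')
DEV_RE = re.compile(r'^[a-z][a-z0-9]*$')  # eth1, wlan0, lo; not "TCP", not an IP pair


def parse_nethogs(text):
    """Return one dict per data row; header, blank and TOTAL rows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m.group('pid') in ('PID', 'TOTAL'):
            continue
        tokens = m.group('program').split()
        dev = tokens.pop() if tokens and DEV_RE.match(tokens[-1]) else None
        program = ' '.join(tokens)
        flow = {
            'pid': None if m.group('pid') == '?' else int(m.group('pid')),
            'user': m.group('user'), 'program': program, 'dev': dev,
            'sent_kb': float(m.group('sent')),
            'received_kb': float(m.group('received')),
            'local_port': None, 'remote_ip': None, 'remote_port': None,
        }
        pair = PAIR_RE.match(program)
        if pair:  # nethogs shows an address pair when it cannot name a process
            flow.update(local_port=int(pair.group('lport')),
                        remote_ip=pair.group('rip'),
                        remote_port=int(pair.group('rport')))
        flows.append(flow)
    return flows


def classify(flow):
    """Verdict for one flow, following the reading given in post #2."""
    if flow['remote_ip'] is None:
        return 'process-owned' if flow['pid'] is not None else 'unattributed'
    if flow['sent_kb'] == 0.0 and flow['received_kb'] > 0.0:
        # Bytes arrived on the local port, nothing went back: consistent with
        # the packet being dropped before any process answered it.
        return 'inbound-no-reply'
    return 'no-owning-process'


def suspicious_flows(text):
    """Flows worth a look: a remote peer sent data and nothing was returned."""
    return [dict(f, verdict=classify(f)) for f in parse_nethogs(text)
            if classify(f) == 'inbound-no-reply']


def find_refused(log_text):
    """Case-insensitive 'refused' search, the grep post #2 suggests."""
    return [line for line in log_text.splitlines() if 'refused' in line.lower()]


if __name__ == '__main__':
    for f in parse_nethogs(NETHOGS_SAMPLE):
        print(f"{str(f['pid']):>6} {classify(f):<18} {f['program']}")
    for line in find_refused(AUTH_LOG_SAMPLE):
        print(line)
```

Run as-is it prints a verdict per row; in practice you would feed it `nethogs -t` (trace mode) output captured to a file. A flow with an address pair instead of a program name, zero bytes sent and a few hundred bytes received is the signature of a packet that reached the host but was never answered, which is exactly what a firewall DROP produces.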
 
Old 02-11-2014, 04:33 PM   #3
piramiday
Member
 
Registered: Sep 2013
Posts: 43

Original Poster
Rep: Reputation: Disabled
I certainly hope so, but please note that the attacker IP has been banned through iptables. there is no entry in /var/log/auth.log... what do you mean by "ssh log"? thanks!
 
Old 02-11-2014, 05:27 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by piramiday View Post
please note that the attacker IP has been banned through iptables.
You say it is but you don't show it is (as in
Code:
# collect the jail names from the "Jail list:" line, then show each jail's status
JAILLIST=($(fail2ban-client status | awk -F':' '/Jail list:/ {print $2}'))
for (( n=0; n<${#JAILLIST[@]}; n++ )); do
    fail2ban-client status "${JAILLIST[$n]//,/}"   # strip the trailing comma
done
or
Code:
grep 'fail2ban.actions:' /var/log/messages
or
Code:
iptables -t filter -nvxL INPUT | grep 118.123.213.47
I mean).


Quote:
Originally Posted by piramiday View Post
there is no entry in /var/log/auth.log... what do you mean with "ssh log"?
Something like /var/log/secure or whatever equivalent that (r)syslog(-ng) logs "authpriv.*" messages to.
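The three checks in the reply above (jail list, fail2ban actions, iptables counters) each produce text that can be verified rather than eyeballed. The script below is an added example, not code from the thread or from the fail2ban project: it parses constructed samples in the shape of `fail2ban-client status`, `fail2ban-client status <jail>` and `iptables -t filter -nvxL`, and answers whether a given address is covered by a DROP/REJECT rule and whether that rule has actually counted packets. The chain name `fail2ban-ssh` and the 203.0.113.0/24 rule are constructed for the sample.

```python
"""Verify that a fail2ban/iptables ban is in place and being hit.

Added example, not code from the thread. Parses the text produced by
`fail2ban-client status`, `fail2ban-client status <jail>` and
`iptables -t filter -nvxL`; all samples are constructed and mimic the
fail2ban 0.8-era layout (per-jail chain named fail2ban-<jail>).
"""
import ipaddress

FAIL2BAN_STATUS_SAMPLE = """\
Status
|- Number of jail:\t2
`- Jail list:\t\tssh, ssh-ddos
"""

JAIL_STATUS_SAMPLE = """\
Status for the jail: ssh
|- filter
|  |- File list:\t/var/log/auth.log
|  |- Currently failed:\t0
|  `- Total failed:\t12
`- action
   |- Currently banned:\t1
   |  `- IP list:\t118.123.213.47
   `- Total banned:\t3
"""

# Constructed `iptables -t filter -nvxL` output: INPUT jumps to the jail chain,
# the jail chain holds the DROP for the banned address.
IPTABLES_SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   40211   3102233 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       0         0 DROP       all  --  *      *       203.0.113.0/24       0.0.0.0/0
  981233 812331020 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain fail2ban-ssh (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       3       180 DROP       all  --  *      *       118.123.213.47       0.0.0.0/0
   40208   3102053 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def jails_from_status(text):
    """Jail names from `fail2ban-client status` (the field the thread's awk picks)."""
    for line in text.splitlines():
        if 'Jail list:' in line:
            names = line.split(':', 1)[1]
            return [n.strip() for n in names.split(',') if n.strip()]
    return []


def banned_ips(jail_text):
    """Currently banned addresses from `fail2ban-client status <jail>`."""
    for line in jail_text.splitlines():
        if 'IP list:' in line:
            return line.split(':', 1)[1].split()
    return []


def parse_iptables(text):
    """Rules from `iptables -nvxL` as dicts; assumes every rule has a target."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith('Chain '):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == 'pkts' or chain is None:
            continue
        rules.append({'chain': chain, 'pkts': int(parts[0]), 'bytes': int(parts[1]),
                      'target': parts[2], 'proto': parts[3], 'source': parts[7],
                      'destination': parts[8], 'extra': ' '.join(parts[9:])})
    return rules


def blocking_rules(text, ip):
    """DROP/REJECT rules, in any chain, whose source covers `ip` (CIDR aware)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in parse_iptables(text):
        if r['target'] not in ('DROP', 'REJECT') or r['source'].startswith('!'):
            continue
        if addr in ipaddress.ip_network(r['source'], strict=False):
            hits.append(r)
    return hits


def ban_verdict(text, ip):
    """'enforced' if a blocking rule has counted packets, 'present-unhit' if it
    exists with zero counters, 'not-blocked' if no rule covers the address."""
    hits = blocking_rules(text, ip)
    if not hits:
        return 'not-blocked'
    return 'enforced' if any(r['pkts'] > 0 for r in hits) else 'present-unhit'


if __name__ == '__main__':
    for jail in jails_from_status(FAIL2BAN_STATUS_SAMPLE):
        print('jail:', jail)
    ip = banned_ips(JAIL_STATUS_SAMPLE)[0]
    for r in blocking_rules(IPTABLES_SAMPLE, ip):
        print(f"{r['chain']}: {r['target']} {r['source']} pkts={r['pkts']}")
    print(ip, ban_verdict(IPTABLES_SAMPLE, ip))
```

One caveat the sample illustrates: `iptables -t filter -nvxL INPUT` lists the INPUT chain only, and fail2ban places its DROP rules in the per-jail chain that INPUT jumps to, so an empty grep on INPUT alone does not prove the address is unbanned; list all chains before drawing that conclusion. A non-zero `pkts` counter on the DROP rule is the firewall-side counterpart of nethogs showing bytes received and none sent.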
 
Old 02-11-2014, 06:02 PM   #5
piramiday
Member
 
Registered: Sep 2013
Posts: 43

Original Poster
Rep: Reputation: Disabled
well, I say it's banned because it shows up in my iptables -L list.

I have no /var/log/secure, and there is no authpriv logfile...

thanks!
 
  

