New to Linux, Getting a logwatch email about Possible Break In Attempt
Hi everyone,
I am new to Linux and I have a dedicated server running CentOS and Plesk 9.2, and I have received a logwatch email talking about a Possible Break In Attempt.
Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.
Any tips or suggestions would be great.
Here is the logwatch output:
Code:
--------------------- pam_unix Begin ------------------------
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
89.175.254.190: 22 times
91.203.224.20 (gate.fly-net.ru): 2 times
186.36.144.229: 216 times
186.83.37.19 (Dynamic-IP-186833719.cable.net.co): 219 times
190.218.187.184 (cpe-001e3348a527.cpe.cableonda.net): 156 times
Illegal users from:
89.175.254.190: 1 time
91.203.224.20 (gate.fly-net.ru): 2 times
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user asis : 1 time(s)
reverse mapping checking getaddrinfo for dynamic-ip-186833719.cable.net.co failed - POSSIBLE BREAK-IN ATTEMPT! : 219 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shit : 1 time(s)
Address 190.218.187.184 maps to cpe-001e3348a527.cpe.cableonda.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 156 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user administrador : 1 time(s)
---------------------- SSHD End -------------------------
Quote:
Originally Posted by Blueleaf
I have received a logwatch email talking about a Possible Break In Attempt.
The "Address X maps to Y, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT" means the hostname does not match what the IP address resolves to. It is seldom related to spoofing these days; more commonly it is bad DNS (PTR) record management.
Quote:
Originally Posted by Blueleaf
Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.
I am new to Linux and I have a dedicated server running CentOS and Plesk 9.2
Please note that being able to run a web-based server management panel does not make one knowledgeable or an "admin" overnight. Please invest time to learn and practice.
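To make the reply above concrete, here is an added example (not code from this thread or from logwatch): a miniature logwatch pass over sshd syslog lines, followed by the forward-confirmed reverse DNS check that sshd runs on every client and that produces the two "POSSIBLE BREAK-IN ATTEMPT" wordings seen in the report. The log lines and the DNS records are constructed for the demo; the two message formats are OpenSSH's own. The point it shows: "reverse mapping checking getaddrinfo ... failed" means the PTR name has no address record at all, while "Address X maps to Y, but this does not map back" means the name resolves, but not to the connecting IP. Neither says anything about the client's intent; the numbers that matter are the failed-password and invalid-user counts next to them.

```shell
#!/bin/sh
# Added example, not code from this thread: a miniature "logwatch" pass over
# sshd syslog lines, plus the forward-confirmed reverse DNS (FCrDNS) check
# that produces the two "POSSIBLE BREAK-IN ATTEMPT" wordings.  The log lines
# and the DNS records below are constructed for the demo; the message
# formats are OpenSSH's own.

# Constructed sshd lines of the kind logwatch summarises.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 04:12:01 srv sshd[2211]: Invalid user asis from 91.203.224.20
Mar  3 04:12:03 srv sshd[2211]: Failed password for invalid user asis from 91.203.224.20 port 40211 ssh2
Mar  3 04:12:09 srv sshd[2214]: Failed password for root from 89.175.254.190 port 51820 ssh2
Mar  3 04:12:10 srv sshd[2214]: Failed password for root from 89.175.254.190 port 51820 ssh2
Mar  3 04:13:40 srv sshd[2230]: reverse mapping checking getaddrinfo for dynamic-ip-186833719.cable.net.co [186.83.37.19] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:13:41 srv sshd[2230]: Failed password for root from 186.83.37.19 port 3044 ssh2
Mar  3 04:15:02 srv sshd[2241]: Address 190.218.187.184 maps to cpe-001e3348a527.cpe.cableonda.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:15:03 srv sshd[2241]: Failed password for invalid user administrador from 190.218.187.184 port 2200 ssh2
EOF
)

# failed_count IP  (log on stdin): number of "Failed password" lines from IP.
failed_count() {
  awk -v ip="$1" '/sshd\[[0-9]+\]: Failed password for / {
    for (i = 1; i < NF; i++) if ($i == "from" && $(i + 1) == ip) n++
  } END { print n + 0 }'
}

# invalid_users IP (log on stdin): names sshd rejected as "Invalid user" from
# IP (logwatch calls these "Illegal users"), one per line, deduplicated.
invalid_users() {
  awk -v ip="$1" '/sshd\[[0-9]+\]: Invalid user / && $NF == ip { print $(NF - 2) }' | sort -u
}

# reverse_mapping_warnings (log on stdin): the client IP of every
# "POSSIBLE BREAK-IN ATTEMPT" line, whichever of sshd's two wordings it uses.
reverse_mapping_warnings() {
  sed -n \
    -e 's/.*reverse mapping checking getaddrinfo for [^ ]* \[\([^]]*\)\] failed.*/\1/p' \
    -e 's/.*Address \([^ ]*\) maps to .*does not map back.*/\1/p'
}

# Constructed DNS records.  On a real server replace these two functions with
#   lookup_ptr() { dig +short -x "$1"; }   lookup_a() { dig +short "$1"; }
# (dig prints PTR names with a trailing dot; strip it before calling lookup_a).
lookup_ptr() {
  case "$1" in
    190.218.187.184) echo cpe-001e3348a527.cpe.cableonda.net ;;
    186.83.37.19)    echo dynamic-ip-186833719.cable.net.co ;;
    91.203.224.20)   echo gate.fly-net.ru ;;
    *) ;;   # no PTR record
  esac
}
lookup_a() {
  case "$1" in
    cpe-001e3348a527.cpe.cableonda.net) echo 190.218.0.1 ;;   # resolves, but elsewhere
    gate.fly-net.ru)                    echo 91.203.224.20 ;;
    *) ;;   # no address record at all
  esac
}

# fcrdns_check IP: the check sshd runs before logging the client, and the
# log text each outcome leads to:
#   ok NAME          forward-confirmed; sshd logs NAME
#   no-ptr           no PTR; sshd quietly logs the bare IP (no warning)
#   no-forward NAME  PTR exists but NAME has no address record
#                    -> "reverse mapping checking getaddrinfo for NAME [IP] failed"
#   mismatch NAME    NAME resolves, but not to IP
#                    -> "Address IP maps to NAME, but this does not map back"
fcrdns_check() {
  ip=$1
  name=$(lookup_ptr "$ip")
  if [ -z "$name" ]; then echo no-ptr; return 1; fi
  addrs=$(lookup_a "$name")
  if [ -z "$addrs" ]; then echo "no-forward $name"; return 1; fi
  for a in $addrs; do
    if [ "$a" = "$ip" ]; then echo "ok $name"; return 0; fi
  done
  echo "mismatch $name"
  return 1
}

# Demo: one line per source, like logwatch's summary but with the DNS verdict.
for ip in 89.175.254.190 91.203.224.20 186.83.37.19 190.218.187.184; do
  printf '%-16s failed=%s invalid=[%s] dns=%s\n' "$ip" \
    "$(printf '%s\n' "$SAMPLE_LOG" | failed_count "$ip")" \
    "$(printf '%s\n' "$SAMPLE_LOG" | invalid_users "$ip" | tr '\n' ' ')" \
    "$(fcrdns_check "$ip")"
done
```

On the box itself the same verdict comes from `host 190.218.187.184` followed by `host` on the name it returns: if the second lookup fails or returns a different address, the warning is explained and there is nothing more to read into it. The functions take the log on stdin, so `failed_count 186.36.144.229 < /var/log/secure` works unchanged on CentOS (sshd logs there, via syslog's authpriv facility).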
Thank you,
I am looking at the following from the Failed SSH link you posted.
Quote:
Make use of the AllowUsers, DenyUsers tags in sshd_config. Make sure you list exactly who should and who should not login. IMO, never, ever allow root.
sshd_config:
Code:
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry
# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc
How would I be able to access the sshd_config file if I disable the root? My user isn't able to edit or modify that file?
Quote:
Originally Posted by Blueleaf
How would I be able to access the sshd_config file if I disable the root? My user isn't able to edit or modify that file?
Disabling root login over the network is a security best practice. It doesn't restrict you from doing damage working as usual. As root install sudo and then edit /etc/sudoers (using visudo, not a text editor!). After disabling root SSH login you log in as unprivileged user and then perform tasks as root using sudo.
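The steps the thread converges on (no root login over SSH, an explicit AllowUsers list, and working as an unprivileged user with sudo) are easy to get wrong by hand-editing a file whose first matching keyword wins. This added example, which is not code from the thread or from OpenSSH, applies those directives to a copy of sshd_config and audits the result, so the change can be rehearsed before touching /etc/ssh/sshd_config. The starting file is constructed to look like a stock CentOS sshd_config; the user names tom, joe and harry are the ones in the quoted snippet.

```shell
#!/bin/sh
# Added example, not code from this thread: set the sshd_config directives the
# thread recommends and verify the result, working on a copy so the procedure
# can be rehearsed before touching /etc/ssh/sshd_config.  The starting file is
# constructed; the user names are the ones in the quoted snippet.

# set_directive FILE KEY VALUE: remove every existing KEY line, commented or
# not (sshd keywords are case-insensitive), and put "KEY VALUE" at the top.
# Top, not bottom: sshd honours the first occurrence of a keyword, and a line
# appended after a "Match" block would silently belong to that block.
set_directive() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  {
    printf '%s %s\n' "$key" "$value"
    awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
      { w = $1; sub(/^#/, "", w) }
      tolower(w) != k
    ' "$file"
  } > "$tmp"
  cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and mode
  rm -f "$tmp"
}

# effective FILE KEY: the value sshd would use (first uncommented match wins).
effective() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }
  ' "$1"
}

# harden_sshd FILE: what the thread asks for.  AllowUsers alone already denies
# every account not listed, so the long DenyUsers/DenyGroups lists are not needed.
harden_sshd() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" PasswordAuthentication no   # keys only; set after your key login works
  set_directive "$1" PubkeyAuthentication yes
  set_directive "$1" AllowUsers "tom joe harry"
}

# audit_sshd FILE: one FAIL line per weak setting; returns 0 only when clean.
# An absent directive counts as weak: the compiled-in defaults for
# PermitRootLogin and PasswordAuthentication on this era's OpenSSH are "yes".
audit_sshd() {
  rc=0
  [ "$(effective "$1" PermitRootLogin)" = no ]        || { echo "FAIL PermitRootLogin is not no"; rc=1; }
  [ "$(effective "$1" PasswordAuthentication)" = no ] || { echo "FAIL PasswordAuthentication is not no"; rc=1; }
  allow=$(effective "$1" AllowUsers)
  [ -n "$allow" ]                                     || { echo "FAIL no AllowUsers list"; rc=1; }
  case " $allow " in
    *" root "*) echo "FAIL root is in AllowUsers"; rc=1 ;;
  esac
  return $rc
}

# Demo on a constructed file shaped like a stock CentOS sshd_config.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
echo "before:"; audit_sshd "$DEMO" || true
harden_sshd "$DEMO"
echo "after:";  audit_sshd "$DEMO" && echo "clean"
cat "$DEMO"
rm -f "$DEMO"
```

Order of operations on the real server matters more than the edit itself: first give your own user sudo rights as root (`visudo`, which locks the file and refuses to save a syntax error; on CentOS the shipped sudoers has a commented `%wheel ALL=(ALL) ALL` line, so uncomment it and run `usermod -aG wheel tom`, or add `tom ALL=(ALL) ALL` directly), confirm `sudo -l` works as that user, and only then run the hardening against /etc/ssh/sshd_config. Check the file with `sshd -t`, reload with `service sshd reload`, and test a fresh login from a second terminal while the current root session stays open, so a mistake in AllowUsers cannot lock you out. Set PasswordAuthentication to no only after key-based login has been verified. Moving sshd to another port, which the original post asked about, merely thins out the scanner noise in logwatch; it does not replace any of these settings.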