These showed up in my logwatch today. Never saw them before and haven't a clue what they are. No idea what ip130.208-100-19.vswitch.static.steadfast.net is or what gethostby is.
Under SSHD
Code:
**Unmatched Entries**
gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net IN A", got type "39" : 6 time(s)
Address 85.17.189.146 maps to hosted-by.leaseweb.com , but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 2 time(s)
gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net IN AAAA", got type "39" : 4 time(s)
What's happening here? And what is type "39"? (I trust that it means "Error! go away!")
What it boils down to is that the guys at static.steadfast.net/leaseweb.com seem to be
using a not yet wholly codified DNS mechanism, one that's not fully satisfying clarity;
the way I see it DNAMEs are bad; others will debate that in favour of the few benefits
they provide.
Thanks, Tink.
But my newbie question is: what was the site trying to do? Why is this under SSHD? Were they trying to log in via SSH? (which would have been rejected) And what is code "39"? Is there a place that lists the codes?
Why those people are trying to connect to your server I cannot answer. Is
there anything ELSE in sshd log that pertains to those IPs?
Yes:
Code:
--------------------- SSHD Begin ------------------------
Failed logins from:
85.17.189.146 (hosted-by.leaseweb.com ): 2 times
root/password: 2 times
208.100.19.130 (ip130.208-100-19.vswitch.static.steadfast.net ): 2 times
root/password: 2 times
So SSHD does a DNS lookup on every failed login? And gethostby() is the function it calls to do that?
(Extensive search for gethostby yielded a lot of hits but no enlightenment).
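An added example, not part of the thread: Python that decodes the two kinds of logwatch line quoted above. The type numbers are from the IANA DNS parameters registry (39 is DNAME), and `maps_back` is the kind of reverse-then-forward lookup behind the "does not map back" warning; the function names and the resolver table are constructed here so it runs offline.

```python
import re
import socket

# DNS resource-record type numbers (subset of the IANA DNS parameters registry).
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
            15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 39: "DNAME"}

GETANSWER = re.compile(
    r'asked for "(?P<name>\S+) IN (?P<asked>\w+)", got type "(?P<got>\d+)"')

def decode_getanswer(line):
    """Return (name, asked_type, got_type_name) for a resolver warning, else None."""
    m = GETANSWER.search(line)
    if not m:
        return None
    got = int(m.group("got"))
    return m.group("name"), m.group("asked"), RR_TYPES.get(got, f"TYPE{got}")

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]                       # PTR lookup

def system_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}  # A/AAAA lookup

def maps_back(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns (hostname or None, confirmed)."""
    try:
        name = reverse(ip)
    except OSError:
        return None, False            # no PTR record at all
    try:
        return name, ip in forward(name)
    except OSError:
        return name, False            # PTR name does not resolve

# Constructed sample: two log lines from the thread plus a fake resolver table.
# The forward address is made up (documentation range), not a real lookup result.
SAMPLE_LOG = [
    'gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net IN A", got type "39"',
    'gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net IN AAAA", got type "39"',
]
FAKE_PTR = {"85.17.189.146": "hosted-by.leaseweb.com"}
FAKE_A = {"hosted-by.leaseweb.com": {"192.0.2.10"}}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(decode_getanswer(line))
    print(maps_back("85.17.189.146", FAKE_PTR.__getitem__, FAKE_A.__getitem__))
```

Calling `maps_back(ip)` with no extra arguments uses the system resolver instead of the constructed table.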