LinuxQuestions.org
Help answer threads with 0 replies.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page attacks noticed /var/mail/root
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-09-2005, 06:52 PM   #1
blizunt7
Member
 
Registered: Mar 2004
Distribution: Fedora Core 1,2,3, RHEL3,4,5 Ubuntu
Posts: 274

Rep: Reputation: 30
attacks noticed /var/mail/root

Hey all, in my ultimate bordeum, i have been searching some log files for any irregular activity. I have found some, and looking for advice.

In the /var/mail/root file, which is very lengthy, i have found requests for ssh2 access using random ports, and random names. Such as:

Invalid user test from ::ffff:202.157.183.2
Failed password for invalid user test from ::ffff:202.157.183.2 port 56961 ssh2
Invalid user guest from ::ffff:202.157.183.2
Failed password for invalid user guest from ::ffff:202.157.183.2 port 57805 ssh2Invalid user admin from ::ffff:202.157.183.2
Failed password for invalid user admin from ::ffff:202.157.183.2 port 58239 ssh2Invalid user admin from ::ffff:202.157.183.2
Failed password for invalid user admin from ::ffff:202.157.183.2 port 58673 ssh2Invalid user user from ::ffff:202.157.183.2
Invalid user server from ::ffff:149.156.153.164
Failed password for invalid user server from ::ffff:149.156.153.164 port 33644 ssh2
Invalid user alan from ::ffff:149.156.153.164
Failed password for invalid user alan from ::ffff:149.156.153.164 port 34458 ssh2
Invalid user frank from ::ffff:149.156.153.164
Failed password for invalid user frank from ::ffff:149.156.153.164 port 34864 ssh2
Invalid user george from ::ffff:149.156.153.164
Failed password for invalid user george from ::ffff:149.156.153.164 port 34870 ssh2


many many lines of this exist. The part that really bugs, me, is the random user names, which leads me to believe this is definitly a hacker tryin to access my system.

My sshd_config file specifies ssh2 protocal, and only 3 usernames.
I have no definitions in my IP tables, as my machine is already behind a filewall.

Does anyone know what or where these requests may be coming from?
And is there anything i can do to prevent such attacks.
 
Old 05-09-2005, 09:39 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There is a large thread posted on this topic towards the top of the forum. You can find info there on the scanning tool (brutessh2) as well as means of preventing it (using key-based authentication, running ssh on an alternate port, limiting access to only a few IPs with hosts.allow/deny).
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
/var/spool/mail/root mail message absalon Linux - General 1 07-04-2005 09:08 PM
sendmail error Fetching mail could not lock /var/spool/mail/username sukhdev50 Linux - Networking 0 05-04-2005 03:41 AM
How to read /var/spool/mail/root? neo_in_matrix Linux - Newbie 1 04-04-2005 08:49 PM
Spam in /var/spool/mail/root Nutska1 Linux - Networking 4 06-11-2004 02:35 PM
/var/spool/mail/root j-me Linux - Newbie 5 02-14-2003 06:48 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:58 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration