Centos 5 vsftpd /var/log/secure question
Hi
This is going to sound REALLY dumb but here goes.
I have just updated my server to Centos 5. According to a swift "yum list" I am running version 2.0.5-10.el5 of vsftpd.i386
My 'logwatch' shows repeated failed attempts to log in to my server's vsftpd daemon as 'root', 'admin' and 'administrator' from a machine identified as 'astroplasma.Berkeley.Edu'.
Scrutiny of /var/log/secure shows multiple entries similar to this
Is there really a hacker inside the Berkeley.Edu domain doing his best to climb into my server in violation of the UK Computer Misuse Act 1990, or can the /var/log/secure entries be 'spoofed' / 'forged' in the same way that email headers can be? Is the /var/log/secure entry created from some sort of reverse DNS lookup, or is it just the text from their "username" prompt?
You see, if someone inside Berkeley.EDU really *IS* trying to grope my server's bits then I feel the need to have him/her spanked, or at least have it pointed out to them that such behaviour, if perpetrated in the UK, gets you prison time.
However I don't want to look a damn fool emailing the abuse department of what is arguably one of the serious computer centres of the world if what's actually happened is some two-bit Romanian or Brazilian has tried to climb in using their domain name in his response to my ftp 'login' prompt!
Any pointers to where I should be looking for answers gratefully received (!)
I have been looking into a similar issue with fail2ban and banning failed vsftpd entries. Basically either somebody has access to their reverse DNS records and spoofed that they are from Berkeley, someone is using a compromised Berkeley computer as a launch point, or someone in Berkeley is actually trying to get into your system. Most likely it's #2, and I would report it to their abuse department (if there was a security breach, they will be happy you did). I also advise you to look into Fail2ban (I have it running on CentOS 5 as well). It does work, but occasionally somebody can screw with their reverse DNS records and you will be unable to ban them. Make sure you disable root logins in vsftpd also.
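An added check for the reverse-DNS question above (written for this thread, not code from the poster, vsftpd or Fail2ban): it parses the pam_unix lines vsftpd writes to /var/log/secure, and, given the client's IP address (vsftpd logs the bare address instead of a name when reverse_lookup_enable=NO in vsftpd.conf), runs a forward-confirmed reverse DNS check to tell a real host from a PTR record someone else controls. The sample log lines and the resolver tables are constructed, and the host names and addresses are placeholders.

```python
import re
import socket

# Constructed sample of pam_unix lines as vsftpd writes them to /var/log/secure (placeholder hosts).
SAMPLE_SECURE_LOG = """\
Apr  3 10:01:12 ftp vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=host1.example.edu
Apr  3 10:01:15 ftp vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=host1.example.edu
Apr  3 10:01:19 ftp vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=administrator rhost=198.51.100.7
Apr  3 10:02:00 ftp sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 4444 ssh2
"""

PAM_FAIL_RE = re.compile(r"pam_unix\(vsftpd:auth\): authentication failure;.*?"
                         r"ruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S+)")

def parse_vsftpd_failures(text):
    """(ruser, rhost) per vsftpd PAM auth failure. rhost is what vsftpd handed
    to PAM: the client's reverse-DNS name (reverse_lookup_enable=YES) or its bare
    IP address; it is never the text the client typed at the login prompt."""
    return [m.group("ruser", "rhost")
            for m in map(PAM_FAIL_RE.search, text.splitlines()) if m]

def fcrdns_verdict(ip, logged_name, reverse=socket.gethostbyaddr,
                   forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS for a client IP and the name it was logged as.
    confirmed: PTR(ip) == logged_name and that name resolves back to ip.
    unconfirmed: PTR matches but the name's A records exclude ip, i.e. whoever
    controls the PTR chose a name they do not own. mismatch / no-ptr otherwise."""
    try:
        ptr = reverse(ip)[0]
    except (socket.herror, socket.gaierror):
        return "no-ptr"
    if ptr.lower() != logged_name.lower():
        return "mismatch"
    try:
        addrs = forward(ptr)[2]
    except socket.gaierror:
        addrs = []
    return "confirmed" if ip in addrs else "unconfirmed"

# Constructed resolver tables standing in for live DNS so the check runs offline.
FAKE_PTR = {"192.0.2.10": "host1.example.edu", "198.51.100.7": "host1.example.edu"}
FAKE_A = {"host1.example.edu": ["192.0.2.10"]}
def fake_reverse(ip):  # same return shape as socket.gethostbyaddr
    if ip in FAKE_PTR:
        return FAKE_PTR[ip], [], [ip]
    raise socket.herror(1, "Unknown host")
def fake_forward(name):  # same return shape as socket.gethostbyname_ex
    if name in FAKE_A:
        return name, [], FAKE_A[name]
    raise socket.gaierror(-2, "Name or service not known")
```

Against live DNS, call fcrdns_verdict(ip, name) with the defaults; 198.51.100.7 above is the case the reply describes, a PTR that points at a name whose forward records do not lead back to it.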
I take back the second-to-last sentence in my first post; it turns out that there were some issues with 0.8.0 of Fail2ban's regex, so now 0.8.1 bans everything. Highly recommended, and pretty easy to set up. Simplest instructions: download it, extract it, run the install script, change the "enabled" to true in jail.conf, and then fail2ban-client start. You should have some way to do that every bootup though (rc.local works fine).