Fedora 11; Missing a day in /var/log/secure Puzzled, and concerned...
Hi,
I have a Fedora 11 server exposed to the Internet through the DMZ in my Astaro security box. Every morning I get an email listing all of the bad attempts to gain ssh access. Most days I get one or two IP addresses that have tried hundreds of times to log in as root, unknown, and/or other well-known users. To date, none have been successful. Every time I find an IP address that has tried this, I look up the network that the IP belongs to, and send them an email along with log entries showing when the foreign host tried to break in. I then add an extra line to iptables blocking the entire class C network around the IP in question. I've been doing this for a few months now, and hopefully, I've helped eliminate at least one or two hackers. (I would love to see footage of an F-16 rolling in on their home, and dropping napalm, but I would settle for just knowing that they lost their ISP.)
My question is that last week when I was checking my logs (/var/log/secure), I noticed that I have an entire day missing. I don't know that this is indicative of a successful break-in because nothing appears to be wrong, but I'm a little concerned. Has anybody else noticed Nov 6th missing from /var/log/secure*?
I know the server was up, and that iptables was active.
Also, I've added some additional lines to iptables after reading an article on security that was supposed to disable a given host for 5 minutes after 5 bad attempts within 5 minutes as a way to automatically block attempts without having to block the IP addresses, and this doesn't seem to be working:
Chain SSH (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 300 name: SSH_COUNTER side: source reject-with icmp-port-unreachable
SSH_BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 5 name: SSH side: source
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 2 name: SSH side: source LOG flags 0 level 4 prefix `Added: '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 name: SSH side: source reject-with icmp-port-unreachable
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: SSH_COUNTER side: source LOG flags 0 level 4 prefix `Removed: '
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SSH side: source
Chain SSH_BLACKLIST (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SSH_COUNTER side: source LOG flags 0 level 4 prefix `Blocked: '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
If anybody has any idea why this is failing, I would appreciate your thoughts.
One other question... Is there any global authority that one should report attempted break-ins to? I would love to contribute in a meaningful way to putting some hackers away.
Regards,
Jerry Lumpkins
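As an added illustration (not part of Jerry's post or of any iptables tool), the Python model below reproduces the kernel xt_recent match semantics and walks connection attempts through the SSH chain in the order listed; the source IP and the attempt times are constructed, and it assumes the INPUT jump into the chain only sees new TCP connections to port 22, which the listing does not show. One caveat the listing itself makes visible: the chain counts new connections (5 within 60 s, then a 300 s block that rule 1 refreshes on every retry), not failed logins, so the "5 bad attempts in 5 minutes" the article promised is not what these rules measure.

```python
from collections import defaultdict

PKT_LIST_TOT = 20  # xt_recent keeps this many timestamps per address (ip_pkt_list_tot default)

class Recent:  # minimal model of xt_recent: named lists of per-address timestamps
    def __init__(self):
        self.lists = defaultdict(dict)

    def _stamp(self, name, ip, now):
        stamps = self.lists[name].setdefault(ip, [])
        stamps.append(now)
        del stamps[:-PKT_LIST_TOT]          # ring buffer: the oldest stamps fall off

    def set(self, name, ip, now):           # --set: always matches and records a hit
        self._stamp(name, ip, now)
        return True

    def remove(self, name, ip):             # --remove: matches if present, drops the entry
        return self.lists[name].pop(ip, None) is not None

    def check(self, name, ip, now, seconds, hit_count=1, update=False):
        """--rcheck / --update: match if >= hit_count stamps fall within `seconds`."""
        stamps = self.lists[name].get(ip)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        matched = hits >= hit_count
        if matched and update:              # --update also records this packet
            self._stamp(name, ip, now)
        return matched

def ssh_chain(r, ip, now):
    """Walk one new connection through the SSH chain exactly as listed in the post."""
    if r.check("SSH_COUNTER", ip, now, 300, update=True):
        return "REJECT (still blacklisted)"      # rule 1: refreshes the 300 s block
    if r.check("SSH", ip, now, 60, hit_count=5):
        r.set("SSH_COUNTER", ip, now)            # SSH_BLACKLIST: LOG 'Blocked:', then REJECT
        return "REJECT (blacklisted)"
    if r.check("SSH", ip, now, 2, update=True):  # rules 3+4: LOG 'Added:', then REJECT
        return "REJECT (rate limit)"
    r.remove("SSH_COUNTER", ip)                  # rule 5: LOG 'Removed:' if it was listed
    r.set("SSH", ip, now)                        # rule 6: record the hit and ACCEPT
    return "ACCEPT"

def run(attempt_times, ip="192.0.2.10"):  # constructed source IP; times in seconds
    r = Recent()
    return [ssh_chain(r, ip, t) for t in attempt_times]
```

Running `run([0, 61, 122, 183, 244, 305])` returns ACCEPT for every attempt, since a source that opens one connection a minute never has 5 stamps inside the 60 s window, and each of those connections can carry several password guesses before sshd closes it (MaxAuthTries defaults to 6).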