I was updating my system with emerge, so I went to read a little bit. When I came back 45 minutes later to check how it was going, my system had rebooted.
I checked in the log, and the last inputs before the system reboot were all like this one:
Code:
Mar 14 14:55:41 MetalGear sshd[2911]: Invalid user oracle from 218.38.18.28
And now, maybe it isn't related to these attacks but to the reboot while emerging, but each time I log on, with any user, I get this output:
Code:
configuration error - unknown item 'FAILLOG_ENAB' (notify administrator)
configuration error - unknown item 'LASTLOG_ENAB' (notify administrator)
configuration error - unknown item 'MOTD_FILE' (notify administrator)
configuration error - unknown item 'FTMP_FILE' (notify administrator)
configuration error - unknown item 'ENV_ROOTPATH' (notify administrator)
configuration error - unknown item 'PASS_MIN_LEN' (notify administrator)
configuration error - unknown item 'CHFN_AUTH' (notify administrator)
Here's a part of the log about these attacks (got it with cat /var/log/messages | grep "Invalid user"). It's just a small part of the output as there's just too much.
Code:
Feb 20 09:36:32 MetalGear sshd[24294]: Invalid user linux from 212.249.5.243
Feb 20 09:14:47 MetalGear sshd[21168]: Invalid user adan from 218.28.168.85
Feb 20 09:15:21 MetalGear sshd[21279]: Invalid user adelbert from 218.28.168.85
Feb 20 09:15:26 MetalGear sshd[21304]: Invalid user adham from 218.28.168.85
Feb 20 09:15:32 MetalGear sshd[21309]: Invalid user adlai from 218.28.168.85
Feb 20 09:15:37 MetalGear sshd[21314]: Invalid user adler from 218.28.168.85
Feb 20 09:21:06 MetalGear sshd[22499]: Invalid user a from 212.249.5.243
Feb 20 09:21:12 MetalGear sshd[22505]: Invalid user b from 212.249.5.243
Feb 20 09:37:09 MetalGear sshd[24459]: Invalid user passwd from 212.249.5.243
Feb 20 09:37:11 MetalGear sshd[24464]: Invalid user change from 212.249.5.243
Feb 20 09:37:13 MetalGear sshd[24469]: Invalid user mwyatt from 212.249.5.243
Feb 20 09:37:22 MetalGear sshd[24484]: Invalid user vcsa from 212.249.5.243
Mar 13 13:09:38 MetalGear sshd[9315]: Invalid user test from 66.232.8.37
Mar 13 13:09:39 MetalGear sshd[9320]: Invalid user guest from 66.232.8.37
Mar 13 13:09:41 MetalGear sshd[9325]: Invalid user admin from 66.232.8.37
Mar 13 13:09:46 MetalGear sshd[9330]: Invalid user admin from 66.232.8.37
Mar 13 13:09:47 MetalGear sshd[9335]: Invalid user user from 66.232.8.37
Mar 13 13:09:55 MetalGear sshd[9355]: Invalid user test from 66.232.8.37
Mar 14 13:06:08 MetalGear sshd[21064]: Invalid user staff from 211.239.154.87
Mar 14 13:06:10 MetalGear sshd[21098]: Invalid user sales from 211.239.154.87
Mar 14 13:06:28 MetalGear sshd[21355]: Invalid user webadmin from 211.239.154.87
I got 1940 of those entries since Feb 20 :S And it's not always the same IP address...
Now, what can I do with this?
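One way to triage the "Invalid user" entries shown above, as an added example that is not part of the original post: group them by source address and report attempts, distinct usernames and time span, so list-driven guessing stands out from an occasional typo. The function names, the default year (syslog lines carry none) and the three-name threshold are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
Feb 20 09:14:47 MetalGear sshd[21168]: Invalid user adan from 218.28.168.85
Feb 20 09:15:21 MetalGear sshd[21279]: Invalid user adelbert from 218.28.168.85
Feb 20 09:15:26 MetalGear sshd[21304]: Invalid user adham from 218.28.168.85
Feb 20 09:21:06 MetalGear sshd[22499]: Invalid user a from 212.249.5.243
Feb 20 09:21:12 MetalGear sshd[22505]: Invalid user b from 212.249.5.243
Mar 13 13:09:38 MetalGear sshd[9315]: Invalid user test from 66.232.8.37
Mar 13 13:09:39 MetalGear sshd[9320]: Invalid user guest from 66.232.8.37
Mar 13 13:09:41 MetalGear sshd[9325]: Invalid user admin from 66.232.8.37
Mar 13 13:09:46 MetalGear sshd[9330]: Invalid user admin from 66.232.8.37
"""

# Also accepts the " port N" suffix that newer OpenSSH releases append.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?\s*$")

def summarize(lines, year=2000):
    """Group 'Invalid user' events by source address; `year` is an assumed value."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd invalid-user line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = by_ip[m["ip"]]
        rec["attempts"] += 1
        rec["users"].add(m["user"])
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
    return dict(by_ip)

def classify(rec, min_users=3):
    # Many distinct names from one address looks like list-driven guessing (assumed threshold).
    return "username-guessing" if len(rec["users"]) >= min_users else "low-volume"

def report(summary):
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["attempts"])
    return [f"{ip:<16} attempts={r['attempts']} users={len(r['users'])} "
            f"span={int((r['last'] - r['first']).total_seconds())}s {classify(r)}"
            for ip, r in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

To run it over the real log, pass `open("/var/log/messages")` to `summarize()` instead of the embedded sample.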