IPs logged as D.C.B.A and sometimes A.B.C.D: how to find which format is logged
I see two different types of log messages in my /var/log/auth.log file.

One is:
Quote:

Quote:
240.135.121.200

Now the log of type one above is also present, and at some places a log of type two. If you note the IP logged in both cases, type one logs it as:
Quote:

which is recorded in reverse fashion. So, like this, at many places the order in which it is recorded is reversed. My problem is: looking at the logs, how do I find the IP from where the connection originated? When is it logged as A.B.C.D and when is it logged as D.C.B.A? I am not sure, from the log of type 1 I quoted above, whether the IP I should block is 115.69.217.3 or 3.217.69.115.
I don't see any issue there at all. The "reverse" IP address, "200.121.135.240.speedy.net.pe", is clearly NOT an IP address, but a hostname, which is totally arbitrary based upon the practices of the ISP. The detail in the square brackets is the real IP address; there is no logical conflict here at all, it is NEVER logged as "D.C.B.A".
There is one more log:
Quote:
I have no idea what you're trying to achieve here. There is no problem to solve.
Quote:
g 17:51:57 sshd[13942]: Invalid user admin from 220.80.107.196
g 17:52:05 sshd[13965]: Invalid user test from 220.80.107.196
g 17:52:13 sshd[13986]: Invalid user test from 220.80.107.196
g 17:52:20 sshd[14009]: Invalid user user from 220.80.107.196
g 17:52:28 sshd[14029]: Invalid user user from 220.80.107.196
g 17:52:36 sshd[14050]: Invalid user user1 from 220.80.107.196
g 17:52:44 sshd[14071]: Invalid user user1 from 220.80.107.196
g 17:52:52 sshd[14092]: Invalid user user1 from 220.80.107.196
g 17:53:00 sshd[14112]: Invalid user user from 220.80.107.196
g 17:53:07 sshd[14133]: Invalid user user1 from 220.80.107.196
sshd[12626]: Did not receive identification string from 220.80.107.196
Pasting some logs and saying nothing else is not useful.
In the above log you see the person with the above IP was trying different user names, and in the last line I read "Did not receive identification string".
So some logs are "Invalid user user1 from 220.80.107.196" while some are "Did not receive identification string from 220.80.107.196", both from the same IP. I want to know, looking at the above logs, what I can deduce: 1) The person was trying different user names on ssh 2) What can I infer from this log?
Quote:
The "Did not receive" messages are probably just dumb port scans. An ssh client will, on connection, tell the server what program it is. A port scan won't bother doing this.
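As an added example (not code from the thread or from any poster), here is a small Python parser for the sshd message forms quoted above. It pulls the connecting address out of each line, treats the name in front of the square brackets as a hostname rather than a reversed IP (the point made in the earlier reply), and tallies "Invalid user" versus "Did not receive identification string" events per address, as the reply above distinguishes them. The sample lines are constructed from the addresses and hostnames quoted in the thread; the "reverse mapping checking getaddrinfo" line is the standard OpenSSH wording and is an assumption, not copied from the poster's log.

```python
"""Extract the originating address from sshd auth.log lines and tally event kinds per IP."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the forms quoted in the thread.
SAMPLE_LOG = """\
Nov 18 17:48:20 host sshd[32092]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:49:02 host sshd[32100]: reverse mapping checking getaddrinfo for 200.121.135.240.speedy.net.pe [240.135.121.200] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 17:51:57 host sshd[13942]: Invalid user admin from 220.80.107.196
Nov 18 17:52:05 host sshd[13965]: Invalid user test from 220.80.107.196
Nov 18 17:53:30 host sshd[12626]: Did not receive identification string from 220.80.107.196
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One pattern per message form. Group "ip" is always the real peer address;
# group "host", where present, is the reverse-DNS name sshd printed next to it.
PATTERNS = [
    ("invalid_user",
     re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>" + IPV4 + r")")),
    ("no_ident",
     re.compile(r"Did not receive identification string from (?P<ip>" + IPV4 + r")")),
    ("rdns_mismatch",
     re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) \[(?P<ip>" + IPV4 + r")\] failed")),
    ("rdns_mismatch",
     re.compile(r"Address (?P<ip>" + IPV4 + r") maps to (?P<host>[^,]+), but this does not map back")),
]


def is_ip(token):
    """True only for a syntactically valid IP address; a hostname like
    200.121.135.240.speedy.net.pe fails this check even though it starts with digits."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Return {"kind", "ip", "host", "user"} for a recognised sshd line, else None."""
    if "sshd[" not in line:
        return None
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            groups = m.groupdict()
            return {
                "kind": kind,
                "ip": groups["ip"],
                "host": groups.get("host"),
                "user": groups.get("user"),
            }
    return None


def summarize(text):
    """Group parsed lines by peer address: event counts plus any hostnames seen."""
    per_ip = defaultdict(lambda: {"events": Counter(), "hosts": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["events"][rec["kind"]] += 1
        if rec["host"]:
            entry["hosts"].add(rec["host"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        kinds = ", ".join(f"{k}={n}" for k, n in sorted(info["events"].items()))
        hosts = ", ".join(sorted(info["hosts"])) or "-"
        print(f"{ip:<16} {kinds:<32} rdns: {hosts}")
```

The address that would go into a firewall rule is always the `ip` field; the `host` field is only what the resolver returned for it and, as the "does not map back" lines show, may not even resolve forward to the same address.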
Ok, you mean to say that in the "Did not receive" line the attacker did not even try a password for some fake account; getting frustrated over whatever password he tried, he tried to scan what service is open at that port?
It's the most likely cause, yes.
Ok, that makes it clear. Thanks for the information.
Please run some of your own tests as well against a non-production ssh server and watch the logs to learn what each piece means.
For instance, what will your logs say if you connect to the SSH port and send the string OMGHAX?

EDIT: don't use an ssh client for the above test. Just connect with something like netcat or telnet.
Quote:
Code:
Nov 18 17:48:20 somedomain sshd[32092]: Address 123.30.187.11 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!