LinuxQuestions.org
Old 08-10-2004, 04:05 PM   #1
4j9er
LQ Newbie
 
Registered: Aug 2004
Posts: 2

Rep: Reputation: 0
Logs Explained - Newbie


Can someone please explain the following log to me? I'm new and would like to understand the basic process of what is exactly occurring.


Aug 6 03:22:58 nestle sshdu[26359]: log: Connection from 213.233.104.142 port 1479
Aug 6 03:22:59 nestle sshdu[26359]: log: reverse mapping checking gethostbyname for 75dial253.xnet.ro failed - POSSIBLE BREAKIN ATTEMPT!
Aug 6 03:23:16 nestle sshdu[26359]: log: Password authentication for root failed.
Aug 6 03:23:16 nestle sshdu[26359]: log: Closing connection to 213.233.104.142

Thanks,

4j9er
 
Old 08-11-2004, 03:45 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,895

Rep: Reputation: 2613
Somebody is trying to connect from IP 213.233.104.142 from port 1479 on that box.
Your sshd does a lookup of the IP address (213.233.104.142), gets the name address 75dial253.xnet.ro,
then uses the library call gethostbyname to see if it gets the orig number IP (213.233.104.142) back again.
It doesn't get the same num back, so it concludes it's a possible break-in attempt, and refuses the connection.
Any legit box should resolve its IP num e.g. 1.2.3.4 to a name address e.g. box1.some.where.ctry,
then if you run gethostbyname on box1.some.where.ctry, you should get 1.2.3.4 returned.

If you go to RIPE Whois you get:

domain-name: xnet.ro
description: MobiFon S.A. - Connex GSM
description: 3, Nerva Traian Street
description: Complex M101, Sector 3
description: Bucharest, Romania

etc....

HTH
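
The lookup sequence described in post #2 (IP to name, then name back to IP), as an added example that is not part of the original thread: it pulls client addresses out of "Connection from" lines and runs the forward-confirmed reverse DNS check on each. The names `fcrdns` and `audit`, the status strings, the resolver tables and the 192.0.2.x log lines are constructed for illustration.

```python
import re
import socket

CONN_RE = re.compile(r"Connection from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def fcrdns(ip, reverse=None, forward=None):
    """IP -> PTR name -> forward lookup; the original IP must come back."""
    # reverse(ip) returns a hostname, forward(name) a list of IPv4 addresses.
    # Both default to the system resolver and raise OSError when a lookup fails.
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = reverse(ip)
    except OSError:
        return ("no-ptr", None)          # address has no reverse record at all
    try:
        addrs = forward(name)
    except OSError:
        return ("forward-failed", name)  # gethostbyname on the name failed, as in the log
    return ("confirmed" if ip in addrs else "mismatch", name)

def audit(log_lines, reverse=None, forward=None):
    """Check each distinct client seen in 'Connection from' lines."""
    results = {}
    for line in log_lines:
        m = CONN_RE.search(line)
        if m and m.group(1) not in results:
            results[m.group(1)] = fcrdns(m.group(1), reverse, forward)
    return results

# Constructed resolver tables so the example runs offline (not live DNS data).
PTR = {"213.233.104.142": "75dial253.xnet.ro", "192.0.2.10": "box1.example.net",
       "192.0.2.66": "box1.example.net"}   # .66: PTR claims a name it does not own
A = {"box1.example.net": ["192.0.2.10"]}   # no forward record for the xnet.ro name

def _lookup(table):
    def resolve(key):
        if key not in table:
            raise OSError("lookup failed: " + key)
        return table[key]
    return resolve

fake_reverse, fake_forward = _lookup(PTR), _lookup(A)
# First line is from the thread; the other three are constructed.
SAMPLE_LOG = [
    "Aug 6 03:22:58 nestle sshdu[26359]: log: Connection from 213.233.104.142 port 1479",
    "Aug 6 03:30:01 nestle sshdu[26360]: log: Connection from 192.0.2.10 port 40022",
    "Aug 6 03:31:44 nestle sshdu[26361]: log: Connection from 192.0.2.66 port 40100",
    "Aug 6 03:32:10 nestle sshdu[26362]: log: Connection from 192.0.2.99 port 40101",
]
```

Calling `audit(SAMPLE_LOG, fake_reverse, fake_forward)` uses the constructed tables; calling `fcrdns(ip)` with no resolver arguments queries the system resolver (IPv4 only).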
 
Old 08-11-2004, 06:15 PM   #3
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
If you filter ssh access down to only known clients, then you can prevent a lot of unwanted activity.
 
Old 08-12-2004, 10:49 AM   #4
4j9er
LQ Newbie
 
Registered: Aug 2004
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the help.

4j9er
 
  

