LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-23-2009, 10:05 AM   #1
mdg
Member
 
Registered: Sep 2003
Distribution: Slackware
Posts: 626

Rep: Reputation: 38
Possible attempted hack?


I have very little experience in security matters, so I would appreciate any input.

Noticed these two notifications in /var/log/messages today:
Code:
Mar 23 10:57:41 slack sshd[12012]: Did not receive identification string from 172.**.***.254
Mar 23 13:24:57 slack sshd[17393]: Failed password for root from 172.**.***.254 port 1459 ssh2
I don't recognize the ip. Is this harmless or should I be concerned?
 
Old 03-23-2009, 10:10 AM   #2
rsciw
Member
 
Registered: Jan 2009
Location: Essex (UK)
Distribution: Home: Debian/Ubuntu, Work: Ubuntu
Posts: 206

Rep: Reputation: 44
that's normal when you have a box connected to the internet (be it directly or through any other means).

some machines out there run port scanners and then (or w/o running scanners before maybe as well *shrug*) run a bot program
to try a combination of usernames & passwords, or only passwords with un=root.

Depending how your machine is set up, it's a risk or not.
external root login is usually disabled, but I think sshd though allows it by default, so have to change that in config.

I usually just add their IPs to the iptables list
 
Old 03-23-2009, 10:31 AM   #3
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167Reputation: 167
Quote:
Originally Posted by mdg View Post
I have very little experience in security matters, so I would appreciate any input.

Noticed these two notifications in /var/log/messages today:
Code:
Mar 23 10:57:41 slack sshd[12012]: Did not receive identification string from 172.**.***.254
Mar 23 13:24:57 slack sshd[17393]: Failed password for root from 172.**.***.254 port 1459 ssh2
I don't recognize the ip. Is this harmless or should I be concerned?
Something like this will get rid of repeated attempts:

Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 360 --hitcount 3 --name SSHATTEMPTS --rsource -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSHATTEMPTS --rsource
Something like this will reject further attempts from that location:

Code:
iptables -I INPUT -s 124.38.246.51 -j DROP
Of course you need to save those somewhere that will be executed on startup if you want them to persist between reboots.

As the other person who replied mentioned, this is a common occurrence for any machine on the internet, if you move the ssh port to something in the normal dataport range you might have better luck not getting port scanned and turning off root logins for ssh is always advisable unless you have a specific need for it.
 
Old 03-23-2009, 10:41 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by mdg
Code:
Mar 23 10:57:41 slack sshd[12012]: Did not receive identification string from 172.**.***.254
Mar 23 13:24:57 slack sshd[17393]: Failed password for root from 172.**.***.254 port 1459 ssh2
I don't recognize the ip. Is this harmless or should I be concerned?
Not harmless. To implement the "disable root login" suggestions, add the following directive to sshd_config and then reload sshd.
Code:
PermitRootLogin no
Going forward, ssh to your server as a regular user and then su to root.
 
Old 03-24-2009, 05:18 AM   #5
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
to get rid of those attempts, i always disable root login in sshd config and install denyhosts (1).
Denyhosts reads the logs then it blocks the ip addresses that try to login with incorrect user or pass via ssh. it uses /etc/hosts.deny


(1) http://denyhosts.sourceforge.net/

regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Attempted to kill init? netnamnetviet Linux - Server 2 03-16-2009 10:43 AM
Attempted to kill init matters Slackware 16 05-22-2007 11:46 AM
What to do about attempted buffer overflows c4onastick Linux - Security 12 11-05-2006 08:04 PM
Attempted advertising ... jarrell Linux - Newbie 1 06-27-2006 01:28 PM
Attempted to get X setup Zeno McDohl Linux - Newbie 1 01-17-2006 12:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:08 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration