Hi
Actually first question just so I understand, why do some forum threads here show 'closed'? For example there was another thread related to my question here (http://www.linuxquestions.org/questi...d.php?t=340366) that I was going to reply to but it was closed. Just curious.
On to my question...
I have a server set up at home for learning purposes (not a production server). I'm also trying to learn more about security as well as Linux in general, so for me it's interesting when someone tries to break in.
I've put DenyHosts on my server so that after a certain number of failed root or other user login attempts, their IP gets automatically added to /etc/hosts.deny and I get emailed about it.
I then check /var/log/messages and see entries like below, which I have a couple of questions about.
I can see in the log file when someone tries to log in as root, postfix, named, etc. But what are the other entries that don't have any username beside them?
For example here is part of an attempt from yesterday:
[root@server ~]# grep 125.7.199.246 /var/log/messages
Feb 1 22:03:15 server sshd(pam_unix)[26261]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:19 server sshd(pam_unix)[26263]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:24 server sshd(pam_unix)[26265]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:29 server sshd(pam_unix)[26267]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:33 server sshd(pam_unix)[26269]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:38 server sshd(pam_unix)[26271]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:42 server sshd(pam_unix)[26273]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:47 server sshd(pam_unix)[26275]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:51 server sshd(pam_unix)[26277]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:56 server sshd(pam_unix)[26279]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:00 server sshd(pam_unix)[26281]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:05 server sshd(pam_unix)[26283]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:09 server sshd(pam_unix)[26285]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:13 server sshd(pam_unix)[26287]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=ftp
Feb 1 22:04:18 server sshd(pam_unix)[26289]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:22 server sshd(pam_unix)[26291]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:27 server sshd(pam_unix)[26293]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:31 server sshd(pam_unix)[26295]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=postfix
Feb 1 22:04:36 server sshd(pam_unix)[26297]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:40 server sshd(pam_unix)[26299]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:45 server sshd(pam_unix)[26301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:04:49 server sshd(pam_unix)[26303]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:54 server sshd(pam_unix)[26305]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:58 server sshd(pam_unix)[26307]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:04 server sshd(pam_unix)[26309]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:08 server sshd(pam_unix)[26311]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:13 server sshd(pam_unix)[26313]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:18 server sshd(pam_unix)[26315]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=apache
Feb 1 22:05:22 server sshd(pam_unix)[26317]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:27 server sshd(pam_unix)[26319]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:31 server sshd(pam_unix)[26321]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:36 server sshd(pam_unix)[26323]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:41 server sshd(pam_unix)[26325]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:45 server sshd(pam_unix)[26327]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:50 server sshd(pam_unix)[26329]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=named
Feb 1 22:05:54 server sshd(pam_unix)[26331]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:05:59 server sshd(pam_unix)[26333]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:04 server sshd(pam_unix)[26335]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:08 server sshd(pam_unix)[26337]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:13 server sshd(pam_unix)[26339]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:18 server sshd(pam_unix)[26341]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:22 server sshd(pam_unix)[26343]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:27 server sshd(pam_unix)[26345]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:31 server sshd(pam_unix)[26349]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:36 server sshd(pam_unix)[26351]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:41 server sshd(pam_unix)[26353]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:06:46 server sshd(pam_unix)[26355]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:51 server sshd(pam_unix)[26357]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:55 server sshd(pam_unix)[26359]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:00 server sshd(pam_unix)[26361]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:05 server sshd(pam_unix)[26363]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:07:09 server sshd(pam_unix)[26365]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Next question, what other log files should I peek in on?
How can I see if my ports are being scanned and from where?
Is the above enough reason to contact the ISP that controls that IP to report this?
Thanks
Nat
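An added example, not part of the original post and not DenyHosts' own code: a short Python tally of sshd(pam_unix) failure lines per remote host, counting entries with and without a user= field separately and emitting /etc/hosts.deny lines for hosts at or over a threshold. The threshold value, the function names and the 192.0.2.10 sample line are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Sample input: five lines in the format of the excerpt above, plus one
# constructed line from a documentation address (192.0.2.10).
SAMPLE = """\
Feb 1 22:03:15 server sshd(pam_unix)[26261]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:03:19 server sshd(pam_unix)[26263]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246
Feb 1 22:04:13 server sshd(pam_unix)[26287]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=ftp
Feb 1 22:04:45 server sshd(pam_unix)[26301]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:06:22 server sshd(pam_unix)[26343]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.7.199.246 user=root
Feb 1 22:10:00 server sshd(pam_unix)[30001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

# rhost= is always present on these lines; the trailing user= field is optional.
FAIL_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: authentication failure;.*?\brhost=(\S+)(?:\s+user=(\S+))?"
)
NO_USER = "(no user= field)"
THRESHOLD = 5  # assumed value for this example


def tally(lines):
    """Return {rhost: Counter({username or NO_USER: failures})}."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = FAIL_RE.search(line)
        if m:  # anything that is not a pam_unix sshd failure is skipped
            per_host[m.group(1)][m.group(2) or NO_USER] += 1
    return per_host


def over_threshold(per_host, threshold=THRESHOLD):
    """Hosts whose total failures (all usernames) reach the threshold."""
    return sorted(h for h, c in per_host.items() if sum(c.values()) >= threshold)


def hosts_deny_lines(hosts):
    """TCP wrappers entries (daemon: client) to append to /etc/hosts.deny."""
    return [f"sshd: {h}" for h in hosts]


if __name__ == "__main__":
    counts = tally(SAMPLE.splitlines())
    for host, users in counts.items():
        print(host, dict(users))
    print("\n".join(hosts_deny_lines(over_threshold(counts))))
```

To run it over the real log, pass the lines of /var/log/messages to `tally()` instead of `SAMPLE`.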