Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-07-2007, 03:02 AM | #1
LQ Newbie
Registered: Nov 2007
Posts: 2
question about hack attempt
I am fairly new to Linux and am running Linux on a dv server.
I opened up my messages log file for the first time and found hundreds of lines similar to this:
Nov 4 22:22:05 xxxxx sshd(pam_unix)[24000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-219-188-112.hinet-ip.hinet.net user=root
Nov 4 22:22:09 xxxxxx sshd(pam_unix)[24162]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61-219-188-112.hinet-ip.hinet.net user=root
and
Nov 4 10:57:28 xxxxxx sshd(pam_unix)[30026]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mayomo.icnhost.net user=root
Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: check pass; user unknown
Nov 4 10:52:49 xxxxxxx sshd(pam_unix)[13864]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mayomo.icnhost.net
I'm assuming these are attempts at gaining root access and using mail services? How can I stop these attempts, block the IPs/domains and check to see if they've been successful? I'm now worried that my lack of attention to logs means I've left myself open to getting screwed.
11-07-2007, 03:17 AM | #2
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, to stop them, check out a tool like fail2ban, which reads these logs and automatically inserts rules to stop the source IP connecting. If you additionally configure SSH to deny root logins (check /etc/sshd_config), then you should be able to be very comfortable that they won't be able to guess a potentially valid user account to attack before fail2ban has blocked their access. If you already have potential concerns, then a rootkit tool like rkhunter is worth running to check you're ok.
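As an added example (not code from the thread or from fail2ban), here is the core of what the reply describes: read the pam_unix "authentication failure" lines in the format the original poster pasted, count failures per rhost in a sliding time window, and report the hosts that cross the threshold. The sample log, host names and PIDs are constructed; the `maxretry`/`findtime` parameter names mirror fail2ban's settings but the script is standalone and only reports, it does not insert firewall rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd(pam_unix) "authentication failure" lines shown in the thread.
# rhost= may be an IP or a hostname; "user=" is absent when the account was unknown.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*?rhost=(?P<rhost>\S*)(?: user=(?P<user>\S+))?"
)

# Constructed sample log in the same format as the original post (hosts are placeholders).
SAMPLE_LOG = """\
Nov  4 10:57:28 srv sshd(pam_unix)[30026]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Nov  4 11:20:02 srv sshd(pam_unix)[30110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example user=root
Nov  4 22:22:05 srv sshd(pam_unix)[24000]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Nov  4 22:22:09 srv sshd(pam_unix)[24162]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Nov  4 22:22:13 srv sshd(pam_unix)[24170]: check pass; user unknown
Nov  4 22:22:13 srv sshd(pam_unix)[24170]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
Nov  4 22:22:17 srv sshd(pam_unix)[24181]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Nov  4 22:22:21 srv sshd(pam_unix)[24190]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
"""


def parse_failures(lines, year=2007):
    """Yield (timestamp, rhost, user) per matching line; syslog omits the year, so one is assumed."""
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue  # "check pass; user unknown" and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("rhost"), m.group("user")


def find_offenders(lines, maxretry=5, findtime=600):
    """Return {rhost: time_threshold_was_hit} for hosts with >= maxretry failures
    inside any findtime-second window (the sliding-window rule fail2ban applies)."""
    windows = defaultdict(deque)
    offenders = {}
    for ts, rhost, _user in sorted(parse_failures(lines), key=lambda t: t[0]):
        if not rhost or rhost in offenders:
            continue
        q = windows[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop failures older than the window
        if len(q) >= maxretry:
            offenders[rhost] = ts
    return offenders


if __name__ == "__main__":
    for host, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {when:%b %d %H:%M:%S} -> {'would be banned'}")
```

The companion hardening the reply mentions is `PermitRootLogin no` in sshd_config, which turns every `user=root` attempt above into a guaranteed failure regardless of password.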
11-07-2007, 03:25 AM | #3
LQ Newbie
Registered: Nov 2007
Posts: 2
Original Poster
Quote: Originally Posted by acid_kewpie
Well, to stop them, check out a tool like fail2ban, which reads these logs and automatically inserts rules to stop the source IP connecting. If you additionally configure SSH to deny root logins (check /etc/sshd_config), then you should be able to be very comfortable that they won't be able to guess a potentially valid user account to attack before fail2ban has blocked their access. If you already have potential concerns, then a rootkit tool like rkhunter is worth running to check you're ok.
Thanks. Just started doing some research; seems these attempts are common. Possibly going to lock all IPs out from SSH except my own and look into fail2ban.
11-07-2007, 03:28 AM | #4
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Oh, they are extremely common. Someone has a bot just scanning for port 22 across the net; something answers and a dictionary attack follows... Very rare to actually get compromised, but precautions are obviously good...