Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)
This happens because you haven't configured a zone for the 192.168.2/24 subnet. If you use this subnet for your LAN, then you should set up a zone for it. Otherwise you can define an empty zone to get rid of these messages.
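As an added example (not code from the thread or from anyone posting in it): a small POSIX shell script that reads logwatch lines like the three quoted above and prints the BIND "zone" stanzas for each distinct /24 reverse zone they name, backed by an empty zone file. That is the "empty zone" fix described in the reply. The three sample lines are copied from the post; the zone file path /etc/bind/db.empty is the Debian location and is an assumption for other distributions.

```shell
#!/bin/sh
# Added example, not from the thread: turn logwatch "RFC 1918 response from
# Internet" lines into BIND empty-zone stanzas for the /24 reverse zones they
# name, so named answers those lookups locally instead of sending them upstream.

# Constructed sample: the three logwatch lines quoted in the thread.
LOGWATCH_SAMPLE='client 127.0.0.1 RFC 1918 response from Internet for 1.2.168.192.in-addr.arpa: 2484 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 100.1.168.192.in-addr.arpa: 6 Time(s)
client 127.0.0.1 RFC 1918 response from Internet for 99.2.168.192.in-addr.arpa: 114 Time(s)'

# reverse_zones: read logwatch lines on stdin and print each distinct /24
# reverse zone, one per line (the host octet, the first label, is dropped).
reverse_zones() {
    sed -n 's/.*RFC 1918 response from Internet for \([0-9.]*\.in-addr\.arpa\).*/\1/p' \
        | cut -d. -f2- \
        | LC_ALL=C sort -u
}

# empty_zone_stanzas: for each zone name on stdin emit a named.conf "zone"
# block served from an empty zone file. /etc/bind/db.empty is the Debian
# path; on other distros the file name and location are an assumption.
empty_zone_stanzas() {
    while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        printf 'zone "%s" {\n\ttype master;\n\tfile "/etc/bind/db.empty";\n};\n' "$zone"
    done
}

# generate_config: full pipeline over the sample; in real use feed it the
# relevant lines from the logwatch mail or the named log instead.
generate_config() {
    printf '%s\n' "$LOGWATCH_SAMPLE" | reverse_zones | empty_zone_stanzas
}

# Stand-alone run: print the stanzas to paste into named.conf.local.
generate_config
```

Paste the output into the named configuration (named.conf.local on Debian) and reload named. Two caveats: current BIND 9 releases already serve built-in empty zones for the RFC 1918 reverse ranges unless empty-zones-enable is turned off or the zone is explicitly forwarded, so check that before adding stanzas by hand; and if a 192.168.x.0/24 range really is your LAN, a proper reverse zone with PTR records is the right fix rather than an empty one.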
This thread may shed some light on what is happening. It kind of looks like you're running a DNS that might not be properly configured. Now if you aren't running a DNS, that might indicate a more serious issue.
As for the FTP brute force, that happens to everyone with an FTP server. If you don't need it accessible from the internet, block it with a firewall. If you do need it accessible from the internet, make sure you've got strong passwords on any accounts that are allowed access.
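As an added example (not code from the thread or from anyone posting in it): POSIX shell plus awk that summarises FAIL LOGIN and OK LOGIN lines per client address from a vsftpd-style log, then flags any client that failed repeatedly and still got in. That is the check to run on the FTP log before deciding the brute force was harmless. The log lines, addresses and user names are constructed for the example and follow vsftpd's vsftpd.log format; for another FTP daemon the match pattern would need adjusting, which is an assumption here.

```shell
#!/bin/sh
# Added example, not from the thread: summarise FTP login attempts per client
# address from vsftpd-style log lines, and flag brute-force sources that
# eventually logged in successfully.

# Constructed sample lines in vsftpd.log format (not a real capture).
FTPLOG_SAMPLE='Mon Mar  5 02:11:01 2012 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  5 02:11:03 2012 [pid 4103] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  5 02:11:05 2012 [pid 4105] [test] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  5 02:11:09 2012 [pid 4107] [ftpuser] OK LOGIN: Client "203.0.113.7"
Mon Mar  5 08:30:00 2012 [pid 4200] [ftpuser] OK LOGIN: Client "192.168.2.99"
Mon Mar  5 09:12:44 2012 [pid 4210] [guest] FAIL LOGIN: Client "198.51.100.23"'

# login_summary: read vsftpd log lines on stdin; print one line per client
# address with its FAIL and OK LOGIN counts, most failures first.
login_summary() {
    awk '
        / (FAIL|OK) LOGIN: Client "/ {
            split($0, q, "\"")                 # the client IP sits between the quotes
            ip = q[2]
            if ($0 ~ / FAIL LOGIN: /) fail[ip]++; else ok[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen)
                printf "%s fail=%d ok=%d\n", ip, fail[ip] + 0, ok[ip] + 0
        }' | LC_ALL=C sort -t= -k2,2nr
}

# successful_after_failures MIN: print clients with at least MIN failed
# logins that also logged in successfully, i.e. a brute force that may have
# worked and whose account needs its password changed and its session checked.
successful_after_failures() {
    login_summary | awk -v min="$1" '
        {
            split($2, f, "="); split($3, o, "=")
            if (f[2] + 0 >= min + 0 && o[2] + 0 > 0) print $1
        }'
}

# Wrappers over the constructed sample; in real use feed the functions the
# log file directly, e.g.  successful_after_failures 5 < /var/log/vsftpd.log
login_summary_sample() { printf '%s\n' "$FTPLOG_SAMPLE" | login_summary; }
suspects_sample() { printf '%s\n' "$FTPLOG_SAMPLE" | successful_after_failures 3; }

# Stand-alone run: the per-client table, then the suspects.
login_summary_sample
suspects_sample
```

A client that appears in the suspects list is the case the thread is worried about: the noise was not just noise. For the rest, the summary tells you which sources to firewall and whether the failures target accounts that actually exist on the box.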
I am not running DNS on this box; I let my ISP handle the DNS records.
So, I got two different opinions... is there a consensus that this is an issue not to worry about, or should I keep digging?
The more I read about FTP, the more I realize someone is always going to be trying to hack it. I will heed your advice and revise my password schemes.
I agree with bathory, so far this looks like a DNS problem that may be innocent, but since we really don't have a lot to go on, it doesn't hurt to dig a little deeper. Things to look at:
lsof -Pwn
ps -afwwwe
netstat -anpe
You're looking for things that shouldn't be there. We could also use a better description of the machine in question, particularly the distro you're using, the services it is hosting and how it is connected to the internet. If you're running a web server, what applications are running on it?
Finally, is this the only logwatch entry for this, or has it been going on for some time? Is there anything else suspicious in the log (particularly before this started)? Were any of the FTP login attempts successful? Have you looked at the log files directly for unusual events? Your comment about passwords is mildly disturbing. Are there any password-based access services besides FTP (I'm thinking SSH) that someone may have been able to access?
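As an added example (not code from the thread or from anyone posting in it): a POSIX shell function that triages the "netstat -anpe" output suggested above by listing every LISTEN socket whose port is not on an allow-list of services you know the box should run. The sample output is constructed, not a real capture; the named listener on port 53 in it is exactly the kind of surprise to look for on a box whose owner says it is not running DNS.

```shell
#!/bin/sh
# Added example, not from the thread: report listening sockets that are not
# on an allow-list, using the layout of "netstat -anpe" output.

# Constructed sample of netstat -anpe output (not a real capture).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          12345      1234/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12346      1235/sshd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          12347      1300/named
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          12348      1236/master
tcp        0      0 10.0.0.5:22             203.0.113.7:51514       ESTABLISHED 0          12349      2001/sshd'

# unexpected_listeners PORT...: read netstat output on stdin and print the
# PID/Program name and local address of each LISTEN socket whose port is not
# among the allowed PORT arguments. The port is taken as the last ":"-separated
# piece of the local address, so IPv6 forms such as :::22 work too.
unexpected_listeners() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $6 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            if (index(allowed, " " port " ") == 0)
                print $NF " listening on " $4
        }'
}

# Stand-alone run over the sample: allow ftp, ssh and local smtp; anything
# else is reported. On a live box:  netstat -anpe | unexpected_listeners 21 22 25
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners 21 22 25
```

Anything the function prints deserves the same treatment the post asks for with lsof and ps: find the PID, check which binary and package it belongs to, and decide whether you installed it. A resolver that is listening when you believe no DNS server is installed is worth explaining before dismissing the logwatch lines.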
You don't need BIND for DNS services, but maybe it's needed by your resolver.
Make sure that there is no entry for localhost in /etc/resolv.conf, and if there is, replace it with your ISP's DNS IP.