Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
08-06-2004, 03:08 PM
|
#1
|
Member
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74
Rep:
|
/var/log/messages shows failed login attempts...
Hey there,
I have been looking through my /var/log/messages file and have found that some ppl. out there are trying to connect to my slack box. It kinda pisses me off that there are ppl. trying to log as root! Should I try to contact the persons isp? How do you find a isp with just a ip address? whois doesn't seem to be doing it.
here's a snip of the log:
mingus -- MARK --
mingus sshd[2252]: Illegal user test from 219.117.251.250
mingus sshd[2252]: Failed password for illegal user test from 219.117.251.250 port 44498 ssh2
mingus sshd[2254]: Illegal user guest from 219.117.251.250
mingus sshd[2254]: Failed password for illegal user guest from 219.117.251.250 port 44551 ssh2
mingus sshd[2256]: Illegal user admin from 219.117.251.250
mingus sshd[2256]: Failed password for illegal user admin from 219.117.251.250 port 44610 ssh2
mingus sshd[2258]: Illegal user admin from 219.117.251.250
mingus sshd[2258]: Failed password for illegal user admin from 219.117.251.250 port 44691 ssh2
mingus sshd[2260]: Illegal user user from 219.117.251.250
mingus sshd[2260]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus sshd[2262]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus sshd[2266]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus sshd[2268]: Illegal user test from 219.117.251.250
mingus sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2
mingus -- MARK --
|
|
|
08-06-2004, 03:19 PM
|
#2
|
Member
Registered: Apr 2004
Location: berkeley, ca
Distribution: slk10, winxp
Posts: 313
Rep:
|
i think you can do:
Code:
traceroute <ip address>
|
|
|
08-06-2004, 03:31 PM
|
#3
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
blocking remote root access gives you an additional layer of security...
make sure you have "PermitRootLogin no" in your /etc/ssh/sshd_config
then you can let them try to login as root all they want... they'll get "permission denied" even if they actually guess your correct root password...
=)
Last edited by win32sux; 08-06-2004 at 03:34 PM.
|
|
|
08-06-2004, 05:07 PM
|
#4
|
Member
Registered: Apr 2002
Location: New York, USA
Distribution: Redhat 7.2, 9.0 Slackware 9.1
Posts: 428
Rep:
|
There has been alot of activity like this happening in the last couple of weeks I have noticed, I run the servers for my local ISP and have noticed them scanning trying to log it, it comes from a compleatly different set of ip's each day though so it doesn't help much to trace it, I think it looks like an automated exploit someone is useing trying common passwords.
I for one have blocked all port 22 incoming except to a couple of ip's in my network and then those can only come from my house and a couple of other known places people need to come in from. I haven't seen any of those login attempts since
|
|
|
08-06-2004, 08:22 PM
|
#5
|
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290
|
Yeah, I've been noticing a lot of these on servers I run too. You can try to contact the ISP in question (if you go to ARIN they have a mechanism to look up who owns a particular block of IPs), but given that the attempts are probably coming from a box that has itself been cracked some time ago, you're unlikely to ever be able to track down the perpetrators.
Just so long as you don't do something stupid like have a passwordless guest account or a weak root password, these automated attacks aren't likely to do much harm.
|
|
|
08-06-2004, 11:16 PM
|
#6
|
LQ Newbie
Registered: Mar 2004
Posts: 2
Rep:
|
Sorry to sound stupid, but where does one go to set up certain IP's to have access while others don't ?
Running a bastardized RedHat 9 for HAM radio.
73,
>>VE6MSP
|
|
|
08-07-2004, 09:42 AM
|
#7
|
Senior Member
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791
Rep:
|
|
|
|
08-08-2004, 12:22 PM
|
#8
|
Member
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74
Original Poster
Rep:
|
win32sux:
I have foot login disabled in the sshd.config file, thanks tho'.
I was thinking that it looks like a script or a program too- as the login accounts are the same and often times they are tried in the same order, ie: test, admin, guest, and root. It definately looks like some sort of script to me.
a nmap of my system shows no open ports... i am curious how they found me? Do you think that the script/program searches class c's?
thanks,
plan9
|
|
|
08-08-2004, 12:52 PM
|
#9
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
by scanning for port 22...
|
|
|
All times are GMT -5. The time now is 02:01 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|