LinuxQuestions.org

Linux - Security: /var/log/secure (https://www.linuxquestions.org/questions/linux-security-4/var-log-secure-745181/)

johnynixon 08-04-2009 11:19 PM

/var/log/secure
 
Hi everyone!

I need your help in resolving this issue, it is giving me a lot of headache. I need to get rid of these failure attempts, and can anybody explain
to me what reverse mapping (which is highlighted) is in the following output, which I took from the log?

Aug 4 03:56:40 localhost sshd[3223]: Failed password for root from 112.216.245.235 port 34158 ssh2
Aug 4 03:56:40 localhost sshd[3224]: Connection closed by 112.216.245.235
Aug 4 07:44:04 localhost sshd[4120]: Did not receive identification string from 201.116.214.67
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for static.customer-201-116-214-67.uninet-ide.com.mx [201.116.214.67] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:46:59 localhost unix_chkpwd[4129]: password check failed for user (root)
Aug 4 07:46:59 localhost sshd[4125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.116.214.67 user=root
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 201.116.214.67 port 59923 ssh2
Aug 4 07:47:01 localhost sshd[4126]: Connection closed by 201.116.214.67
Aug 4 13:00:07 localhost sshd[4655]: Did not receive identification string from 124.126.253.252
Aug 4 13:03:01 localhost sshd[4663]: reverse mapping checking getaddrinfo for 252.253.126.124.broad.bjtelecom.net [124.126.253.252] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 13:03:01 localhost unix_chkpwd[4667]: password check failed for user (root)
Aug 4 13:03:01 localhost sshd[4663]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.126.253.252 user=root
Aug 4 13:03:03 localhost sshd[4663]: Failed password for root from 124.126.253.252 port 54966 ssh2
Aug 4 13:03:03 localhost sshd[4664]: Connection closed by 124.126.253.252
Aug 4 14:11:58 localhost sshd[4783]: Did not receive identification string from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: Address 58.61.149.213 maps to mail.d3zone.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 14:16:04 localhost sshd[4790]: Invalid user staff from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4791]: input_userauth_request: invalid user staff
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: pam_succeed_if(sshd:auth): error retrieving information about user staff
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 58.61.149.213 port 58958 ssh2
Aug 4 14:16:05 localhost sshd[4791]: Connection closed by 58.61.149.213
Aug 4 16:20:13 localhost sshd[5000]: Did not receive identification string from 202.63.117.115
Aug 4 16:23:59 localhost unix_chkpwd[5009]: password check failed for user (root)
Aug 4 16:23:59 localhost sshd[5007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.63.117.115 user=root
Aug 4 16:24:01 localhost sshd[5007]: Failed password for root from 202.63.117.115 port 47528 ssh2
Aug 4 16:24:01 localhost sshd[5008]: Connection closed by 202.63.117.115
Aug 4 17:51:30 localhost sshd[5157]: Did not receive identification string from 124.124.197.18
Aug 4 17:55:30 localhost unix_chkpwd[5168]: password check failed for user (root)
Aug 4 17:55:30 localhost sshd[5164]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18 user=root
Aug 4 17:55:32 localhost sshd[5164]: Failed password for root from 124.124.197.18 port 33687 ssh2
Aug 4 17:55:32 localhost sshd[5165]: Received disconnect from 124.124.197.18: 11: Bye Bye
Aug 4 17:55:39 localhost sshd[5169]: Invalid user admin from 124.124.197.18
Aug 4 17:55:39 localhost sshd[5170]: input_userauth_request: invalid user admin
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18
Aug 4 17:55:39 localhost sshd[5169]: pam_succeed_if(sshd:auth): error retrieving information about user admin


Thanks in advance!!

Regards
Johny

vap16oct1984 08-04-2009 11:58 PM

It is simply a problem with your authentication from one system to the other by using ssh. Check the user name and password that you are giving. Reverse mapping means checking of sshd authentication source to destination and vice versa.

unixfool 08-05-2009 12:01 AM

All of those are break-in attempts. They are very common. As long as you have the SSH service publicly exposed, you're going to see these, especially if you're using the default port. Switching the port to something other than port 22 will get rid of maybe 90% of the logging of such scans (but be aware that this isn't a good way to apply security in general).

There's a sticky thread on SSH brute force attempts. It is very informative. It is highly suggested reading. It will answer any questions you may have.

chrism01 08-05-2009 12:35 AM

http://en.wikipedia.org/wiki/Reverse_DNS_lookup

Basically, disallow root login via ssh. This will prevent automated break-in attempts to root.
Use another acct if you need remote access, then

su -

or

sudo su -

to get to root.
If you don't need remote access, shut down sshd.
You can, as mentioned, move sshd to another random port if you want.
Note that an nmap scan will still show which port sshd is listening on....
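The forward-confirmed reverse DNS check behind the "reverse mapping" messages in the log above, as an added example that is not code from this thread or from OpenSSH. The resolver is an in-memory stub so it runs offline: the PTR names are the ones that appear in the posted log lines, while the forward (A record) data and the 192.0.2.10 / example-ok.invalid host are assumed for illustration.

```python
"""Forward-confirmed reverse DNS check of the kind sshd performs when UseDNS is on.

Added example, not code from the LinuxQuestions thread or from OpenSSH.  The
resolver is a constructed in-memory stub so the example runs offline; the PTR
names are taken from the log lines in the thread, the forward records are
ASSUMED for illustration.
"""

# Constructed PTR (reverse) table: ip -> hostname, None when the PTR lookup fails.
PTR = {
    "201.116.214.67": "static.customer-201-116-214-67.uninet-ide.com.mx",
    "124.126.253.252": "252.253.126.124.broad.bjtelecom.net",
    "58.61.149.213": "mail.d3zone.com",
    "202.63.117.115": None,                  # no PTR at all
    "192.0.2.10": "example-ok.invalid",      # ASSUMED: a properly configured host
}

# Constructed forward (A record) table: hostname -> addresses.  Names that are
# missing here behave like a getaddrinfo() failure.
FORWARD = {
    "mail.d3zone.com": ["58.61.149.200"],    # ASSUMED: resolves, but not to the client IP
    "example-ok.invalid": ["192.0.2.10"],    # ASSUMED: resolves back to the client IP
}


def reverse_lookup(ip):
    """Stub for getnameinfo(): return the PTR name or None."""
    return PTR.get(ip)


def forward_lookup(name):
    """Stub for getaddrinfo(): return the address list, or None if the name does not resolve."""
    return FORWARD.get(name)


def check_reverse_mapping(ip):
    """Return (hostname_to_use, warning_or_None) following sshd's logic.

    sshd first resolves the PTR record for the client address.  If that fails it
    silently uses the address as the name.  If a name comes back, sshd resolves
    that name forward again and expects the client address among the results;
    otherwise it logs one of the two warnings seen in the thread's
    /var/log/secure and still falls back to the bare address as the hostname.
    """
    name = reverse_lookup(ip)
    if name is None:
        return ip, None                      # nothing to verify
    addrs = forward_lookup(name)
    if addrs is None:
        return ip, ("reverse mapping checking getaddrinfo for %s [%s] failed "
                    "- POSSIBLE BREAK-IN ATTEMPT!" % (name, ip))
    if ip not in addrs:
        return ip, ("Address %s maps to %s, but this does not map back to the "
                    "address - POSSIBLE BREAK-IN ATTEMPT!" % (ip, name))
    return name, None                        # forward-confirmed: the name is trustworthy


if __name__ == "__main__":
    for client in ("201.116.214.67", "58.61.149.213", "202.63.117.115", "192.0.2.10"):
        host, warning = check_reverse_mapping(client)
        print(client, "->", host, "|", warning or "ok")
```

Two things worth keeping in mind when reading these lines in a real log: the warning is only about the client's DNS hygiene, sshd does not reject the connection because of it, and the real evidence of the attack is the "Failed password for root" line that follows. Setting `UseDNS no` in sshd_config (the default since OpenSSH 6.8) skips the lookup and the message entirely, which also removes a DNS round trip from every connection; it does nothing about the attempts themselves.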

johnynixon 08-05-2009 12:58 AM

Dear Guys

Thank you verymuch for your valuable comments,
yes as you said , I have already disabled root login and all other users login to bash and have only one user through which i have made access to the server. My doubt is there any security module,for the Intrusion Prevention and Intrusion Detection available? my worry is this numerous login attempts will make my server performance degrading..

is that true that the performance of the system will decrease due to the login attempts?.. or its normal when we have the system exposed to the internet?


Please advice..

Regards
Johny

repo 08-05-2009 01:10 AM

You can use iptables to block the IP after x attempts.
Code:

IPT=/sbin/iptables   # path to iptables; the SSH_CHECK chain must exist before INPUT can jump to it
$IPT -N SSH_CHECK
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
$IPT -A SSH_CHECK -m recent --set --name SSH
$IPT -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

or use fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page
It should be in your repos.
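The "block the IP after x attempts" decision, worked through in Python over the thread's own log lines, as an added example that is not code from this thread, from fail2ban or from OpenSSH. The first sample lines are copied from the posted log; the lines from 17:55:41 onward are constructed to show a burst from one address. `maxretry` and `findtime` borrow fail2ban's parameter names, but the sliding-window logic here is this example's own. Only "Failed password" lines are counted, so the "Invalid user" line that precedes a failed password for an unknown user is not counted twice.

```python
"""Count sshd password failures per source address over a sliding time window
and decide which addresses would be banned, in the spirit of fail2ban's sshd jail.

Added example, not code from the thread, from fail2ban or from OpenSSH.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# First five lines copied from the thread's /var/log/secure; the lines from
# 17:55:41 onward are CONSTRUCTED to show a burst of guesses from one address.
SAMPLE_LOG = """\
Aug 4 03:56:40 localhost sshd[3223]: Failed password for root from 112.216.245.235 port 34158 ssh2
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for static.customer-201-116-214-67.uninet-ide.com.mx [201.116.214.67] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 201.116.214.67 port 59923 ssh2
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 58.61.149.213 port 58958 ssh2
Aug 4 17:55:32 localhost sshd[5164]: Failed password for root from 124.124.197.18 port 33687 ssh2
Aug 4 17:55:39 localhost sshd[5169]: Invalid user admin from 124.124.197.18
Aug 4 17:55:41 localhost sshd[5169]: Failed password for invalid user admin from 124.124.197.18 port 33702 ssh2
Aug 4 17:55:47 localhost sshd[5173]: Failed password for invalid user oracle from 124.124.197.18 port 33710 ssh2
Aug 4 17:55:52 localhost sshd[5177]: Failed password for invalid user test from 124.124.197.18 port 33719 ssh2
Aug 4 18:30:00 localhost sshd[5200]: Failed password for root from 124.124.197.18 port 33800 ssh2
"""

# syslog timestamp (no year, day may be space padded), host, "sshd[pid]:", message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# both "Failed password for root from ..." and "Failed password for invalid user X from ..."
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def parse_failures(text):
    """Yield (timestamp, ip) for every 'Failed password' line, in file order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue                           # reverse mapping, Invalid user, disconnects: not counted
        # syslog omits the year; all lines are assumed to fall within one year
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, f.group("ip")


def count_failures(text):
    """Total failures per source address, with no time window."""
    counts = defaultdict(int)
    for _, ip in parse_failures(text):
        counts[ip] += 1
    return dict(counts)


def find_bans(text, maxretry=3, findtime=600):
    """Return {ip: timestamp_of_ban} for addresses that reached `maxretry`
    failures inside any `findtime`-second window.  An address is banned once;
    later failures from it are ignored, as the firewall would drop them."""
    recent = defaultdict(deque)
    bans = {}
    for ts, ip in parse_failures(text):
        if ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                        # expire failures that fell out of the window
        if len(q) >= maxretry:
            bans[ip] = ts.strftime("%b %d %H:%M:%S")
    return bans


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(find_bans(SAMPLE_LOG))
```

On the posted log alone nothing would be banned with `maxretry=3`: every address in it tries exactly once and moves on, which is the typical pattern of a wide scan rather than a targeted brute force, and is also why such scans cost the server almost nothing beyond the log lines. The constructed burst from 124.124.197.18 trips the threshold at the third failure; the 18:30:00 line, more than ten minutes after the others, shows why `findtime` matters. In production fail2ban does this parsing for you with its sshd filter and adds the iptables rule itself; this block only shows the decision.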

settntrenz 08-06-2009 01:31 AM

If at all possible you should look into only allowing ssh from trusted networks. This can be accomplished by using iptables and/or tcpwrappers. If people have to log in from dynamic or untrusted networks, it is also possible to create a web page they are required to surf to first, which would temporarily allow SSH from the source IP (using a perl script with suid for example).

unSpawn 08-06-2009 02:11 AM

FWIW we have had a sticky thread listing options for ages here: http://www.linuxquestions.org/questi...tempts-340366/

johnynixon 08-07-2009 05:58 AM

Dear All,

Thank you for your valuable information,
I hope this would be helpful for many like me

regards

