LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-04-2009, 11:19 PM   #1
johnynixon
LQ Newbie
 
Registered: Jan 2008
Posts: 6
Blog Entries: 1

Rep: Reputation: 0
/var/log/secure


Hi everyone!

I need your help in resolving this issue; it is giving me a lot of headache. I need to get rid of these failed attempts, and can anybody explain
to me what reverse mapping (which is highlighted) is in the following output, which I took from the log:

Aug 4 03:56:40 localhost sshd[3223]: Failed password for root from 112.216.245.235 port 34158 ssh2
Aug 4 03:56:40 localhost sshd[3224]: Connection closed by 112.216.245.235
Aug 4 07:44:04 localhost sshd[4120]: Did not receive identification string from 201.116.214.67
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for static.customer-201-116-214-67.uninet-ide.com.mx [201.116.214.67] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:46:59 localhost unix_chkpwd[4129]: password check failed for user (root)
Aug 4 07:46:59 localhost sshd[4125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.116.214.67 user=root
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 201.116.214.67 port 59923 ssh2
Aug 4 07:47:01 localhost sshd[4126]: Connection closed by 201.116.214.67
Aug 4 13:00:07 localhost sshd[4655]: Did not receive identification string from 124.126.253.252
Aug 4 13:03:01 localhost sshd[4663]: reverse mapping checking getaddrinfo for 252.253.126.124.broad.bjtelecom.net [124.126.253.252] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 13:03:01 localhost unix_chkpwd[4667]: password check failed for user (root)
Aug 4 13:03:01 localhost sshd[4663]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.126.253.252 user=root
Aug 4 13:03:03 localhost sshd[4663]: Failed password for root from 124.126.253.252 port 54966 ssh2
Aug 4 13:03:03 localhost sshd[4664]: Connection closed by 124.126.253.252
Aug 4 14:11:58 localhost sshd[4783]: Did not receive identification string from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: Address 58.61.149.213 maps to mail.d3zone.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 14:16:04 localhost sshd[4790]: Invalid user staff from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4791]: input_userauth_request: invalid user staff
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: pam_succeed_if(sshd:auth): error retrieving information about user staff
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 58.61.149.213 port 58958 ssh2
Aug 4 14:16:05 localhost sshd[4791]: Connection closed by 58.61.149.213
Aug 4 16:20:13 localhost sshd[5000]: Did not receive identification string from 202.63.117.115
Aug 4 16:23:59 localhost unix_chkpwd[5009]: password check failed for user (root)
Aug 4 16:23:59 localhost sshd[5007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.63.117.115 user=root
Aug 4 16:24:01 localhost sshd[5007]: Failed password for root from 202.63.117.115 port 47528 ssh2
Aug 4 16:24:01 localhost sshd[5008]: Connection closed by 202.63.117.115
Aug 4 17:51:30 localhost sshd[5157]: Did not receive identification string from 124.124.197.18
Aug 4 17:55:30 localhost unix_chkpwd[5168]: password check failed for user (root)
Aug 4 17:55:30 localhost sshd[5164]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18 user=root
Aug 4 17:55:32 localhost sshd[5164]: Failed password for root from 124.124.197.18 port 33687 ssh2
Aug 4 17:55:32 localhost sshd[5165]: Received disconnect from 124.124.197.18: 11: Bye Bye
Aug 4 17:55:39 localhost sshd[5169]: Invalid user admin from 124.124.197.18
Aug 4 17:55:39 localhost sshd[5170]: input_userauth_request: invalid user admin
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18
Aug 4 17:55:39 localhost sshd[5169]: pam_succeed_if(sshd:auth): error retrieving information about user admin


Thanks in advance!!

Regards
Johny
 
Old 08-04-2009, 11:58 PM   #2
vap16oct1984
Member
 
Registered: Jun 2009
Location: INDIA
Distribution: RHEL-5
Posts: 174
Blog Entries: 3

Rep: Reputation: 38
It is simply a problem with your authentication from one system to another using ssh. Check the user name and password that you are giving. Reverse mapping means checking sshd authentication from source to destination and vice versa.

Last edited by vap16oct1984; 08-05-2009 at 12:38 AM.
 
Old 08-05-2009, 12:01 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
All of those are break-in attempts. They are very common. As long as you have the SSH service publicly exposed, you're going to see these, especially if you're using the default port. Switching the port to something other than port 22 will get rid of maybe 90% of the logging of such scans (but be aware that this isn't a good way to apply security in general).

There's a sticky thread on SSH brute force attempts. It is very informative. It is highly suggested reading. It will answer any questions you may have.

Last edited by unixfool; 08-05-2009 at 12:04 AM.
 
Old 08-05-2009, 12:35 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,348

Rep: Reputation: 2749
http://en.wikipedia.org/wiki/Reverse_DNS_lookup

Basically, disallow root login via ssh. This will prevent automated break-in attempts to root.
Use another acct if you need remote access, then

su -

or

sudo su -

to get to root.
If you don't need remote access, shut down sshd.
You can, as mentioned, move sshd to another random port if you want.
Note that an nmap scan will still show which port sshd is listening on....
 
Old 08-05-2009, 12:58 AM   #5
johnynixon
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Blog Entries: 1

Rep: Reputation: 0
Dear Guys

Thank you very much for your valuable comments.
Yes, as you said, I have already disabled root login and all other users' login to bash, and have only one user through which I have made access to the server. My doubt is: is there any security module for Intrusion Prevention and Intrusion Detection available? My worry is that these numerous login attempts will degrade my server performance.

Is it true that the performance of the system will decrease due to the login attempts? Or is this normal when we have the system exposed to the internet?


Please advise.

Regards
Johny
 
Old 08-05-2009, 01:10 AM   #6
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
You can use iptables to block the IP after x attempts.
Code:
IPT=/sbin/iptables   # path assumed; adjust for your distribution
$IPT -N SSH_CHECK    # create the user chain the INPUT rule jumps to
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
$IPT -A SSH_CHECK -m recent --set --name SSH
$IPT -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
or use fail2ban
http://www.fail2ban.org/wiki/index.php/Main_Page
It should be in your repos.
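As an added example (not code from the thread or any of its posters), the Python below classifies the sshd lines quoted in post #1, telling the two reverse-mapping warnings apart from plain failed passwords, and replays them against the 4-hits-in-60-seconds rule from post #6. It assumes syslog lines carry no year (2009 is assumed) and adds an invented burst from the documentation address 203.0.113.7 so the rule actually fires.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines copied from the log in post #1 plus an invented burst from
# the documentation address 203.0.113.7, added so the rate limit is seen to trigger.
SAMPLE_LOG = """\
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for static.customer-201-116-214-67.uninet-ide.com.mx [201.116.214.67] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 201.116.214.67 port 59923 ssh2
Aug 4 14:16:04 localhost sshd[4790]: Address 58.61.149.213 maps to mail.d3zone.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 58.61.149.213 port 58958 ssh2
Aug 4 18:00:01 localhost sshd[6001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug 4 18:00:12 localhost sshd[6002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Aug 4 18:00:25 localhost sshd[6003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug 4 18:00:40 localhost sshd[6004]: Failed password for root from 203.0.113.7 port 40004 ssh2
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
# Classifiers: (kind, regex whose group(1) is the source IP). Both rdns_mismatch forms
# are the "reverse mapping" warning: the peer's PTR name does not resolve back to the
# same IP, so sshd cannot trust the name. It says nothing about whether login succeeded.
KINDS = [
    ("rdns_mismatch", re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed")),
    ("rdns_mismatch", re.compile(r"Address ([\d.]+) maps to \S+, but this does not map back")),
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?\S+ from ([\d.]+) port")),
]

def parse(log, year=2009):
    """Yield (timestamp, source_ip, kind) for each line a classifier matches."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, pat in KINDS:
            hit = pat.search(m.group(2))
            if hit:
                yield ts, hit.group(1), kind
                break

def would_drop(log, seconds=60, hitcount=4):
    """Simulate post #6's '-m recent --seconds 60 --hitcount 4' rule: a source is dropped
    once `hitcount` of its failed-password lines fall inside one `seconds` window
    (each such line stands in for one NEW connection, which is an approximation)."""
    seen = defaultdict(list)
    for ts, ip, kind in parse(log):
        if kind == "failed_password":
            seen[ip].append(ts)
    return {ip for ip, times in seen.items()
            if any(sum(0 <= (t - u).total_seconds() <= seconds for u in times) >= hitcount
                   for t in times)}
```

On the lines quoted in post #1 each source makes only one or two attempts minutes apart, so the 60-second rule never fires on them; a longer window, such as fail2ban's findtime setting allows, is what catches such slow scans.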
 
Old 08-06-2009, 01:31 AM   #7
settntrenz
Member
 
Registered: Aug 2009
Location: Orlando, Florida
Distribution: RHEL, Ubuntu
Posts: 49

Rep: Reputation: 19
If at all possible you should look into only allowing ssh from trusted networks. This can be accomplished by using iptables and/or tcpwrappers. If people have to log in from dynamic or untrusted networks, it is also possible to create a web page they are required to surf to first, which would temporarily allow SSH from the source IP (using a perl script with suid for example).
 
Old 08-06-2009, 02:11 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
FWIW we have had a sticky thread listing options for ages here: http://www.linuxquestions.org/questi...tempts-340366/
 
Old 08-07-2009, 05:58 AM   #9
johnynixon
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Blog Entries: 1

Rep: Reputation: 0
Dear All,

Thank you for your valuable information,
I hope this would be helpful for many like me

regards
 