Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I need your help in resolving this issue; it is giving me a lot of headache. I need to get rid of these failed attempts, and can anybody explain
to me what reverse mapping (which is highlighted) is in the following output, which I took from the log:
Aug 4 03:56:40 localhost sshd[3223]: Failed password for root from 112.216.245.235 port 34158 ssh2
Aug 4 03:56:40 localhost sshd[3224]: Connection closed by 112.216.245.235
Aug 4 07:44:04 localhost sshd[4120]: Did not receive identification string from 201.116.214.67
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for static.customer-201-116-214-67.uninet-ide.com.mx [201.116.214.67] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:46:59 localhost unix_chkpwd[4129]: password check failed for user (root)
Aug 4 07:46:59 localhost sshd[4125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.116.214.67 user=root
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 201.116.214.67 port 59923 ssh2
Aug 4 07:47:01 localhost sshd[4126]: Connection closed by 201.116.214.67
Aug 4 13:00:07 localhost sshd[4655]: Did not receive identification string from 124.126.253.252
Aug 4 13:03:01 localhost sshd[4663]: reverse mapping checking getaddrinfo for 252.253.126.124.broad.bjtelecom.net [124.126.253.252] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 13:03:01 localhost unix_chkpwd[4667]: password check failed for user (root)
Aug 4 13:03:01 localhost sshd[4663]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.126.253.252 user=root
Aug 4 13:03:03 localhost sshd[4663]: Failed password for root from 124.126.253.252 port 54966 ssh2
Aug 4 13:03:03 localhost sshd[4664]: Connection closed by 124.126.253.252
Aug 4 14:11:58 localhost sshd[4783]: Did not receive identification string from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: Address 58.61.149.213 maps to mail.d3zone.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 14:16:04 localhost sshd[4790]: Invalid user staff from 58.61.149.213
Aug 4 14:16:04 localhost sshd[4791]: input_userauth_request: invalid user staff
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 14:16:04 localhost sshd[4790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.61.149.213
Aug 4 14:16:04 localhost sshd[4790]: pam_succeed_if(sshd:auth): error retrieving information about user staff
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 58.61.149.213 port 58958 ssh2
Aug 4 14:16:05 localhost sshd[4791]: Connection closed by 58.61.149.213
Aug 4 16:20:13 localhost sshd[5000]: Did not receive identification string from 202.63.117.115
Aug 4 16:23:59 localhost unix_chkpwd[5009]: password check failed for user (root)
Aug 4 16:23:59 localhost sshd[5007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.63.117.115 user=root
Aug 4 16:24:01 localhost sshd[5007]: Failed password for root from 202.63.117.115 port 47528 ssh2
Aug 4 16:24:01 localhost sshd[5008]: Connection closed by 202.63.117.115
Aug 4 17:51:30 localhost sshd[5157]: Did not receive identification string from 124.124.197.18
Aug 4 17:55:30 localhost unix_chkpwd[5168]: password check failed for user (root)
Aug 4 17:55:30 localhost sshd[5164]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18 user=root
Aug 4 17:55:32 localhost sshd[5164]: Failed password for root from 124.124.197.18 port 33687 ssh2
Aug 4 17:55:32 localhost sshd[5165]: Received disconnect from 124.124.197.18: 11: Bye Bye
Aug 4 17:55:39 localhost sshd[5169]: Invalid user admin from 124.124.197.18
Aug 4 17:55:39 localhost sshd[5170]: input_userauth_request: invalid user admin
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): check pass; user unknown
Aug 4 17:55:39 localhost sshd[5169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.124.197.18
Aug 4 17:55:39 localhost sshd[5169]: pam_succeed_if(sshd:auth): error retrieving information about user admin
It is simply a problem with your authentication from one system to another by using ssh. Check the user name and password that you are giving. Reverse mapping means checking of sshd authentication source to destination and vice versa.
Last edited by vap16oct1984; 08-05-2009 at 12:38 AM.
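What the "reverse mapping checking" lines in the quoted log actually test is forward-confirmed reverse DNS: sshd resolves the client address to a name, resolves that name forward again, and warns when the original address is not among the answers. The code below is an added example (not any poster's code and not OpenSSH's); the DNS answers are constructed tables so it runs offline, and `ptr_lookup`/`addr_lookup` are hypothetical hooks where a live resolver would go.

```python
"""sshd's "reverse mapping checking", modelled as forward-confirmed reverse DNS.

Added example, not code from the thread or from OpenSSH. sshd runs these two
lookups on each connection when UseDNS is enabled (the default until OpenSSH
6.8 switched it to "no"). The DNS answers here are constructed tables.
"""
from typing import Dict, List, Optional, Tuple

# Constructed answers. The first two mirror the two warnings quoted in the log.
PTR_TABLE: Dict[str, Optional[str]] = {
    "192.0.2.10": "static.customer.example",  # PTR exists, name has no A record
    "192.0.2.20": "mail.example.net",         # PTR exists, A points elsewhere
    "192.0.2.30": "host.example.org",         # consistent in both directions
    "192.0.2.40": None,                       # no PTR record at all
}
A_TABLE: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.7"],
    "host.example.org": ["192.0.2.30", "192.0.2.31"],
}

def table_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)          # stands in for socket.gethostbyaddr

def table_addrs(name: str) -> Optional[List[str]]:
    return A_TABLE.get(name)          # stands in for socket.getaddrinfo

def check_reverse_mapping(ip: str, ptr_lookup=table_ptr,
                          addr_lookup=table_addrs) -> Tuple[str, str]:
    """Return (status, message) using the wording sshd logs.

    A failed check says nothing about the password attempt that follows; it
    only means the client's hostname cannot be trusted, so sshd falls back to
    the bare address for any name-based access rules.
    """
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", f"no reverse record for {ip}; sshd uses the bare address"
    addrs = addr_lookup(name)
    if addrs is None:
        return "lookup-failed", (f"reverse mapping checking getaddrinfo for {name} "
                                 f"[{ip}] failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        return "mismatch", (f"Address {ip} maps to {name}, but this does not map "
                            f"back to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return "ok", f"{ip} <-> {name} forward-confirmed"
```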
All of those are break-in attempts. They are very common. As long as you have the SSH service publicly exposed, you're going to see these, especially if you're using the default port. Switching the port to something other than port 22 will get rid of maybe 90% of the logging of such scans (but be aware that this isn't a good way to apply security in general).
There's a sticky thread on SSH brute force attempts. It is very informative. It is highly suggested reading. It will answer any questions you may have.
Basically, disallow root login via ssh. This will prevent automated break-in attempts to root.
Use another acct if you need remote access, then
su -
or
sudo su -
to get to root.
If you don't need remote access, shutdown sshd.
You can, as mentioned, move sshd to another random port if you want.
Note that an nmap scan will still show which port sshd is listening on....
Thank you very much for your valuable comments.
Yes, as you said, I have already disabled root login and all other users' login to bash, and have only one user through which I have made access to the server. My doubt is: is there any security module for Intrusion Prevention and Intrusion Detection available? My worry is that these numerous login attempts will make my server performance degrade.
Is it true that the performance of the system will decrease due to the login attempts? Or is it normal when we have the system exposed to the internet?
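The triage a log-watching blocker does over lines like the ones quoted above, as an added example that is not from any poster: it tallies failed passwords and reverse-DNS warnings per source address and flags a source whose failures arrive in a burst. The sample lines are constructed in the same syslog format as the quoted log, using RFC 5737 test addresses; `threshold` and `window` are assumed tunables.

```python
# Added example: per-source tally of sshd failures, with a burst flag that
# mirrors the trigger a log-watching blocker uses. Sample lines constructed.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Aug 4 07:46:59 localhost sshd[4125]: reverse mapping checking getaddrinfo for host.invalid [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 07:47:01 localhost sshd[4125]: Failed password for root from 192.0.2.10 port 59923 ssh2
Aug 4 14:16:04 localhost sshd[4790]: Address 192.0.2.20 maps to mail.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Aug 4 14:16:05 localhost sshd[4790]: Failed password for invalid user staff from 192.0.2.20 port 58958 ssh2
Aug 4 17:55:32 localhost sshd[5164]: Failed password for root from 192.0.2.30 port 33687 ssh2
Aug 4 17:55:39 localhost sshd[5169]: Failed password for invalid user admin from 192.0.2.30 port 33690 ssh2
Aug 4 17:55:45 localhost sshd[5172]: Failed password for invalid user test from 192.0.2.30 port 33694 ssh2
Aug 4 19:10:00 localhost sshd[5300]: Failed password for alice from 192.0.2.30 port 40000 ssh2
"""

# syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port")
RDNS_RE = re.compile(r"getaddrinfo for \S+ \[(?P<ip>[\d.]+)\] failed|^Address (?P<ip2>[\d.]+) maps to")

def summarize(log_text: str, threshold: int = 3, window: int = 60) -> dict:
    """Return {ip: {"failures", "users", "rdns_warnings", "burst"}}.

    "burst" is True when `threshold` failures from one source fall inside
    `window` seconds; a single failure with a reverse-DNS warning is not one.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "rdns_warnings": 0, "burst": False, "_t": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an sshd line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less stamp
        msg = m.group("msg")
        f = FAIL_RE.match(msg)
        if f:
            s = stats[f.group("ip")]
            s["failures"] += 1
            s["users"].add(f.group("user"))
            s["_t"].append(ts)
            continue
        r = RDNS_RE.search(msg)
        if r:
            stats[r.group("ip") or r.group("ip2")]["rdns_warnings"] += 1
    for s in stats.values():
        t = s.pop("_t")                   # sliding window over failure times
        s["burst"] = any((t[i + threshold - 1] - t[i]).total_seconds() <= window
                         for i in range(len(t) - threshold + 1))
    return dict(stats)
```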
If at all possible you should look into only allowing ssh from trusted networks. This can be accomplished by using iptables and/or tcpwrappers. If people have to log in from dynamic or untrusted networks, it is also possible to create a web page they are required to surf to first, which would temporarily allow SSH from the source IP (using a perl script with suid for example).