LinuxQuestions.org


xviddivxoggmp3 10-19-2007 09:23 AM

webserver security
 
I just looked through some weblogs today and saw the following.
Quote:

userhelper[12611]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
userhelper[12612]: running '/usr/sbin/up2date --uuid fb032ff6-b2eb-11db-84fd-a546add58b71 --register' with root privileges on behalf of 'root'

This doesn't look good.
Did someone log on and acquire root privileges?

And what is this?
Quote:

Failed to bind:
0.0.0.0 port 22 (Address already in use) : 2 Time(s)

Did someone hack me, or am I just paranoid?
Please, security guru, help me.

acid_kewpie 10-19-2007 10:04 AM

That's not a log from a web server, it's just someone locally updating the system with up2date... you? I assume that could originate from a little system tray icon telling you you had system updates to apply, and so you told it to apply them?

The other one is someone trying to start ssh when it's already running, no reason to think there's anything malicious about that... dumb maybe but not malicious. :)

xviddivxoggmp3 10-19-2007 06:33 PM

This looks like someone is trying to break in.

Quote:

Failed password for invalid user staff from ::ffff:200.11.75.91 port 55450 ssh2
Invalid user sales from ::ffff:200.11.75.91
Failed password for invalid user sales from ::ffff:200.11.75.91 port 55596 ssh2
Invalid user recruit from ::ffff:200.11.75.91
Failed password for invalid user recruit from ::ffff:200.11.75.91 port 55745 ssh2
Invalid user alias from ::ffff:200.11.75.91
Failed password for invalid user alias from ::ffff:200.11.75.91 port 55889 ssh2
Invalid user office from ::ffff:200.11.75.91
Failed password for invalid user office from ::ffff:200.11.75.91 port 56035 ssh2
Invalid user samba from ::ffff:200.11.75.91
Failed password for invalid user samba from ::ffff:200.11.75.91 port 56175 ssh2
Invalid user tomcat from ::ffff:200.11.75.91
Failed password for invalid user tomcat from ::ffff:200.11.75.91 port 56317 ssh2
Invalid user webadmin from ::ffff:200.11.75.91
Failed password for invalid user webadmin from ::ffff:200.11.75.91 port 56459 ssh2
Invalid user spam from ::ffff:200.11.75.91

Quote:

Authentication Failures:
unknown (prometeo.quilaco.cl): 43 Time(s)
unknown (ebci.ucr.ac.cr): 26 Time(s)
root (prometeo.quilaco.cl): 8 Time(s)

Invalid Users:
Unknown Account: 70 Time(s)

How do I stop this???

win32sux 10-19-2007 07:15 PM

You could start by reading the "Failed SSH login attempts" sticky at the top of the forum.

Then install something like Fail2Ban.
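
Added example (not part of the thread, and not Fail2Ban's own code): a small detector for the "Failed password" lines quoted above, which counts failures per source inside a time window and collapses the `::ffff:` IPv4-mapped form to a plain IPv4 address. The `maxretry` and `findtime` parameter names are borrowed from Fail2Ban's options; the syslog timestamp prefix, the host name `web1`, the assumed `year` parameter and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-prefixed form of the "Failed password" lines quoted in the thread.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+ ssh2$")

def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # sshd logged a hostname; keep it as-is
        return addr
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped if mapped is not None else ip)

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10), year=2007):
    """Map sources with >= maxretry failures in one findtime window to the usernames tried."""
    recent = defaultdict(deque)  # source -> failure times still in the window
    users = defaultdict(set)     # source -> every username attempted
    flagged = set()
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is an assumed parameter.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = normalize(m["addr"])
        users[src].add(m["user"])
        window = recent[src]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(src)
    return {src: sorted(users[src]) for src in flagged}

# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    f"Oct 19 18:00:{i:02d} web1 sshd[4242]: Failed password for invalid user "
    f"{user} from ::ffff:192.0.2.10 port {55450 + i} ssh2"
    for i, user in enumerate(["staff", "sales", "recruit", "alias", "office"])
] + [
    "Oct 19 18:05:00 web1 sshd[4250]: Failed password for root from 198.51.100.7 port 40000 ssh2",
]
```

Calling `find_offenders(SAMPLE)` flags only the source that made five attempts within the window; the single failed root login from the second address stays below the threshold.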


All times are GMT -5.