LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 06-17-2008, 12:00 PM   #1
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Rep: Reputation: 15
/var/log/auth.log


hi, I'm getting my hands wet on the ins and outs of linux server. I just read the /var/log/auth.log and I got a few lines of these messages:

Jun 17 01:49:43 #my_servername dropbear[2659]: Child connection from ::ffff:#IP_ADDRESS:48168
Jun 17 01:49:47 #my_servername dropbear[2659]: exit before auth: Failed to get remote version

Please help me interpret this- are folks trying to connect to my server?

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:37 PM.
 
Old 06-17-2008, 12:03 PM   #2
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
I got line after line of this also...

Jun 16 10:06:07 #myservername dropbear[2557]: login attempt for nonexistent user from ::ffff:#ip_address:41268
Jun 16 10:06:07 #myservername dropbear[2557]: exit before auth: Disconnect received

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:37 PM.
 
Old 06-17-2008, 01:11 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Just curious - why are you using dropbear instead of the regular openssh server? What distro / version of GNU/Linux is this?
 
Old 06-17-2008, 03:47 PM   #4
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
This is very embarrassing, but I don't know the command to check for my linux version

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:37 PM.
 
Old 06-17-2008, 04:13 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Probably:
# cat /etc/issue

and:
# uname -a

Did you inherit a server / device?
 
Old 06-17-2008, 04:30 PM   #6
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
Debian GNU/Linux 4.0 \n \l
Linux name 2.6.18-6-686 #1 SMP Sun Feb 10 22:11:31 UTC 2008 i686 GNU/Linux

I rented a pentium4 server from esecuredata.com. They installed everything for me. Any ideas?

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:37 PM.
 
Old 06-17-2008, 05:22 PM   #7
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Quote:
are folks trying to connect to my server?
Yes!

The rest is just a guess - based on what I have seen on my router (running OpenWRT) - it has the dropbear installed as the ssh-server.

I have seen this
Quote:
exit before auth: Disconnect received
when I wanted to use sftp for file-transfer to that device.
For sftp the router needs an sftp-server package installed - if it is not installed, ssh will work while sftp will not - and the attempt will fail with a message like the above.

Someone is trying to connect to you with varying usernames.
If it is just a scan or an honest attempt to get in - I don't know.
Since ssh is open - there is not much you can do about it.
Use a secure password...and maybe some iptables-rules to limit the number of allowed attempts to connect to a small value per minute/hour - to make a scan more time consuming and prevent DOS.

Last edited by jomen; 06-17-2008 at 05:24 PM.
 
Old 06-17-2008, 05:30 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by twlilinux
They installed everything for me. Any ideas?
You can upgrade (?) to a managed support contract, or get to reading. I'd recommend starting with books on Linux for beginners. Depending on what your budget is like, I can also suggest some good professional training classes.

The short answer is you're going to need to lock down sshd further.
 
Old 06-17-2008, 07:00 PM   #9
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
I'm just curious, do you prefer openssh to dropbear? if so why?

My log file is now filled up with login attempts from this ip address. Sigh... one login attempt every minute. Well, who ever is trying to get in, I hope they leave me a note on how to fix any vulnerabilities in my server

In the mean time, I think I'm better off reading articles on the host.deny file. Any advice would be greatly appreciated

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:37 PM.
 
Old 06-17-2008, 07:25 PM   #10
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
Ok. here comes another newbie question. I have configured the hosts.allow to be the first 2 numbers of my ip

ALL: ##.###.

The hosts.deny is

ALL: ALL

for this to take effect, I know I need to restart some services. inetd, right? so I typed /etc/init.d/inetd restart

... nothing happened. Anyone know how to make the hosts.allow/hosts.deny file take effect?

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:38 PM.
 
Old 06-17-2008, 07:35 PM   #11
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
reason:
OpenWRT... the device is a wireless home-router Siemens SE505 with 4 MB Flash and 16 MB RAM
dropbear is small enough to fit in there along with a whole lot other programs making this device an acces-point and internet-gateway in a mesh-network consisting of around 500 such nodes - making it the probably largest mesh-network in Germany...
http://leipzig.freifunk.net/ - the wiki might be the most interesting - but as most everything else is in german...
so: I actually don't prefer it - it is just the appropriate thing fot that kind of device - functionality is equal.

iptables -I INPUT -s xxx.xxx.xxx.xxx/xx -j DROP should do but will keep you busy when they come from elsewhere - as well as it might lock out legitimate users.

host.allow/deny are good if you know from where users (or just you) will connect.
[edit]
AFAIK they need to be complete IP-adresses - maybe using a netmask is possible
restarting dropbear and (x)inetd should do
 
Old 06-17-2008, 07:44 PM   #12
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
ty for the fast reply. you have no idea how frantic I am right now. I absolutely had no idea that my server would be under attack- I don't even have a name server yet! what's more the hosts.deny is not taking effect. my var/log/auth.log is still going like crazy. I just hope I can solve this problem before they fill up my hard drive with login attempts! help!

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:38 PM.
 
Old 06-18-2008, 04:06 AM   #13
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
I would not be too worried - but I would implement some things as mentioned in the links attached.

The first one has it all - the other two are basically explaining the same.

-have secure passwords
-deny root logins
-time-lock the sshd
-maybe blacklist offenders

http://www.linux.com/articles/61061
http://www.fduran.com/blog/defending...force-attacks/
http://ubuntuforums.org/showthread.php?t=796774
 
Old 06-19-2008, 08:21 AM   #14
twlilinux
Member
 
Registered: Jan 2006
Distribution: debian
Posts: 63

Original Poster
Rep: Reputation: 15
Just want to drop a thank you note for problem solved

-------
My favorite websites:
Buy and sell class notes, old exams, papers, lab reports, admission essays.
Ask and answer Linux questions.
Read free books without walking to the library.

Last edited by twlilinux; 08-15-2008 at 04:38 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
FX5600 Geforce - FC9 - black screen, no (EE) errors in /var/log/Xorg.0.log?? boyd98 Linux - Hardware 1 06-17-2008 09:56 PM
Can Samhain log my entries in /var/log/secure and /var/log/mesage to a central server abefroman Linux - Software 2 04-13-2008 05:13 PM
suspicious entry in /var/log/auth.log buehler Linux - Security 5 04-27-2005 06:11 PM
/var/log/auth.log entries buehler Linux - Security 1 04-23-2005 05:45 PM
weird stuff in /var/log/auth.log bschiett Linux - Security 3 03-12-2005 09:29 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 09:41 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration