LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-23-2019, 11:21 AM   #16
tshikose
Member
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 462


Hi,

Can you try to set to off the SSHD UseDNS directive?
As it seems to come from SSH, I do not see another directive related to DNS.
Old 05-23-2019, 02:38 PM   #17
scasey
Senior Member
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,056

Quote:
Originally Posted by newbie14 View Post
Hi,
I am not sure exactly what you are asking me. But I guess this is the heading you are looking for? It's from sshd
Code:
--------------------- SSHD Begin ------------------------


Couldn't resolve these IPs:
179-92-111-129.user.vivozap.com.br [179.92.111.129]: 36 Time(s)
29.32.81.117.broad.sz.js.dynamic.163data.com.cn [117.81.32.29]: 1 Time(s)
broadband-37.204-127-164.ip.moscow.rt.ru [37.204.127.164]: 2 Time(s)
dedi08.customers.kvsolutions.nl [185.244.25.105]: 2 Time(s)
host-156.209.21.18-static.tedata.net [156.209.18.21]: 1 Time(s)
promote.cache-dns.local [223.111.139.203]: 4 Time(s)
promote.cache-dns.local [223.111.139.239]: 4 Time(s)
static.vnpt.vn(113.173.108.226): 1 Time(s)
That's an interesting output, given that those IPs are resolved therein...very strange.

newbie14, your recent posts about these things all show that these attempts are being blocked. You appear to have nothing to worry about at present.

For example, we block (refuse to accept connections) for around 70% of the email delivery attempts we get. Each one of those blocks results in at least 5 log file entries in at least two log files. All that activity just shows that what we're doing is working as we want it to.

Old 05-24-2019, 10:55 PM   #18
newbie14
Member
Registered: Sep 2011
Posts: 595

Original Poster
Quote:
Originally Posted by tshikose View Post
Hi,

Can you try to set to off the SSHD UseDNS directive?
As it seems to come from SSH, I do not see another directive related to DNS.
Hi Tshikose,
I didn't find anything related to DNS in my sshd config file, and after googling I just added UseDNS no. I hope this is correct.
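An added example, not code from this thread or from OpenSSH: the catch with "just adding UseDNS no" is that sshd takes the first value it reads for a keyword (sshd_config(5): "the first obtained value will be used") and silently ignores later duplicates, so a line appended at the bottom of a file that already sets UseDNS higher up changes nothing. The resolver below applies that rule to a constructed sshd_config and flags the settings this thread touches; the sample file, its values and the findings text are this example's own assumptions, not the poster's configuration. On the "Couldn't resolve these IPs" puzzle from post #17: sshd logs a reverse-mapping failure when the PTR lookup returns a name but a forward lookup of that name does not map back to the client's address, so a name can appear next to the IP in the report and still count as unresolved. That check only runs with UseDNS yes, which is why turning it off makes the section disappear.

```python
"""Show which value sshd will actually use for a keyword.

sshd_config(5): for each keyword the FIRST obtained value is used, so
appending "UseDNS no" below an earlier "UseDNS yes" changes nothing.
This resolver mimics that rule for the global section and stops at the
first Match block, whose keywords are conditional.  On a live host the
authoritative check is `sshd -t` (syntax) followed by `sshd -T | grep -i usedns`.
"""
import re
from typing import Dict, List

# Constructed sample, not the poster's sshd_config.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
UseDNS yes
MaxAuthTries 6
PermitRootLogin yes
PasswordAuthentication yes
# appended at the bottom as in post #18: ignored, UseDNS was already set above
UseDNS no
"""

# keyword, then either "=" or whitespace, then the argument
KEYWORD_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")


def effective_config(text: str) -> Dict[str, str]:
    """Return {lowercased keyword: first value} for the global section."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only treats whole lines as comments
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "match":
            break                               # conditional section; global parsing ends
        seen.setdefault(key, val)               # first value wins, later duplicates ignored
    return seen


def findings(cfg: Dict[str, str]) -> List[str]:
    """Hardening points for the keywords discussed in the thread (this example's opinions)."""
    out: List[str] = []
    usedns = cfg.get("usedns")
    if usedns is None:
        out.append("UseDNS not set: the compiled-in default applies, confirm with sshd -T")
    elif usedns.lower() != "no":
        out.append("UseDNS %s: sshd reverse-resolves every client and logs reverse-mapping "
                   "failures, which is what feeds logwatch's 'Couldn't resolve these IPs'" % usedns)
    if cfg.get("permitrootlogin", "").lower() == "yes":
        out.append("PermitRootLogin yes: root password guessing is possible; "
                   "'no' or 'prohibit-password' removes the target")
    tries = int(cfg.get("maxauthtries", "6"))   # 6 is the OpenSSH default
    if tries > 3:
        out.append("MaxAuthTries %d: each connection gets %d guesses before "
                   "'maximum authentication attempts exceeded'" % (tries, tries))
    return out


if __name__ == "__main__":
    cfg = effective_config(SAMPLE_CONFIG)
    print("effective UseDNS:", cfg.get("usedns"))   # "yes", despite the appended "UseDNS no"
    for f in findings(cfg):
        print("-", f)
```

After editing the real file, `sshd -t` catches syntax errors before a reload, and `sshd -T` prints every effective value, including the ones you did not set, which is the only reliable way to confirm that the new line took.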
 
Old 05-24-2019, 10:56 PM   #19
newbie14
Member
Registered: Sep 2011
Posts: 595

Original Poster
Quote:
Originally Posted by scasey View Post
That's an interesting output, given that those IPs are resolved therein...very strange.

newbie14, your recent posts about these things all show that these attempts are being blocked. You appear to have nothing to worry about at present.

For example, we block (refuse to accept connections) for around 70% of the email delivery attempts we get. Each one of those blocks results in at least 5 log file entries in at least two log files. All that activity just shows that what we're doing is working as we want it to.
Hi Scasey,
You say it is resolved therein, but the logs state not resolved? So what else can I do to further block other types of attempts? Actually, what are these attempts: to hack, or to use my server as a DNS server to do further hacking?
Old 05-25-2019, 12:18 AM   #20
scasey
Senior Member
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,056

As has been said...fail2ban...
Old 05-25-2019, 11:16 AM   #21
newbie14
Member
Registered: Sep 2011
Posts: 595

Original Poster
Hi Scasey,
Besides setting up the firewall and fail2ban, is there anything else? Below is what I saw today. Yes, fail2ban has been doing a good job; it keeps banning, which is why I think I see just 1 Time for most, but something puzzles me here. Why this root 222.186.51.173: 546 Times(s) from this one IP?

Quote:
Maximum authentication attemps exceeded:
admin:
111.61.110.136: 1 Times(s)
root:
222.186.51.173: 546 Times(s)
111.61.110.136: 2 Times(s)
120.41.239.156: 1 Times(s)
84.166.176.74: 1 Times(s)
223.100.123.8: 1 Times(s)
Quote:
Couldn't resolve these IPs:
. [198.98.60.66]: 5 Time(s)
133668.cloudwaysapps.com [128.199.221.18]: 1 Time(s)
156.239.41.120.broad.xm.fj.dynamic.163data.com.cn [120.41.239.156]: 1 Time(s)
163-172-106-111.rev.poneytelecom.eu [163.172.106.111]: 2 Time(s)
176751.cloudwaysapps.com [206.189.86.17]: 1 Time(s)
177-069-104-142.static.ctbctelecom.com.br [177.69.104.142]: 1 Time(s)
2-232-63-74.static.reverse.lstn.net [74.63.232.2]: 1 Time(s)
41.77.146.98.liquidtelecom.net [41.77.146.98]: 1 Time(s)
84.93.153.9.plusnet.pte-ag1.dyn.plus.net [84.93.153.9]: 1 Time(s)
94-183-251-239.shatel.ir [94.183.251.239]: 1 Time(s)
closed-purtiersales.com(138.197.72.48): 1 Time(s)
promote.cache-dns.local [223.111.139.203]: 5 Time(s)
promote.cache-dns.local [223.111.139.239]: 2 Time(s)
server.fsxapp.xyz [138.68.146.186]: 1 Time(s)
static-182.18.171-148.ctrls.in [182.18.171.148]: 1 Time(s)
static-ip-cr18163255166.cable.net.co [181.63.255.166]: 1 Time(s)

Didn't receive an ident from these IPs:
103.99.2.170 port 56856: 1 Time(s)
103.99.2.170 port 57067: 1 Time(s)
103.99.2.170 port 61084: 1 Time(s)
103.99.2.170 port 62723: 1 Time(s)
106.13.54.212 port 35212: 1 Time(s)
108.178.61.58 port 32874: 1 Time(s)
108.178.61.58 port 50644: 1 Time(s)
140.143.233.10 port 59782: 1 Time(s)
167.99.38.73 port 42713: 1 Time(s)
173.236.184.106 port 43156: 1 Time(s)
174.138.2.157 port 42546: 1 Time(s)
188.166.178.121 port 46123: 1 Time(s)
192.241.253.218 port 30777: 1 Time(s)
46.101.171.175 port 42687: 1 Time(s)
81.22.45.137 port 61000: 1 Time(s)
88.208.39.121 port 57666: 1 Time(s)

Disconnecting after too many authentication failures for user:
<unknown> : 552 Time(s)

Illegal users from:
undef: 61 times
Management [preauth]: 1 time
a [preauth]: 1 time
admin [preauth]: 1 time
administrator [preauth]: 1 time
admins [preauth]: 1 time
applmgr [preauth]: 1 time
avis [preauth]: 1 time
backuppc [preauth]: 1 time
bsnl [preauth]: 1 time
butter [preauth]: 1 time
cpanel [preauth]: 1 time
cyrus [preauth]: 1 time
debian-spamd [preauth]: 1 time
dev [preauth]: 1 time
digitaluser [preauth]: 1 time
ethos [preauth]: 1 time
fake [preauth]: 1 time
ftp_test [preauth]: 1 time
ftpadmin [preauth]: 1 time
ftpuser [preauth]: 1 time
gitolite [preauth]: 1 time
gitosis [preauth]: 1 time
gpadmin [preauth]: 1 time
guest [preauth]: 1 time
hadoop [preauth]: 1 time
halts [preauth]: 1 time
jay [preauth]: 1 time
jboss [preauth]: 1 time
julia [preauth]: 1 time
list [preauth]: 1 time
manager [preauth]: 1 time
metin [preauth]: 1 time
mta [preauth]: 1 time
nagios [preauth]: 1 time
nologin [preauth]: 1 time
nvp [preauth]: 1 time
oracle [preauth]: 1 time
oracle1 [preauth]: 1 time
owner [preauth]: 1 time
postgres [preauth]: 1 time
ppldtepe [preauth]: 1 time
press [preauth]: 1 time
public [preauth]: 1 time
qhsupport [preauth]: 1 time
redisserver [preauth]: 1 time
sales [preauth]: 1 time
solaris [preauth]: 1 time
squid [preauth]: 1 time
support [preauth]: 1 time
sysadmin [preauth]: 1 time
test [preauth]: 1 time
ubnt [preauth]: 1 time
ubuntu [preauth]: 1 time
user [preauth]: 1 time
user1 [preauth]: 1 time
usuario [preauth]: 1 time
vagrant [preauth]: 1 time
webmaster [preauth]: 1 time
www [preauth]: 1 time
z [preauth]: 1 time
zabbix [preauth]: 1 time
13.127.185.242 (ec2-13-127-185-242.ap-south-1.compute.amazonaws.com): 1 time
public: 1 time
34.92.64.53 (53.64.92.34.bc.googleusercontent.com): 1 time
support: 1 time
34.207.18.218 (ec2-34-207-18-218.compute-1.amazonaws.com): 1 time
ubuntu: 1 time
35.185.206.194 (194.206.185.35.bc.googleusercontent.com): 1 time
user1: 1 time
35.200.134.115 (115.134.200.35.bc.googleusercontent.com): 1 time
test: 1 time
35.237.216.116 (116.216.237.35.bc.googleusercontent.com): 1 time
support: 1 time
37.139.13.105: 1 time
ubuntu: 1 time
37.252.185.227 (37-252-185-227.rev.ipax.at): 2 times
support: 1 time
test: 1 time
40.124.4.131: 2 times
cyrus: 1 time
nagios: 1 time
41.77.146.98 (41.77.146.98.liquidtelecom.net): 1 time
oracle: 1 time
45.55.157.147: 1 time
ftpadmin: 1 time
46.101.163.220 (server.herojus.lt): 2 times
support: 2 times
51.75.169.236 (ip-51-75-169.eu): 1 time
ftpuser: 1 time
51.255.174.215 (215.ip-51-255-174.eu): 1 time
user: 1 time
61.72.254.71: 2 times
support: 1 time
ubuntu: 1 time
65.26.240.14 (cpe-65-26-240-14.wi.res.rr.com): 1 time
nagios: 1 time
68.183.161.60: 1 time
zabbix: 1 time
74.63.193.14 (14-193-63-74.static.reverse.lstn.net): 1 time
backuppc: 1 time
74.63.232.2 (2-232-63-74.static.reverse.lstn.net): 1 time
user: 1 time
77.48.196.50: 1 time
webmaster: 1 time
84.93.153.9 (84.93.153.9.plusnet.pte-ag1.dyn.plus.net): 1 time
avis: 1 time
103.99.2.170: 20 times
Management: 4 times
admin: 4 times
guest: 4 times
manager: 4 times
support: 4 times
103.129.220.145: 1 time
admin: 1 time
104.248.87.40: 6 times
admin: 3 times
guest: 1 time
ubnt: 1 time
user: 1 time
106.13.54.212: 5 times
digitaluser: 5 times
106.51.130.196 (broadband.actcorp.in): 1 time
hadoop: 1 time
109.74.60.74 (mail.weishaupt.hu): 1 time
admin: 1 time
111.53.76.186: 5 times
admins: 1 time
butter: 1 time
halts: 1 time
nologin: 1 time
redisserver: 1 time
111.61.110.136: 1 time
admin: 1 time
111.93.205.186 (static-186.205.93.111-tataidc.co.in): 1 time
ftp_test: 1 time
113.190.125.202 (static.vnpt.vn): 1 time
admin: 1 time
114.108.177.34: 1 time
owner: 1 time
116.249.5.70: 2 times
gpadmin: 2 times
118.144.82.74: 1 time
postgres: 1 time
121.8.154.178: 1 time
jboss: 1 time
121.190.197.205: 1 time
usuario: 1 time
128.199.221.18 (133668.cloudwaysapps.com): 1 time
applmgr: 1 time
132.255.29.228 (132-255-29-228.informac.com.br): 1 time
usuario: 1 time
134.209.84.42: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
134.209.175.199: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
134.209.175.214: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
138.68.146.186 (server.fsxapp.xyz): 1 time
zabbix: 1 time
138.197.105.79: 1 time
nagios: 1 time
138.197.204.165: 1 time
test: 1 time
139.59.34.17 (pyrumas.com): 1 time
oracle: 1 time
139.59.56.121: 1 time
oracle1: 1 time
139.59.59.187: 1 time
sysadmin: 1 time
140.143.233.10: 17 times
a: 1 time
bsnl: 1 time
dev: 1 time
gitolite: 1 time
gitosis: 1 time
jay: 1 time
jboss: 1 time
julia: 1 time
metin: 1 time
mta: 1 time
nvp: 1 time
oracle: 1 time
solaris: 1 time
ubuntu: 1 time
user1: 1 time
vagrant: 1 time
z: 1 time
142.93.39.29: 1 time
admin: 1 time
142.93.157.35: 10 times
admin: 4 times
fake: 2 times
ubnt: 2 times
user: 2 times
147.135.158.125 (ip125.ip-147-135-158.eu): 1 time
applmgr: 1 time
151.80.153.174 (p2.ajeel.be): 2 times
butter: 1 time
postgres: 1 time
155.230.14.92: 1 time
test: 1 time
157.230.110.11: 2 times
postgres: 1 time
ubuntu: 1 time
157.230.225.77: 1 time
test: 1 time
159.65.136.194: 1 time
test: 1 time
159.65.144.233: 1 time
user: 1 time
159.65.151.151: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
163.172.16.65 (163-172-16-65.rev.poneytelecom.eu): 1 time
press: 1 time
165.227.46.17: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
165.227.140.123: 1 time
ubuntu: 1 time
167.99.8.158: 1 time
www: 1 time
174.101.80.233 (cpe-174-101-80-233.columbus.res.rr.com): 1 time
hadoop: 1 time
177.69.104.142 (177-069-104-142.static.ctbctelecom.com.br): 1 time
administrator: 1 time
178.62.98.15: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
178.62.127.90: 5 times
admin: 2 times
fake: 1 time
ubnt: 1 time
user: 1 time
178.128.79.169: 1 time
squid: 1 time
178.128.148.98: 1 time
list: 1 time
181.63.255.166 (static-ip-cr18163255166.cable.net.co): 1 time
ethos: 1 time
182.18.161.187 (mail.paikane.com): 1 time
jboss: 1 time
182.18.171.148 (static-182.18.171-148.ctrls.in): 1 time
sales: 1 time
183.196.214.87: 7 times
admin: 6 times
ubnt: 1 time
185.232.67.11: 7 times
admin: 7 times
188.115.44.21 (ip-188-115-44-21.dyn.luxdsl.pt.lu): 1 time
qhsupport: 1 time
193.32.163.81 (hosting-by.cloud-home.me): 2 times
admin: 2 times
193.194.91.133: 1 time
ftp_test: 1 time
194.44.111.130: 1 time
admin: 1 time
196.203.31.154: 1 time
admin: 1 time
198.98.60.66 (.): 3 times
admin: 1 time
user: 1 time
usuario: 1 time
201.248.64.58: 1 time
admin: 1 time
206.189.86.17 (176751.cloudwaysapps.com): 1 time
oracle: 1 time
206.189.88.75: 1 time
cpanel: 1 time
206.189.137.113: 1 time
admin: 1 time
209.97.187.108: 1 time
debian-spamd: 1 time
210.183.236.30: 1 time
hadoop: 1 time
221.160.100.14: 1 time
support: 1 time
222.128.11.26: 1 time
admin: 1 time
222.214.237.144: 1 time
ppldtepe: 1 time

Received disconnect:
11: [preauth]
180.101.45.31 : 3 Time(s)
222.186.57.230 : 2 Time(s)
222.187.221.173 : 2 Time(s)
222.187.221.202 : 7 Time(s)
222.187.221.222 : 6 Time(s)
222.187.221.72 : 8 Time(s)
222.187.221.84 : 7 Time(s)
222.187.225.10 : 5 Time(s)
222.187.225.9 : 9 Time(s)
222.187.232.212 : 8 Time(s)
222.187.238.32 : 4 Time(s)
222.187.254.14 : 4 Time(s)
223.111.139.203 : 7 Time(s)
223.111.139.239 : 5 Time(s)
58.241.250.152 : 6 Time(s)
58.242.83.37 : 1 Time(s)
58.242.83.38 : 1 Time(s)
61.147.247.146 : 10 Time(s)
61.147.247.18 : 3 Time(s)
61.184.247.11 : 2 Time(s)
11: Bye Bye [preauth]
104.248.87.40 : 7 Time(s)
106.13.54.212 : 14 Time(s)
111.53.76.186 : 7 Time(s)
134.209.175.199 : 6 Time(s)
134.209.175.214 : 6 Time(s)
134.209.84.42 : 6 Time(s)
140.143.233.10 : 17 Time(s)
142.93.157.35 : 12 Time(s)
159.65.151.151 : 6 Time(s)
165.227.46.17 : 6 Time(s)
178.62.127.90 : 6 Time(s)
178.62.98.15 : 6 Time(s)
183.196.214.87 : 35 Time(s)
198.98.60.66 : 5 Time(s)
11: Normal Shutdown, Thank you for playing [preauth]
103.129.220.145 : 1 Time(s)
106.51.130.196 : 1 Time(s)
111.93.205.186 : 2 Time(s)
121.190.197.205 : 1 Time(s)
121.8.154.178 : 1 Time(s)
128.199.221.18 : 2 Time(s)
13.127.185.242 : 1 Time(s)
132.148.129.180 : 1 Time(s)
132.255.29.228 : 1 Time(s)
138.197.105.79 : 2 Time(s)
138.197.204.165 : 1 Time(s)
138.197.72.48 : 1 Time(s)
138.68.146.186 : 1 Time(s)
138.68.41.255 : 1 Time(s)
139.59.34.17 : 1 Time(s)
139.59.56.121 : 1 Time(s)
139.59.59.187 : 1 Time(s)
142.4.203.130 : 1 Time(s)
142.93.39.29 : 1 Time(s)
147.135.158.125 : 1 Time(s)
151.80.153.174 : 2 Time(s)
155.230.14.92 : 1 Time(s)
157.230.110.11 : 4 Time(s)
157.230.225.77 : 1 Time(s)
159.65.136.194 : 1 Time(s)
159.65.144.233 : 1 Time(s)
159.65.7.56 : 1 Time(s)
165.227.140.123 : 1 Time(s)
165.227.49.242 : 1 Time(s)
167.99.8.158 : 1 Time(s)
174.101.80.233 : 2 Time(s)
177.69.104.142 : 1 Time(s)
178.128.148.98 : 1 Time(s)
178.128.61.16 : 2 Time(s)
178.128.79.169 : 2 Time(s)
181.63.255.166 : 1 Time(s)
182.18.161.187 : 1 Time(s)
182.18.171.148 : 2 Time(s)
185.77.243.86 : 1 Time(s)
188.115.44.21 : 2 Time(s)
192.99.56.103 : 2 Time(s)
193.194.91.133 : 1 Time(s)
196.203.31.154 : 1 Time(s)
206.189.137.113 : 1 Time(s)
206.189.86.17 : 1 Time(s)
206.189.88.75 : 1 Time(s)
209.97.187.108 : 1 Time(s)
210.183.236.30 : 1 Time(s)
221.160.100.14 : 2 Time(s)
222.128.11.26 : 2 Time(s)
34.207.18.218 : 1 Time(s)
34.92.64.53 : 1 Time(s)
35.185.206.194 : 1 Time(s)
35.200.134.115 : 1 Time(s)
35.237.216.116 : 1 Time(s)
37.139.13.105 : 1 Time(s)
37.252.185.227 : 2 Time(s)
40.124.4.131 : 2 Time(s)
41.77.146.98 : 1 Time(s)
45.55.157.147 : 1 Time(s)
46.101.163.220 : 2 Time(s)
46.101.88.10 : 1 Time(s)
49.247.203.205 : 1 Time(s)
51.255.174.215 : 1 Time(s)
51.75.169.236 : 1 Time(s)
61.72.254.71 : 2 Time(s)
65.26.240.14 : 1 Time(s)
68.183.161.60 : 1 Time(s)
74.63.193.14 : 2 Time(s)
74.63.232.2 : 1 Time(s)
77.48.196.50 : 1 Time(s)
84.93.153.9 : 1 Time(s)
89.189.154.66 : 1 Time(s)
94.183.251.239 : 1 Time(s)
98.234.14.119 : 1 Time(s)
3: com.jcraft.jsch.JSchException: Auth fail [preauth]
163.172.106.111 : 4 Time(s)

Maximum authentication attemps exceeded:
admin:
111.61.110.136: 1 Times(s)
root:
222.186.51.173: 546 Times(s)
111.61.110.136: 2 Times(s)
120.41.239.156: 1 Times(s)
84.166.176.74: 1 Times(s)
223.100.123.8: 1 Times(s)
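An added example, not code from the thread: on the 546-times question, each "maximum authentication attempts exceeded" entry is one TCP connection that used up MaxAuthTries password guesses (6 by default) for root before sshd dropped it. The client simply reconnects, and once a fail2ban ban expires it comes back, so the per-day count keeps growing even while the jail is working. The script below parses raw sshd log lines of the kind logwatch summarises, aggregates them per source address, turns the exceeded count into a lower bound on guesses, and applies a fail2ban-style maxretry threshold. The log lines are constructed for the example (they reuse a couple of addresses from the report above but are not the poster's logs), and MaxAuthTries 6 is an assumption since the poster's value is not shown. The "Disconnecting: Too many authentication failures" message carries no address in this OpenSSH version, which is why logwatch lists it as <unknown>; the script counts those separately rather than guessing an owner.

```python
"""Summarise sshd brute-force activity per source IP from raw auth-log lines.

Logwatch's "Maximum authentication attempts exceeded" figure is per
connection: 546 entries for root from one address means at least
546 * MaxAuthTries password guesses from a client that reconnects every
time sshd drops it.  That reconnect pattern is what a fail2ban jail keys
on; this script does the same aggregation in plain Python.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

MAX_AUTH_TRIES = 6   # OpenSSH default; the poster's value is not shown (assumption)

# OpenSSH server messages as they appear via syslog.  Order matters only in
# that the first matching pattern wins.
PATTERNS = {
    "max_auth_exceeded": re.compile(
        r"error: maximum authentication attempts exceeded for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "failed_password": re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "invalid_user": re.compile(r"Invalid user (?P<user>\S*) from (?P<ip>\S+)"),
    "no_ident": re.compile(r"Did not receive identification string from (?P<ip>\S+)"),
    "disconnect": re.compile(r"Received disconnect from (?P<ip>\S+) port \d+:\s*\d+:"),
}
FAILURE_KINDS = ("max_auth_exceeded", "failed_password", "invalid_user")

# Constructed sample lines, not the poster's /var/log/secure.
SAMPLE_LOG = """\
May 25 03:12:01 vps sshd[2140]: error: maximum authentication attempts exceeded for root from 222.186.51.173 port 53710 ssh2 [preauth]
May 25 03:12:01 vps sshd[2140]: Disconnecting: Too many authentication failures [preauth]
May 25 03:12:04 vps sshd[2143]: error: maximum authentication attempts exceeded for root from 222.186.51.173 port 53988 ssh2 [preauth]
May 25 03:12:04 vps sshd[2143]: Disconnecting: Too many authentication failures [preauth]
May 25 03:12:09 vps sshd[2147]: error: maximum authentication attempts exceeded for root from 222.186.51.173 port 54201 ssh2 [preauth]
May 25 03:15:40 vps sshd[2160]: Invalid user admin from 103.99.2.170 port 56856
May 25 03:15:41 vps sshd[2161]: Invalid user Management from 103.99.2.170 port 57067
May 25 03:15:42 vps sshd[2162]: Did not receive identification string from 103.99.2.170 port 61084
May 25 03:20:00 vps sshd[2170]: Received disconnect from 180.101.45.31 port 41000:11:  [preauth]
""".splitlines()


def summarise(lines: List[str], max_auth_tries: int = MAX_AUTH_TRIES) -> Dict:
    """Per-IP counts by message kind, usernames tried, and a guess lower bound."""
    per_ip = defaultdict(lambda: {"counts": Counter(), "users": Counter(), "min_guesses": 0})
    unattributed = 0   # "Too many authentication failures" lines carry no address here
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                entry = per_ip[m["ip"]]
                entry["counts"][kind] += 1
                user = m.groupdict().get("user")
                if user:
                    entry["users"][user] += 1
                break
        else:
            if "Too many authentication failures" in line:
                unattributed += 1
    for entry in per_ip.values():
        # each exceeded line is one connection that burned MaxAuthTries guesses
        entry["min_guesses"] = entry["counts"]["max_auth_exceeded"] * max_auth_tries
    return {"ips": dict(per_ip), "unattributed": unattributed}


def ban_candidates(summary: Dict, maxretry: int = 5) -> List[str]:
    """Addresses whose authentication failures reach maxretry, worst first."""
    hits = []
    for ip, entry in summary["ips"].items():
        failures = sum(entry["counts"][k] for k in FAILURE_KINDS)
        if failures >= maxretry:
            hits.append((failures, ip))
    return [ip for _, ip in sorted(hits, reverse=True)]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip, entry in s["ips"].items():
        print(ip, dict(entry["counts"]), dict(entry["users"]), "min guesses:", entry["min_guesses"])
    print("unattributed disconnects:", s["unattributed"])
    print("ban candidates at maxretry=3:", ban_candidates(s, maxretry=3))
```

To see which of these lines your running filter really matches, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` prints per-pattern hit counts against the real log. And since the prize being guessed at is root's password, `PermitRootLogin no` (or `prohibit-password` with key-only root access) takes it off the table regardless of how the ban timing works out.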