While reviewing my message log, I've come across somebody trying to guess my passwords. Not a big deal, but there are a lot of lines where this guy was able to leave a message in my log. Obviously it's his tag.
Does anyone know how this is achieved, or better yet, how it is stopped? He could probably start a pretty nasty DoS on my message log. See below:
Code:
Dec 12 08:21:15 slack sshd[8177]: Failed password for root from 71.56.31.70 port 50741 ssh2
Dec 12 08:21:18 slack sshd[8179]: Failed password for root from 71.56.31.70 port 52699 ssh2
Dec 12 08:21:20 slack sshd[8181]: Failed password for root from 71.56.31.70 port 55174 ssh2
Dec 12 08:21:24 slack sshd[8183]: Failed password for root from 71.56.31.70 port 57112 ssh2
Dec 12 08:21:28 slack sshd[8185]: Invalid user spam from 71.56.31.70
Dec 12 08:21:28 slack sshd[8185]: Failed password for invalid user spam from 71.56.31.70 port 59385 ssh2
Dec 12 08:21:32 slack sshd[8187]: Invalid user ventas from 71.56.31.70
Dec 12 08:21:32 slack sshd[8187]: Failed password for invalid user ventas from 71.56.31.70 port 34000 ssh2
Dec 12 08:21:35 slack sshd[8189]: Invalid user paul from 71.56.31.70
Dec 12 08:21:35 slack sshd[8189]: Failed password for invalid user paul from 71.56.31.70 port 36558 ssh2
Dec 12 08:21:39 slack sshd[8191]: Invalid user andres from 71.56.31.70
Dec 12 08:21:39 slack sshd[8191]: Failed password for invalid user andres from 71.56.31.70 port 38534 ssh2
Dec 12 08:43:59 slack -- MARK --
Dec 12 09:03:59 slack -- MARK --
Dec 12 09:23:59 slack -- MARK --
Dec 12 09:43:59 slack -- MARK --
Dec 12 10:03:59 slack -- MARK --
Dec 12 10:24:00 slack -- MARK --
Dec 12 10:44:00 slack -- MARK --
Dec 12 11:04:00 slack -- MARK --
Dec 12 11:24:00 slack -- MARK --
Dec 12 11:44:00 slack -- MARK --
Dec 12 12:04:00 slack -- MARK --
And yes, I've left his IP address in there; he deserves no privacy.
I believe it's accomplished via some kind of widely available script(s), hence hearing the name 'script kiddies', where they scan ranges of IPs for open ports. But I really don't know how it's done. I had this happen when I set up my first Slack system (before I got a NAT router and more than one machine set up), and all I did to stop it was to block those ports and stop the services that I didn't need running. If you don't need ssh running you can disable that among others, or set it up to only allow certain hosts to connect, etc. The router, for me, is much simpler than setting up a firewall, and I only have to open up those ports that I absolutely must via forwarding.
As far as the IP logged, I'm not really certain how reliable that is, as there might be ways to mask their true IP address.
Sorry I'm not more learned on this subject, but I believe it's fairly common and some googling might turn up more informative answers.
Maybe he was using a proxy, but usually they use lots.
I checked the IP on http://samspade.org/ whois and it seems Country: US, OrgName: Comcast, OrgAbuseEmail: abuse@comcast.net, but I'm also unfamiliar with these things heh
OK, I'm a little more worried now. I've shut down ssh and the messages are still appearing. Anyone have any idea what generates them?
Code:
Dec 12 16:44:00 slack -- MARK --
Dec 12 16:58:03 slack sshd[2133]: Received signal 15; terminating.
Dec 12 17:24:00 slack -- MARK --
Dec 12 17:44:01 slack -- MARK --
Dec 12 18:04:01 slack -- MARK --
Oh, and I have to be root to view the log (and I've never heard of messages being replaced if you're not root).
About the login attempts, there's not much you can do about it except changing the sshd port.
You may have done this already, but you could also disable root logins via ssh (which I think is generally recommended for this very reason). This may not stop the login attempts and the messages in your logs, but it'll stop them from logging in via ssh even if they do get your password.
If you want to shut down the service then do so. But the security of your system is very dependent on the services that you have open to the internet. Your firewall should be set up to accomplish the security.
I would register a complaint with Comcast!
'c-71-56-31-70.hsd1.ga.comcast.net' is the person(s) trying to get in. You can do a reverse lookup via this DNS site. Then register the complaint with abuse@comcast.net.
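Added example (not from anyone in this thread): a small Python parser over constructed log lines in the same syslog/sshd format shown above, which tallies failed logins and usernames tried per source address so a firewall block or abuse report has numbers behind it, and separates out the "-- MARK --" lines, which are syslogd's own heartbeat (written every 20 minutes by default, controlled by syslogd's -m option) and so keep appearing after sshd is stopped. The addresses, PIDs and threshold below are constructed sample values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the thread's log (addresses are documentation ranges).
SAMPLE_LOG = """\
Dec 12 08:21:15 slack sshd[8177]: Failed password for root from 192.0.2.10 port 50741 ssh2
Dec 12 08:21:18 slack sshd[8179]: Failed password for root from 192.0.2.10 port 52699 ssh2
Dec 12 08:21:28 slack sshd[8185]: Invalid user spam from 192.0.2.10
Dec 12 08:21:28 slack sshd[8185]: Failed password for invalid user spam from 192.0.2.10 port 59385 ssh2
Dec 12 08:21:32 slack sshd[8187]: Invalid user ventas from 192.0.2.10
Dec 12 08:21:32 slack sshd[8187]: Failed password for invalid user ventas from 192.0.2.10 port 34000 ssh2
Dec 12 08:30:01 slack sshd[8201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec 12 08:43:59 slack -- MARK --
Dec 12 09:03:59 slack -- MARK --
Dec 12 16:58:03 slack sshd[2133]: Received signal 15; terminating.
"""

# "Failed password for root from A.B.C.D port N ssh2" and the "invalid user" variant.
FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# syslogd heartbeat line: no daemon name, just the host and "-- MARK --".
MARK_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ -- MARK --$")

def summarize(log_text):
    """Return (failed logins per IP, usernames tried per IP, number of MARK heartbeats)."""
    per_ip = Counter()
    users = defaultdict(set)
    marks = 0
    for line in log_text.splitlines():
        if MARK_RE.match(line):
            marks += 1          # written by syslogd itself, not by sshd or a remote host
            continue
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return per_ip, users, marks

def offenders(log_text, threshold=3):
    """Source addresses with at least `threshold` failed logins: candidates for a firewall block."""
    per_ip, _, _ = summarize(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    per_ip, users, marks = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} failed logins, users tried: {sorted(users[ip])}")
    print(f"{marks} '-- MARK --' heartbeat lines from syslogd (not the attacker)")
    print("offenders:", offenders(SAMPLE_LOG))
```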