- 03-30-2010 #1 - Linux Newbie
- Join Date
- Sep 2008
- Location
- Port Moresby
- Posts
- 156
[SOLVED] Is this a hacker??
Mar 31 05:47:55 mailserver sshd(pam_unix)[29011]: session opened for user root by (uid=0)
Mar 31 05:50:37 mailserver su(pam_unix)[30410]: session opened for user amavis by (uid=0)
Mar 31 05:51:01 mailserver su(pam_unix)[30410]: session closed for user amavis
and
Mar 31 06:40:23 mailserver sshd(pam_unix)[7305]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:28 mailserver sshd(pam_unix)[7327]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:35 mailserver sshd(pam_unix)[7346]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:40 mailserver sshd(pam_unix)[7404]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:45 mailserver sshd(pam_unix)[7431]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:50 mailserver sshd(pam_unix)[7469]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:57 mailserver sshd(pam_unix)[7498]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Are these extracts from /var/log/messages a sign of amavis getting into the system and 218.20.227.245 attempting to get in?
- 03-31-2010 #2
Yes, it seems like somebody is really interested in the system.
- Lakshmipathi.G
-------------------
FOSS India Award winning ext3fs Undelete tool and tutorials www.giis.co.in
First they criticize you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
-------------------
- 03-31-2010 #3 - Just Joined!
- Join Date
- Mar 2010
- Posts
- 4
Hello,
Mar 31 06:40:23 mailserver sshd(pam_unix)[7305]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
The lines from /var/log/messages indicate a brute-force attack. There's a ~100% chance that the machine 218.20.227.245 was hacked and is simply attacking other hosts using a brute-force method (i.e. it tries different login credentials). If you are using complex passwords for your users then you shouldn't worry about this; however, in the event of the brute-force attack becoming more intense, this could bring the machine to its knees / make it crash (I have personally seen cases where servers crashed due to a brute-force attack). I would advise the following. You should change the port SSH runs on to prevent this. I would also advise you to immediately block the IP and install CSF (ConfigServer Firewall), as this has a daemon integrated in it, LFD (Login Failure Daemon), which blocks attacks of this kind and more (pop3, ftpd etc.). I hope this helps.
Have a good one !
- 03-31-2010 #4 - Linux Newbie
- Join Date
- Sep 2008
- Location
- Port Moresby
- Posts
- 156
Thanks, appreciate the advice. I will study it over the long weekend.
- 04-01-2010 #5
Other things you'll want to do while you're investigating are turn off root login through SSH, and if possible use key-based login rather than password. Use newer algorithms and long key lengths to make it more difficult to break in.
Changing the port is really easy and saves you so much hassle. It will not prevent someone attempting to break in if they want to be in your specific system, but it does prevent these bots attacking at random.
Linux user #126863 - see http://linuxcounter.net/
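As an added example (not code from this thread or from OpenSSH), here is a small Python audit that checks an sshd_config for the settings recommended in this thread: root login off, password authentication off in favour of keys, and a non-default port. Both config texts are constructed for the example, and the POLICY and DEFAULTS tables and the function names are this example's own choices, not anything from the posters' servers.

```python
"""Audit an sshd_config against the hardening suggested in this thread.

Added example, not from the thread or from OpenSSH. The two config texts
are constructed; the policy table is this example's own choice.
"""
import re

# Constructed "before" config: password logins still allowed on port 22.
# PermitRootLogin is commented out, so sshd falls back to its built-in default.
WEAK_CONFIG = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed "after" config: the same file with the thread's advice applied.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Values sshd applies when a directive is absent. PermitRootLogin defaulted
# to "yes" in OpenSSH releases of this thread's era (OpenSSH 7.0 changed it
# to prohibit-password); the policy below accepts only "no" either way.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}

# Hypothetical policy for this example: directive -> (required value, reason).
POLICY = {
    "permitrootlogin": ("no", "root should not be reachable over ssh at all"),
    "passwordauthentication": ("no", "password guessing is pointless without passwords"),
    "pubkeyauthentication": ("yes", "key-based login replaces passwords"),
}

# sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {directive_lowercased: value} for top-level directives.

    sshd honours the FIRST occurrence of a directive, so later duplicates are
    ignored here as well. Parsing stops at the first Match block, because the
    directives inside it apply conditionally and need a separate review.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        settings.setdefault(key, m.group(2))
    return settings


def audit(text):
    """Return a list of findings; an empty list means the config meets POLICY."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, why) in POLICY.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key}={actual!r}, want {wanted!r}: {why}")
    port = settings.get("port", DEFAULTS["port"])
    if port == "22":
        findings.append("port=22: the default port draws random bot scans; "
                        "moving it cuts noise but does not stop a targeted attacker")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`, and after editing the file check it with `sshd -t` before restarting the daemon, with a second session left open so a typo cannot lock you out.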
- 04-01-2010 #6 - Linux Engineer
- Join Date
- Mar 2005
- Location
- Where my hat is
- Posts
- 765
I also have csf/lfd permanently ban the IP once they hit strike 3. Just have to make sure that when YOU log in, you don't flub it up.
Registered Linux user #384279
Vector Linux SOHO 6 / Vector Linux 7 RC 3.4
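Added example covering both the brute-force pattern explained in post #3 and the strike-3 ban with its self-lockout risk from post #6. This is not csf/lfd code; it is a stand-alone Python sketch of the same logic: parse pam_unix failure lines like the ones quoted above, count failures per rhost inside a sliding time window, and render the block rules an lfd-style daemon would add, skipping an allowlist so that your own workstation is never banned when you flub a password. The sample log is constructed: the 218.20.227.245 lines mirror the thread, while 10.0.0.5 (the admin's own machine) and 192.0.2.77 are made up, and the threshold and window values are this example's own choices.

```python
"""Sliding-window brute-force detection over pam_unix sshd log lines.

Added example; not csf/lfd code. The log below is constructed: the
218.20.227.245 entries copy the format quoted in the thread, the other two
hosts are invented for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 31 06:40:23 mailserver sshd(pam_unix)[7305]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:28 mailserver sshd(pam_unix)[7327]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:35 mailserver sshd(pam_unix)[7346]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:40:40 mailserver sshd(pam_unix)[7404]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.20.227.245 user=root
Mar 31 06:41:02 mailserver sshd(pam_unix)[7510]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Mar 31 06:41:09 mailserver sshd(pam_unix)[7512]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Mar 31 06:41:15 mailserver sshd(pam_unix)[7514]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Mar 31 06:45:00 mailserver sshd(pam_unix)[7600]: session opened for user amavis by (uid=0)
Mar 31 07:30:00 mailserver sshd(pam_unix)[7700]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.77 user=root
"""

# Matches the pam_unix "authentication failure" line format shown in the thread.
# Lines with an empty rhost (local failures) deliberately do not match.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure; .*?rhost=(?P<rhost>\S+) user=(?P<user>\S*)$"
)


def parse_failures(log_text):
    """Return [(timestamp, rhost, user)] for every ssh auth failure line.

    Syslog timestamps carry no year, so strptime yields year 1900; that is
    fine for the relative arithmetic below but breaks across a year rollover.
    """
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["rhost"], m["user"]))
    return events


def find_bruteforcers(events, threshold=3, window_seconds=600, allowlist=frozenset()):
    """Return {rhost: total_failures} for hosts that hit `threshold` failures
    inside any `window_seconds` span ("strike 3" from post #6).

    Hosts in `allowlist` are never reported, so an admin mistyping a password
    from a known workstation does not get their own address banned.
    """
    by_host = defaultdict(list)
    for ts, rhost, _user in events:
        if rhost in allowlist:
            continue
        by_host[rhost].append(ts)

    window = timedelta(seconds=window_seconds)
    offenders = {}
    for rhost, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[rhost] = len(times)
                break
    return offenders


def iptables_rules(offenders):
    """Render the drop rules an lfd-style daemon would insert. Strings only;
    nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    bad = find_bruteforcers(failures, allowlist=frozenset({"10.0.0.5"}))
    for rule in iptables_rules(bad):
        print(rule)
```

Without the allowlist the admin's own 10.0.0.5 would be banned on its third mistyped password, which is exactly the "don't flub it up" warning above. Newer OpenSSH logs these failures as "Failed password for root from ... port ... ssh2" (often via journald) rather than the pam_unix line shown here, so the regex must be adapted to whatever your sshd actually writes.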
- 04-11-2010 #7 - Linux Newbie
- Join Date
- Sep 2008
- Location
- Port Moresby
- Posts
- 156
Yes I agree. Nothing of value here. Just checking out the log entries to understand what they mean.