07-29-2005 #1 - Linux Newbie (Join Date: Aug 2004; Location: Malvern, UK; Posts: 132)
Should I Be Worried !
Hi All
I have picked up the following entries in /var/log/messages
It is obviously an attempt to get into my box, which I don't think succeeded. But how can I tell for sure?
Code:
Jul 28 21:31:51 slackbox sshd[25489]: Invalid user test from 212.248.53.160
Jul 28 21:31:51 slackbox sshd[25489]: Failed password for invalid user test from 212.248.53.160 port 33234 ssh2
Jul 28 21:31:52 slackbox sshd[25492]: Invalid user guest from 212.248.53.160
Jul 28 21:31:52 slackbox sshd[25492]: Failed password for invalid user guest from 212.248.53.160 port 33271 ssh2
Jul 28 21:31:53 slackbox sshd[25495]: Invalid user admin from 212.248.53.160
Jul 28 21:31:53 slackbox sshd[25495]: Failed password for invalid user admin from 212.248.53.160 port 33312 ssh2
Jul 28 21:31:54 slackbox sshd[25498]: Invalid user admin from 212.248.53.160
Jul 28 21:31:54 slackbox sshd[25498]: Failed password for invalid user admin from 212.248.53.160 port 33347 ssh2
Jul 28 21:31:54 slackbox sshd[25501]: Invalid user user from 212.248.53.160
Jul 28 21:31:54 slackbox sshd[25501]: Failed password for invalid user user from 212.248.53.160 port 33380 ssh2
Jul 28 21:31:55 slackbox sshd[25504]: Failed password for root from 212.248.53.160 port 33419 ssh2
Jul 28 21:31:56 slackbox sshd[25507]: Failed password for root from 212.248.53.160 port 33450 ssh2
Jul 28 21:31:57 slackbox sshd[25510]: Failed password for root from 212.248.53.160 port 33477 ssh2
Jul 28 21:31:57 slackbox sshd[25513]: Invalid user test from 212.248.53.160
Jul 28 21:31:57 slackbox sshd[25513]: Failed password for invalid user test from 212.248.53.160 port 33511 ssh2
I have checked /etc/passwd and nothing seems amiss, although I am not really sure what I am looking for! I have posted it below for info:
Code:
:~$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
I have run both chkrootkit and rkhunter and both report no errors or problems.
I have installed "webmin" and beefed up ssh security by blocking root logins and allowing only ssh2 connections.
Is there anywhere else I should be looking for trouble, or anything I should do to block this sort of activity out, please?
The IP mentioned in the logs emanates from Moscow. I don't know much more than that at the moment.
The box in question is running Slack 10.1 on a 2.4.29 kernel with Win XP dual booting on a separate drive. It is just a home box that I am using to learn Linux. It has Apache, MySQL etc. running on "localhost" but as far as I know they do not face the internet. The only other server that I think is running would be sendmail (?), although I am unsure how to check what is running and what is not. I use a modem router which acts for DHCP, NAT and firewall.
Any advice appreciated. If you need any more info then let me know.
Regards
Bubo
My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing!
Registered Linux User: #417183
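An added example, not part of the original thread, of how a practitioner would answer "how can I tell for sure". sshd logs a successful login as "Accepted password for ..." or "Accepted publickey for ...", and a failure as "Failed password for ..."; a password-guessing run that never produced an Accepted line from the same source did not get in through sshd (it says nothing about other services). The script below is POSIX sh plus awk, written for this post rather than taken from it. The log lines embedded in it are constructed: they follow the format shown above, but the two Accepted lines are invented to show what a success looks like, and the addresses are documentation ranges rather than the one in the post.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd entries from
# /var/log/messages, where Slackware's syslog puts them.
# Usage: sh ssh_triage.sh /var/log/messages   (no argument: use the sample)

# Constructed sample log, modelled on the format in the post. The two
# "Accepted" lines are invented to show what a successful login looks like.
SAMPLE_LOG='Jul 28 21:31:51 slackbox sshd[25489]: Invalid user test from 192.0.2.10
Jul 28 21:31:51 slackbox sshd[25489]: Failed password for invalid user test from 192.0.2.10 port 33234 ssh2
Jul 28 21:31:55 slackbox sshd[25504]: Failed password for root from 192.0.2.10 port 33419 ssh2
Jul 28 21:31:56 slackbox sshd[25507]: Failed password for root from 192.0.2.10 port 33450 ssh2
Jul 28 22:05:12 slackbox sshd[25610]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Jul 28 23:10:03 slackbox sshd[25701]: Accepted publickey for bubo from 198.51.100.7 port 50010 ssh2'

# Number of failed password attempts in the log text passed as $1.
count_failed() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Failed password for' || true
}

# Distinct source addresses that produced at least one failure. The address
# is always the field after "from", with or without "invalid user" in front.
failed_sources() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' | sort -u
}

# Successful logins as "user address method", one per line. Line format:
# "... sshd[PID]: Accepted <method> for <user> from <addr> port N ssh2"
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }'
}

# The lines that actually matter: a success from an address that was also
# guessing passwords. Empty output means the brute force did not get in
# through sshd.
suspicious_successes() {
    text=$1
    failed_sources "$text" | while read -r ip; do
        accepted_logins "$text" | awk -v ip="$ip" '$2 == ip'
    done
}

log=$(cat "$1" 2>/dev/null || printf '%s' "$SAMPLE_LOG")
echo "failed attempts:  $(count_failed "$log")"
echo "guessing sources: $(failed_sources "$log" | tr '\n' ' ')"
echo "accepted logins:"
accepted_logins "$log" | sed 's/^/  /'
echo "successes from a guessing source (investigate these):"
suspicious_successes "$log" | sed 's/^/  /'
# Cross-check against the login records, which sshd does not write itself:
#   last -i      (wtmp: who logged in, from where, when)
#   lastlog      (most recent login per account; a root login would show here)
```

Run it against the real file as root (`sh ssh_triage.sh /var/log/messages`); for the log quoted in the post the last section comes out empty, which is the evidence the poster is after. Also check `last -i` and `lastlog` separately, because an attacker who got in could truncate /var/log/messages.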
07-29-2005 #2 - Linux Newbie (Join Date: Jul 2005; Location: ~/home; Posts: 105)
If you have strong passwords, there is not much chance they get in.
Just make sure you don't allow root logins through ssh.
Debian has a nice piece about ssh security:
http://www.debian.org/doc/manuals/se...s.en.html#s5.1
07-29-2005 #3 - Linux Guru (Join Date: Nov 2004; Posts: 6,110)
I get a lot of brute force ssh attempts. Damn script kiddies. They never get through. If you don't use ssh yourself I would either disable the daemon or tell your router not to forward port 22 - which is a little bit safer.
07-29-2005 #4 - Linux Newbie (Join Date: Aug 2004; Location: Malvern, UK; Posts: 132)
Thanks for the replies.
I do use ssh to access my home box from work, but not vice versa.
If everyone seems happy that the potential intruder has not actually got in, I will just beef up my passwords a bit and keep an eye on the situation. I have been trying to set up passphrases using ssh-keygen but am having trouble copying the keys from the work box to the home box; if anyone can give me some advice on that process, please do.
I will do a bit more reading on the subject. Would it be right to assume that the passphrases and keys route will be more secure than username and password logins?
Regards
Bubo
My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing!
Registered Linux User: #417183
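An added example, not from the thread, for the key-copying step asked about above. The procedure is: on the work box run `ssh-keygen -t rsa` and give it a passphrase, then append the contents of `~/.ssh/id_rsa.pub` to `~/.ssh/authorized_keys` on the home box. The part that most often fails silently is permissions: with the default `StrictModes yes`, sshd ignores the key if the home directory, `~/.ssh` or `authorized_keys` is writable by group or others, and the client just falls back to asking for a password. The function below does the append idempotently with the modes sshd expects. The key line, the temporary home directory and the host name `homebox` in the comment are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key into a user's
# authorized_keys the way sshd wants it, and show the equivalent one-liner
# run from the work box.

# append_authorized_key HOME_DIR "ssh-rsa AAAA... comment"
#   - HOME_DIR/.ssh is created with mode 700
#   - HOME_DIR/.ssh/authorized_keys is created/kept with mode 600
#   - the key is appended only if that exact line is not already there
append_authorized_key() {
    home=$1
    key=$2
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    # StrictModes also rejects keys when the home directory itself is
    # group- or world-writable; fix that too.
    chmod go-w "$home"
    touch "$authkeys"
    chmod 600 "$authkeys"
    if ! grep -qxF -- "$key" "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
}

# Number of keys installed for a home directory (0 if none yet).
count_authorized_keys() {
    authkeys="$1/.ssh/authorized_keys"
    [ -f "$authkeys" ] || { echo 0; return 0; }
    grep -c '^ssh-' "$authkeys" || true
}

# Demo with a constructed (not real) key in a throwaway home directory.
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample+not+a+real+key== bubo@workbox'
demo_home=$(mktemp -d)
append_authorized_key "$demo_home" "$DEMO_KEY"
append_authorized_key "$demo_home" "$DEMO_KEY"   # second call is a no-op
echo "keys installed: $(count_authorized_keys "$demo_home")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"

# The same thing from the work box in one command (host name is a placeholder):
#   cat ~/.ssh/id_rsa.pub | ssh bubo@homebox \
#     'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys \
#      && chmod 600 ~/.ssh/authorized_keys'
# Then try "ssh -v bubo@homebox": the -v output says which key it offered and
# whether the server accepted it. Only after that works should password
# logins be switched off in sshd_config.
```

If `ssh -v` shows the key being offered but the server still asks for a password, the permissions above are the first thing to check, followed by `AuthorizedKeysFile` and `PubkeyAuthentication` in the server's sshd_config.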
07-29-2005 #5
It looks like they are not successful, but you don't know that positively. I think it's a pretty safe bet, though, based on what you see and don't see.
Does slackware use xinetd or inetd as its super server? Either way, I would suggest restricting access to a range of IPs using xinetd's mechanism or tcp wrappers. Block the guy so he doesn't get a logon prompt at all.
07-29-2005 #6 - Just Joined! (Join Date: Jul 2005; Location: Inside the Kernel (somewhere); Posts: 41)
You're going to get these warnings, no matter what. People are just stupid and will try anything. This is why strong passwords should be required, and non guessable usernames are just as good.
07-29-2005 #7 - Linux Newbie (Join Date: Jun 2005; Posts: 181)
Those are entirely normal; the moment I set up my server my logs got flooded with them. People will try common passwords on your system, but if you just use a random pass there's pretty much zero chance of them getting in. The only trouble is it can slow your box down. I've had bad slowdowns on my (admittedly crap) server, due to 30+ SSH login attempts a second from a single IP. iptables is useful.
200mhz Pentium 1 with MMX, 128mb RAM, 10gb Seagate HDD. Beastly.
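An added example, not from the thread, of the iptables side of the post above: throttling new SSH connections so one guessing host cannot fork a fresh sshd thirty times a second. It uses only the `limit` match, which is in stock 2.4 kernels like the poster's 2.4.29; the per-source `recent` match is the better tool where the kernel has it, because `limit` counts all new connections together. That is why the function takes an optional trusted address that bypasses the limit: without it, an attack in progress can also lock out the legitimate login from work. The rules are printed rather than applied so they can be read first; the port, rate and the 203.0.113.0/24 network in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that throttle
# new SSH connections. Print, review, then run as root with "| sh".

# ssh_ratelimit_rules [PORT] [RATE] [BURST] [TRUSTED]
#   PORT    TCP port sshd listens on (default 22)
#   RATE    average rate of new connections let through, e.g. 3/minute
#   BURST   how many may arrive at once before the limit bites
#   TRUSTED optional address or CIDR that is never throttled
ssh_ratelimit_rules() {
    port=${1:-22}
    rate=${2:-3/minute}
    burst=${3:-5}
    trusted=$4
    printf '%s\n' "# Throttle new SSH connections on port $port (added example; review before applying)"
    printf '%s\n' "iptables -N SSH_LIMIT"
    # Only connection attempts (SYN) go through the chain; established
    # sessions are unaffected, so a running login is never cut.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -j SSH_LIMIT"
    if [ -n "$trusted" ]; then
        printf '%s\n' "iptables -A SSH_LIMIT -s $trusted -j ACCEPT"
    fi
    printf '%s\n' "iptables -A SSH_LIMIT -m limit --limit $rate --limit-burst $burst -j ACCEPT"
    # Log what gets dropped, but rate-limit the logging too: a flood of
    # syslog lines is itself a slowdown on a small box.
    printf '%s\n' "iptables -A SSH_LIMIT -m limit --limit 1/minute -j LOG --log-prefix \"ssh-ratelimit: \""
    # DROP rather than REJECT: the guessing tool waits for a timeout on
    # each attempt instead of moving straight to the next one.
    printf '%s\n' "iptables -A SSH_LIMIT -j DROP"
}

# Default port, then a moved port with the work network exempted.
ssh_ratelimit_rules
echo
ssh_ratelimit_rules 4022 3/minute 5 203.0.113.0/24
# Apply as root:   ssh_ratelimit_rules 22 3/minute 5 | sh
# Remove again:    iptables -D INPUT -p tcp --dport 22 --syn -j SSH_LIMIT
#                  iptables -F SSH_LIMIT && iptables -X SSH_LIMIT
```

The rules live on the Slackware box, not the router, and still matter behind NAT because the router forwards port 22 inward; they are lost at reboot unless saved with `iptables-save` and restored from an rc script. A burst of 5 with 3/minute leaves room for a few normal logins in a row while cutting a brute forcer to a handful of attempts per minute.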
07-30-2005 #8
If the OP ever reads this thread again, I still would suggest restricting access via tcp wrappers. Strong passwords are fine, but why give them the chance to log in at all?
08-07-2005 #9 - Just Joined! (Join Date: Dec 2004; Posts: 22)
Another form of protection is to block out port 22 and use something beyond port 4000. You can create this configuration in /etc/ssh/sshd_conf file and restart sshd.
Remember to utilize this port upon logging in. To 100% secure this server from attacks like this, null root access from the outside. Create a user and sudo to root IF you have to do anything requiring root access.
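An added example, not from the thread, pulling together the settings recommended in posts #5, #8 and #9 (and the root-login block the original poster already applied) as the config fragments a practitioner would actually write. The server file is `/etc/ssh/sshd_config`. The port 4022, the user name `bubo` and the address prefixes in hosts.allow are assumptions for the example; the tcp_wrappers rules only take effect if sshd is linked against libwrap (check with `ldd $(which sshd) | grep libwrap`). Moving the port only cuts down the noise from scanners looking for 22; the AllowUsers, key-only and wrapper settings are what stop the guessing outright.

```text
# /etc/ssh/sshd_config
Port 4022                       # assumption; forward this port on the router instead of 22
Protocol 2
PermitRootLogin no              # root can still "su"/"sudo" after a normal login
AllowUsers bubo                 # every other name (test, guest, admin, root) is refused before a password is tried
MaxAuthTries 3                  # fewer guesses per connection before sshd disconnects
# once key login from the work box is verified, turn passwords off:
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE                # logs the key fingerprint on each login

# /etc/hosts.deny   (tcp_wrappers: evaluated after hosts.allow)
sshd: ALL

# /etc/hosts.allow  (LAN plus the work network; prefixes are placeholders)
sshd: 192.168.1. 203.0.113.

# /etc/sudoers      (edit with visudo, never directly)
bubo ALL=(ALL) ALL
```

Check the syntax with `sshd -t` before restarting, restart with `/etc/rc.d/rc.sshd restart`, and keep the current session open while opening a second one on the new port, so a typo in the file cannot lock you out. Where the post says "null root access from the outside", the two lines that do it are `PermitRootLogin no` together with `AllowUsers`: root then never gets an authentication prompt at all, and `su` or `sudo` from the ordinary account is the only path to it.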