  1. #1
    Linux Newbie
    Join Date
    Aug 2004
    Location
    Malvern, UK
    Posts
    132

    Should I Be Worried!


    Hi All

    I have picked up the following entries in /var/log/messages

    Code:
    Jul 28 21:31:51 slackbox sshd[25489]: Invalid user test from 212.248.53.160
    Jul 28 21:31:51 slackbox sshd[25489]: Failed password for invalid user test from 212.248.53.160 port 33234 ssh2
    Jul 28 21:31:52 slackbox sshd[25492]: Invalid user guest from 212.248.53.160
    Jul 28 21:31:52 slackbox sshd[25492]: Failed password for invalid user guest from 212.248.53.160 port 33271 ssh2
    Jul 28 21:31:53 slackbox sshd[25495]: Invalid user admin from 212.248.53.160
    Jul 28 21:31:53 slackbox sshd[25495]: Failed password for invalid user admin from 212.248.53.160 port 33312 ssh2
    Jul 28 21:31:54 slackbox sshd[25498]: Invalid user admin from 212.248.53.160
    Jul 28 21:31:54 slackbox sshd[25498]: Failed password for invalid user admin from 212.248.53.160 port 33347 ssh2
    Jul 28 21:31:54 slackbox sshd[25501]: Invalid user user from 212.248.53.160
    Jul 28 21:31:54 slackbox sshd[25501]: Failed password for invalid user user from 212.248.53.160 port 33380 ssh2
    Jul 28 21:31:55 slackbox sshd[25504]: Failed password for root from 212.248.53.160 port 33419 ssh2
    Jul 28 21:31:56 slackbox sshd[25507]: Failed password for root from 212.248.53.160 port 33450 ssh2
    Jul 28 21:31:57 slackbox sshd[25510]: Failed password for root from 212.248.53.160 port 33477 ssh2
    Jul 28 21:31:57 slackbox sshd[25513]: Invalid user test from 212.248.53.160
    Jul 28 21:31:57 slackbox sshd[25513]: Failed password for invalid user test from 212.248.53.160 port 33511 ssh2
    It is obviously an attempt to get into my box, which I don't think succeeded. But how can I tell for sure?

    I have checked

    Code:
    /etc/passwd
    and nothing seems amiss, although I am not really sure what I am looking for! I have posted it below for info:

    Code:
    :~$ cat /etc/passwd
    root:x:0:0::/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    adm:x:3:4:adm:/var/log:
    lp:x:4:7:lp:/var/spool/lpd:
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/:
    news:x:9:13:news:/usr/lib/news:
    uucp:x:10:14:uucp:/var/spool/uucppublic:
    operator:x:11:0:operator:/root:/bin/bash
    games:x:12:100:games:/usr/games:
    ftp:x:14:50::/home/ftp:
    smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
    mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
    rpc:x:32:32:RPC portmap user:/:/bin/false
    sshd:x:33:33:sshd:/:
    gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
    pop:x:90:90:POP:/:
    nobody:x:99:99:nobody:/:
    I have run both chkrootkit and rkhunter and both report no errors or problems.

    I have installed "webmin" and beefed up ssh security by blocking root logins and allowing only ssh2 connections.

    Is there anywhere else I should be looking for trouble, or anything I should do to block this sort of activity out, please?

    The IP mentioned in the logs emanates from Moscow. I don't know much more than that at the moment.

    The box in question is running Slack 10.1 on a 2.4.29 kernel, with Win XP dual booting on a separate drive. It is just a home box that I am using to learn Linux. It has Apache, MySQL etc. running on "localhost" but as far as I know they do not face the internet. The only other server that I think is running would be sendmail (?), although I am unsure how to check what is running and what is not. I use a modem router which acts as DHCP, NAT and firewall.

    Any advice appreciated. If you need any more info then let me know.

    Regards

    Bubo
    My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing !

    Registered Linux User: #417183
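    The question in the post above, "how can I tell for sure?", has a concrete answer in sshd's own log lines: a failed attempt is logged as "Failed password for ... from <ip> port ...", while a login that actually worked is logged as "Accepted <method> for <user> from <ip> port ...". If no "Accepted" line exists for the attacking address, sshd never let it in. The script below is an added example (my own, not from the thread or from OpenSSH) that runs that check over the log lines in the post; it also tallies failures per address and lists the usernames each address tried. The sample log is constructed: the nine failures from the post plus two made-up failures from 198.51.100.7 and one made-up successful key login from 192.0.2.10 (RFC 5737 documentation addresses, not real hosts). Cross-check with `last`, which reads /var/log/wtmp; a session sshd accepted appears there as well.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd log lines for brute-force
# attempts and, more importantly, for any login that actually succeeded.
# Feed it /var/log/messages or /var/log/secure, wherever sshd logs on your box.

# Constructed sample: the failures from the post, two made-up failures from a
# second address and one made-up successful key login (RFC 5737 addresses).
SAMPLE_LOG='Jul 28 21:31:51 slackbox sshd[25489]: Invalid user test from 212.248.53.160
Jul 28 21:31:51 slackbox sshd[25489]: Failed password for invalid user test from 212.248.53.160 port 33234 ssh2
Jul 28 21:31:52 slackbox sshd[25492]: Invalid user guest from 212.248.53.160
Jul 28 21:31:52 slackbox sshd[25492]: Failed password for invalid user guest from 212.248.53.160 port 33271 ssh2
Jul 28 21:31:53 slackbox sshd[25495]: Invalid user admin from 212.248.53.160
Jul 28 21:31:53 slackbox sshd[25495]: Failed password for invalid user admin from 212.248.53.160 port 33312 ssh2
Jul 28 21:31:54 slackbox sshd[25498]: Invalid user admin from 212.248.53.160
Jul 28 21:31:54 slackbox sshd[25498]: Failed password for invalid user admin from 212.248.53.160 port 33347 ssh2
Jul 28 21:31:54 slackbox sshd[25501]: Invalid user user from 212.248.53.160
Jul 28 21:31:54 slackbox sshd[25501]: Failed password for invalid user user from 212.248.53.160 port 33380 ssh2
Jul 28 21:31:55 slackbox sshd[25504]: Failed password for root from 212.248.53.160 port 33419 ssh2
Jul 28 21:31:56 slackbox sshd[25507]: Failed password for root from 212.248.53.160 port 33450 ssh2
Jul 28 21:31:57 slackbox sshd[25510]: Failed password for root from 212.248.53.160 port 33477 ssh2
Jul 28 21:31:57 slackbox sshd[25513]: Invalid user test from 212.248.53.160
Jul 28 21:31:57 slackbox sshd[25513]: Failed password for invalid user test from 212.248.53.160 port 33511 ssh2
Jul 28 21:33:10 slackbox sshd[25520]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jul 28 21:33:11 slackbox sshd[25523]: Failed password for root from 198.51.100.7 port 41002 ssh2
Jul 28 21:40:02 slackbox sshd[25600]: Accepted publickey for bubo from 192.0.2.10 port 40001 ssh2'

# Failed password attempts per source address, busiest first: "<count> <ip>".
failed_by_ip() {
    grep 'Failed password for' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port [0-9]*.*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Every successful login. sshd logs these as "Accepted <method> for <user> from
# <ip> port <n>"; failures never produce an Accepted line, so an empty result is
# the answer to "did they get in?" as far as sshd's own log can tell.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted '
}

# Exit 0 if the given address ever logged in successfully, 1 otherwise.
ip_ever_accepted() {
    accepted_logins | grep -qF " from $1 port "
}

# Usernames one address tried (what the attacker's wordlist looks like).
usernames_tried_by() {
    grep 'Failed password for' | grep -F " from $1 port " |
        sed 's/invalid user //; s/.*Failed password for \([^ ]*\) from .*/\1/' |
        sort -u
}

# Run the checks over the sample.
echo "== failures per address =="
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "== successful logins =="
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
echo "== usernames tried by 212.248.53.160 =="
printf '%s\n' "$SAMPLE_LOG" | usernames_tried_by 212.248.53.160
if printf '%s\n' "$SAMPLE_LOG" | ip_ever_accepted 212.248.53.160; then
    echo "212.248.53.160 DID log in: investigate"
else
    echo "212.248.53.160 never produced an Accepted line"
fi
```

    On a real box replace the sample with `cat /var/log/messages | failed_by_ip` and so on. The usernames the attacker cycles through (test, guest, admin, user, root) are the stock list these scanners carry, which is why a non-obvious username plus a strong password, or a key, defeats them.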

  2. #2
    Linux Newbie
    Join Date
    Jul 2005
    Location
    ~/home
    Posts
    105
    If you have strong passwords, there is not much chance they will get in.

    just make sure you don't allow root logins through ssh.
    Debian has a nice piece about ssh security:
    http://www.debian.org/doc/manuals/se...s.en.html#s5.1
    Help me get an Opera licence
    Beginning with debian? -> read THIS!

  3. #3
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    I get a lot of brute force ssh attempts. Damn script kiddies. They never get through. If you don't use ssh yourself I would either disable the daemon or tell your router not to forward port 22 - which is a little bit safer.

  4. #4
    Linux Newbie
    Join Date
    Aug 2004
    Location
    Malvern, UK
    Posts
    132
    Thanks for the replies.

    I do use ssh to access my home box from work, but not vice versa.

    If everyone seems happy that the potential intruder has not actually got in, I will just beef up my passwords a bit and keep an eye on the situation. I have been trying to set up passphrases using ssh-keygen but am having trouble copying the keys from the work box to the home box, if anyone can give me some advice on that process.

    I will do a bit more reading on the subject. Would it be right to assume that the passphrases and keys route will be more secure than username and password logins?

    Regards

    Bubo
    My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing !

    Registered Linux User: #417183
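    On the key-copying trouble in the post above: the pair is generated on the work box with `ssh-keygen -t rsa -b 2048` (pick a passphrase when prompted), and the public half, id_rsa.pub, has to end up as one line in ~/.ssh/authorized_keys on the home box. The part that usually goes wrong is not the copy but the permissions: with StrictModes (the default) sshd silently ignores authorized_keys when ~/.ssh or the file is group- or world-writable, and simply falls back to asking for a password. The script below is an added example (mine, not the poster's and not part of OpenSSH). It assumes OpenSSH on both ends; the host name `bubo@home-box` is a placeholder, and the offline demo uses a constructed fake public key line in place of a real id_rsa.pub.

```shell
#!/bin/sh
# Added example (not from the thread): get a public key into authorized_keys on
# the home box with modes sshd will accept, and do it idempotently.
# Assumptions: OpenSSH at both ends; "bubo@home-box" is a placeholder.

# Append a public key to an authorized_keys file exactly once, creating the
# directory and fixing modes. sshd (StrictModes yes, the default) ignores
# authorized_keys if ~/.ssh or the file is group/world writable, which is the
# usual reason "it still asks for my password".
install_pubkey() {
    key=$1
    auth=$2
    dir=$(dirname "$auth")
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # -x: whole-line match, -F: the key is a literal string, not a regex
    if ! grep -qxF "$(cat "$key")" "$auth"; then
        cat "$key" >> "$auth"
    fi
}

# Number of keys currently authorized (one "ssh-..." line each).
authorized_key_count() {
    grep -c '^ssh-' "$1"
}

# Run from the work box: push the key over one ordinary password login; after
# that, logins use the key. Network step, so the demo below does not call it.
push_pubkey() {
    # $1 = user@host, $2 = public key file
    # umask 077 makes the directory and file private if they get created here.
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$2"
}

# Offline demo: a constructed fake key line stands in for id_rsa.pub.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample bubo@work' > "$tmp/id_rsa.pub"
    auth="$tmp/home/.ssh/authorized_keys"
    install_pubkey "$tmp/id_rsa.pub" "$auth"
    install_pubkey "$tmp/id_rsa.pub" "$auth"   # second run must not duplicate
    echo "keys authorized: $(authorized_key_count "$auth")"
    ls -ld "$tmp/home/.ssh" "$auth"
    rm -rf "$tmp"
}

demo
# real use from the work box would be:
#   push_pubkey bubo@home-box ~/.ssh/id_rsa.pub
```

    Once the key login works, `ssh -v bubo@home-box` shows "Authentication succeeded (publickey)" in the debug output; if it still says password, check the modes on the home box first.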

  5. #5
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    It looks like they are not successful, but you don't know that positively. I think it's a pretty safe bet, though, based on what you see and don't see.

    Does slackware use xinetd or inetd as its super server? Either way, I would suggest restricting access to a range of IPs using xinetd's mechanism or tcp wrappers. Block the guy so he doesn't get a logon prompt at all.

  6. #6
    Just Joined!
    Join Date
    Jul 2005
    Location
    Inside the Kernel (somewhere)
    Posts
    41
    You're going to get these warnings, no matter what. People are just stupid and will try anything. This is why strong passwords should be required, and non-guessable usernames are just as good.

  7. #7
    Linux Newbie
    Join Date
    Jun 2005
    Posts
    181
    Those are entirely normal; the moment I set up my server my logs got flooded with them. People will try common passwords on your system, but if you just use a random pass there's pretty much zero chance of them getting in. The only trouble is it can slow your box down; I've had bad slowdowns on my (admittedly crap) server, due to 30+ SSH login attempts a second from a single IP. iptables is useful.
    200mhz Pentium 1 with MMX, 128mb RAM, 10gb Seagate HDD. Beastly.

  8. #8
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    If the OP ever reads this thread again, I still would suggest restricting access via tcp wrappers. Strong passwords are fine, but why give them the chance to log in at all?

  9. #9
    Just Joined!
    Join Date
    Dec 2004
    Posts
    22
    Another form of protection is to block out port 22 and use something beyond port 4000. You can create this configuration in the /etc/ssh/sshd_config file and restart sshd.

    Remember to use this port when logging in. To 100% secure this server from attacks like this, null root access from the outside. Create a user and sudo to root IF you have to do anything requiring root access.
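    The sshd_config changes scattered through this thread (no root logins and SSH-2 only from post #1, a non-default port and no outside root from post #9) and the TCP wrappers restriction from posts #5 and #8 fit in a few lines, and it is worth checking they actually took rather than trusting the edit. The script below is an added example (mine, not from the thread, and not an OpenSSH tool): an audit function that reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and names the weak settings, run over a constructed before/after pair, with matching hosts.deny and hosts.allow written beside them. Assumptions: OpenSSH keyword names; `Protocol` only matters on releases that still support SSH-1, which the Slackware 10.1 era ones do; the network ranges are RFC 5737 placeholders standing in for the work network. TCP wrappers only apply if sshd was built against libwrap (`ldd /usr/sbin/sshd | grep wrap` shows it), otherwise use the router or iptables for the same restriction.

```shell
#!/bin/sh
# Added example (not from the thread): the sshd_config settings from posts #1,
# #5 and #9 in one place, with an audit function to confirm they took.
# Assumptions: OpenSSH keywords; RFC 5737 placeholder networks.

# Print one line per weak setting; print nothing when the file is clean.
# sshd uses the FIRST occurrence of each keyword, so the audit does too.
# Comments and blank lines are skipped; a Match block ends the global section.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        /^[ \t]*[Mm]atch/     { exit }   # per-user blocks are out of scope here
        {
            k = tolower($1)
            if (!(k in val)) val[k] = tolower($2)
        }
        END {
            if (!("permitrootlogin" in val) || val["permitrootlogin"] == "yes")
                print "PermitRootLogin is yes: set it to no and su/sudo after logging in"
            if (!("protocol" in val) || val["protocol"] != "2")
                print "Protocol allows SSH-1: set Protocol 2"
            if (!("passwordauthentication" in val) || val["passwordauthentication"] == "yes")
                print "PasswordAuthentication is yes: set it to no once key logins work"
            if (!("port" in val) || val["port"] == "22")
                print "Port 22: moving it hides sshd only from the laziest scanners"
        }' "$1"
}

# Constructed before/after pair plus the TCP wrappers files.
# Prints the directory they were written to.
write_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.weak" <<'EOF'
# stock-looking config: everything the thread warns about
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$d/sshd_config.hardened" <<'EOF'
Port 4022
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# on systems using PAM also disable keyboard-interactive password prompts:
ChallengeResponseAuthentication no
EOF
    # TCP wrappers (post #5): deny sshd to everyone, then allow only the work
    # network and one fixed address. Needs an sshd built with libwrap.
    cat > "$d/hosts.deny" <<'EOF'
sshd: ALL
EOF
    cat > "$d/hosts.allow" <<'EOF'
sshd: 192.0.2.0/255.255.255.0 203.0.113.5
EOF
    echo "$d"
}

d=$(write_sample_configs)
echo "== weak =="
audit_sshd_config "$d/sshd_config.weak"
echo "== hardened =="
audit_sshd_config "$d/sshd_config.hardened"
```

    Before restarting sshd with the edited file, run `sshd -t` to have it check the syntax, and keep your existing session open until a second login on the new port and with the key succeeds; otherwise a typo locks you out of the home box from work. Moving the port is worth doing for the log noise, not as security: the tcp wrappers or router rule is what actually stops the attempts reaching sshd.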
