Koozali.org: home of the SME Server

Unexpected restart

funkusmunkus
« on: November 29, 2005, 02:50:18 AM »
Hi everyone,

I sometimes administer a remote server in a very small office we have. The method I use is logging on to https://servername/server-manager and enabling ssh, then logging on as root using PuTTY and doing what I need to do; when I’m done I disable ssh, and that’s the end of that. Mind you, the server is behind a firewall with only ports 22 and 443 forwarded to it, is in server-only mode, and is only a file server.
However, last week when I was done I forgot to disable ssh, and found quite a few attempts to break in using all sorts of names and from different IP addresses. Normally I would assume that there wasn’t a problem (the password is very strong) and go on with my daily work, but when I was looking through server-manager with the sysmon contrib I noticed that the server had recently been restarted (15 hours before). I thought it might have been a blackout, but I checked the proxy server that is plugged into the same power supply as the other one, did an uptime, and found out it wasn’t a blackout.
I’m getting a little nervous, reinstalling the server is an option I’m considering, but only as a last resort.
Here’s a sample of the “messages” log file just before it restarted:

Code:

Nov 27 16:01:06 master sshd[24216]: Failed password for root from 200.204.183.250 port 53960 ssh2
Nov 27 16:01:11 master sshd[24218]: Failed password for root from 200.204.183.250 port 53989 ssh2
Nov 27 16:01:16 master sshd[24220]: Failed password for root from 200.204.183.250 port 54017 ssh2
Nov 27 16:01:21 master sshd[24222]: Failed password for root from 200.204.183.250 port 54045 ssh2
Nov 27 16:01:26 master sshd[24224]: Failed password for root from 200.204.183.250 port 54074 ssh2
Nov 27 16:01:31 master sshd[24226]: Failed password for root from 200.204.183.250 port 54102 ssh2
Nov 27 16:01:36 master sshd[24228]: Failed password for root from 200.204.183.250 port 54132 ssh2
Nov 27 16:01:42 master sshd[24230]: Failed password for root from 200.204.183.250 port 54162 ssh2
Nov 27 16:01:49 master sshd[24232]: Failed password for root from 200.204.183.250 port 54594 ssh2
Nov 27 16:01:57 master sshd[24234]: Failed password for root from 200.204.183.250 port 55112 ssh2
Nov 27 16:02:09 master sshd[24236]: Failed password for root from 200.204.183.250 port 56037 ssh2
Nov 27 17:11:25 master syslogd 1.4.1: restart.
Nov 27 17:11:25 master syslog: syslogd startup succeeded
Nov 27 17:11:25 master syslog: ^[[60G
Nov 27 17:11:25 master syslog:
Nov 27 17:11:25 master syslog: Starting kernel logger:
Nov 27 17:11:25 master kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov 27 17:11:25 master kernel: Inspecting /boot/System.map-2.4.20-18.7smp
Nov 27 17:11:25 master syslog: klogd startup succeeded
Nov 27 17:11:25 master syslog: ^[[60G
Nov 27 17:11:25 master syslog:
Nov 27 17:11:25 master rc: Starting syslog:  succeeded


So as you can see I’m not sure why the server restarted.
Any ideas?? I’m sure it’s nothing, but better safe than sorry.
And just to finish it off, I’m already in the process of implementing private keys for ssh, and I’m currently installing the latest updates using yum.

(SME 6.0.1 mostly up to date, using the updates mentioned in the SMEPLUS script, but not using the script itself)

cheers
.........
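A triage pass over a `messages` excerpt like the one in the post above, as an added example that is not part of the original thread: it counts failed sshd logins per source address, flags any accepted login from an address that had already failed, and measures how long the log was silent before each `syslogd ... restart` line. The function name `triage`, the `year` parameter (syslog timestamps carry no year) and the result keys are assumptions of this sketch; the sample lines are copied from the excerpt.

```python
import re
from collections import Counter
from datetime import datetime

# Four lines copied from the excerpt in the post (sample input for a stand-alone run).
SAMPLE = """\
Nov 27 16:01:57 master sshd[24234]: Failed password for root from 200.204.183.250 port 55112 ssh2
Nov 27 16:02:09 master sshd[24236]: Failed password for root from 200.204.183.250 port 56037 ssh2
Nov 27 17:11:25 master syslogd 1.4.1: restart.
Nov 27 17:11:25 master syslog: syslogd startup succeeded
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
AUTH = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user |illegal user )?(\S+) from (\S+)")
RESTART = re.compile(r"syslogd [\d.]+: restart")

def triage(text, year=2005):
    """Summarise sshd password events and syslogd restarts in a messages log."""
    failed, accepted, flagged, restarts = Counter(), [], [], []
    prev = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation or empty message line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        a = AUTH.search(msg)
        if a and a.group(1) == "Failed":
            failed[a.group(3)] += 1
        elif a:
            event = (ts, a.group(2), a.group(3))
            accepted.append(event)
            if failed[a.group(3)]:
                # success from an address that was guessing earlier in the log
                flagged.append(event)
        elif RESTART.match(msg):
            # gap = time since the previous log line, i.e. how long the log was silent
            restarts.append((ts, ts - prev if prev else None))
        prev = ts
    return {"failed": failed, "accepted": accepted,
            "flagged": flagged, "restarts": restarts}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("failed per source:", dict(result["failed"]))
    print("accepted logins:", result["accepted"])
    for ts, gap in result["restarts"]:
        print(f"syslogd restart at {ts}, log silent for {gap} beforehand")
```

Run against the full log rather than an excerpt, since an accepted login can sit well before the lines nearest the restart.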

MSmith
« Reply #1 on: November 29, 2005, 10:29:20 PM »
Install rkhunter & check the box out.  Are you sure it's a whole system restart and not just some logging daemons respawning?
...

funkusmunkus
« Reply #2 on: November 30, 2005, 01:08:16 AM »
Hi MSmith,

A fully up-to-date rkhunter was already installed; I ran it and it came up clean, but I didn’t think that was enough.
And yes, the server definitely did reboot.

Thanks for getting back to me, by the way; lately it seems that my posts get overlooked  :roll:

Cheers
.........