Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: funkusmunkus on September 06, 2004, 04:58:51 AM
-
Hi all,
I just found a whole bunch of these in my logs:
Sep 4 21:06:03 servername sshd(pam_unix)[4255]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=221.12.11.118 user=admin
Sep 4 21:06:05 servername sshd[4255]: Failed password for admin from 221.12.11.118 port 33967 ssh2
Sep 4 21:06:06 servername sshd[4255]: Received disconnect from 221.12.11.118: 11: Bye Bye
Sep 4 21:06:08 servername sshd[4256]: Could not reverse map address 221.12.11.118
But every time it said failed password and no record of any logon.
So could I guess that they failed?
I mean, if they did access my server and decided to edit the logs, then they would have taken out the failed attempts as well.
-
There are a bunch of SSH programs that hackers use to try to find unsecure boxes. They try standard user names and common passwords. Not much to do about it, but have strong passwords.
HTH
-
Yeah, I thought it was something like that, but I thought acid/snort would pick up the attempts in its alerts, but nothing.
Anyway, I have a pretty good password; as long as it's impossible to guess and it gets changed every few months, I take it I should be all right.
-
You could also disable Public ssh access and just use VPN/Private ssh access. Nice and secure then.
-
Well Ray, I took your advice and disabled remote SSH on both machines.
I also found another few logon attempts today, but instead of being root and admin, it was test and guest.
Worms on drone machines are a menace to us all, but give people like me more work ;-)
-
Well Ray, after getting home and going through my server logs I decided that I'll definitely take your advice. I had 2 and a half hours of ssh2 login attempts, at 3 attempts per 10 seconds, trying to access the root account :P
Of course the password is really hard to guess, and rkhunter didn't report any changes, so I'm safe for another day.
But damn it, acid snort didn't report anything at all; I may not have installed it correctly.
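-
Added example, not part of the original thread or any poster's code: the check the first post asks about, run over sshd lines in the format quoted above. It counts failed passwords per source address, flags the 3-attempts-per-10-seconds pace mentioned in the last post, and lists any accepted login from an address that also had failures. The sample lines, the addresses, the year default and the function name `analyse` are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format quoted in the thread
# (192.0.2.x and 198.51.100.x are documentation addresses, not real hosts).
SAMPLE_LOG = """\
Sep  4 21:06:05 servername sshd[4255]: Failed password for admin from 192.0.2.10 port 33967 ssh2
Sep  4 21:06:08 servername sshd[4257]: Failed password for root from 192.0.2.10 port 33970 ssh2
Sep  4 21:06:11 servername sshd[4259]: Failed password for illegal user test from 192.0.2.10 port 33975 ssh2
Sep  4 21:06:14 servername sshd[4261]: Failed password for illegal user guest from 192.0.2.10 port 33979 ssh2
Sep  4 22:15:40 servername sshd[4300]: Failed password for admin from 198.51.100.7 port 40100 ssh2
Sep  4 22:15:52 servername sshd[4300]: Accepted password for admin from 198.51.100.7 port 40100 ssh2
"""

# Older OpenSSH logs unknown accounts as "illegal user", newer as "invalid user".
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def analyse(log_text, year=2004, window=timedelta(seconds=10), burst=3):
    """Per source IP: failure count, usernames tried, burst flag, accepted logins."""
    report = defaultdict(lambda: {"failed": 0, "users": set(),
                                  "burst": False, "accepted": []})
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # pam_unix, disconnect and reverse-map lines are skipped
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = report[m["ip"]]
        if m["result"] == "Accepted":
            # Record (user, failures seen so far from this source) for review.
            entry["accepted"].append((m["user"], entry["failed"]))
            continue
        entry["failed"] += 1
        entry["users"].add(m["user"])
        stamps = recent[m["ip"]]
        stamps.append(when)
        while when - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) >= burst:
            entry["burst"] = True
    return dict(report)

if __name__ == "__main__":
    for ip, e in analyse(SAMPLE_LOG).items():
        print(ip, e["failed"], sorted(e["users"]), e["burst"], e["accepted"])
```

An empty `accepted` list for a source only says what the log contains; as the first post notes, it cannot rule out a log that was edited after the fact, which is why the file-integrity check mentioned later in the thread is a separate step.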