[Logwatch] Under attack...

MrC lists-logwatch at cappella.us
Thu Feb 15 09:47:43 MST 2007



> -----Original Message-----
> From: Jim Douglas
> Subject: [Logwatch] Under attack...
> 
> I am under attack and was hoping someone could help assess if there 
> was a successful break-in or not...and the best course of action.
> 

This is normal when you have your ssh port on your firewall open.  The
script kiddies are relentless.


> When it says "Illegal users from:" does this mean they were 
> successful in logging onto my server?

No.  Notice the hostname/IP also appears as Authentication FAILURES below.

> 
> I have these entries in my log file,
> 
> sshd:
>     Authentication Failures:
>        unknown (24.214.208.54): 317 Time(s)
>        root (24.214.208.54): 38 Time(s)
>        unknown (125.22.244.88): 23 Time(s)
>        mail (24.214.208.54): 2 Time(s)
>        ftp (125.22.244.88): 1 Time(s)
>        ftp (24.214.208.54): 1 Time(s)
>        operator (24.214.208.54): 1 Time(s)
>        postfix (125.22.244.88): 1 Time(s)
>        root (125.22.244.88): 1 Time(s)
>        root (127.0.0.1): 1 Time(s)
>        tomcat (125.22.244.88): 1 Time(s)
>     Invalid Users:
>        Unknown Account: 340 Time(s)
> 
> 
> ---------------------- pam_unix End -------------------------
> 
> --------------------- SSHD Begin ------------------------
> 
> Failed logins from:
>     24.214.208.54 (user-24-214-208-54.knology.net): 42 times
>     125.22.244.88 (dsl-TN-static-088.244.22.125.airtelbroadband.in): 4 times
>     127.0.0.1 (localhost.localdomain): 1 time
> 
> Illegal users from:
>     24.214.208.54 (user-24-214-208-54.knology.net): 317 times
>     125.22.244.88 (dsl-TN-static-088.244.22.125.airtelbroadband.in): 23 times
> 
> Users logging in through sshd:
>     nx:
>        216.229.21.70 (ip-26-39-21-70.hqglobal.net): 2 times
>     root:
>        127.0.0.1 (localhost.localdomain): 2 times

These users did log in.  Do you expect these two?

Do you have AllowUsers and AllowGroups configured?  You should.

And do you have "PermitRootLogin no"?  You should.

Only allow non-root users access, and those that need root can use "sudo" or
"su".


> 
> Received disconnect:
>     11: Bye Bye : 385 Time(s)
> 
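To turn the Logwatch categories back into the question that matters (did anyone actually open a session?), here is an added example that is not part of the original thread: a POSIX shell script that groups raw OpenSSH syslog lines the way the SSHD section above does. The log lines, hostname, PIDs and addresses (198.51.100.7, 203.0.113.9, 127.0.0.1) are constructed for the example; point LOG at the real /var/log/secure or /var/log/auth.log to run it on a live box.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce Logwatch's SSHD
# grouping from raw sshd syslog lines and answer "did anyone get in?".
# The log below is constructed; hostname, PIDs and addresses are placeholders.
export LC_ALL=C

LOG=${TMPDIR:-/tmp}/sshd-triage-sample.log
cat >"$LOG" <<'EOF'
Feb 14 03:12:01 host sshd[1234]: Invalid user admin from 198.51.100.7
Feb 14 03:12:01 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 52011 ssh2
Feb 14 03:12:02 host sshd[1235]: Invalid user test from 198.51.100.7
Feb 14 03:12:02 host sshd[1235]: Failed password for invalid user test from 198.51.100.7 port 52013 ssh2
Feb 14 03:12:05 host sshd[1236]: Failed password for root from 198.51.100.7 port 52020 ssh2
Feb 14 03:12:07 host sshd[1237]: Failed password for root from 198.51.100.7 port 52021 ssh2
Feb 14 03:12:09 host sshd[1238]: Failed password for mail from 198.51.100.7 port 52022 ssh2
Feb 14 03:12:10 host sshd[1238]: Received disconnect from 198.51.100.7: 11: Bye Bye
Feb 14 08:00:10 host sshd[1300]: Accepted publickey for nx from 203.0.113.9 port 40011 ssh2
Feb 14 08:01:00 host sshd[1302]: Accepted password for root from 127.0.0.1 port 50000 ssh2
EOF

# "Illegal users from:" = sshd's "Invalid user" lines: the name does not exist
# here, so the attempt was rejected before any password was even checked.
illegal_users() { grep -c 'sshd\[[0-9]*\]: Invalid user ' "$1" || true; }

# "Failed logins from:" = password failures for accounts that DO exist
# (Logwatch counts the invalid-user failures under "Illegal users" instead).
failed_logins() {
    grep 'sshd\[[0-9]*\]: Failed password for ' "$1" | grep -vc ' for invalid user ' || true
}

# "Users logging in through sshd:" = "Accepted" lines. Only these mean a
# session was opened; this is the list to check against the users you expect.
accepted_logins() { grep -c 'sshd\[[0-9]*\]: Accepted ' "$1" || true; }

# user@source for every accepted login, deduplicated.
accepted_pairs() {
    sed -n 's/.*sshd\[[0-9]*\]: Accepted [a-z-]* for \([^ ]*\) from \([^ ]*\) .*/\1@\2/p' "$1" | sort -u
}

# Sources that guessed non-existent names AND later had a login accepted.
# Any output here is the case that needs a real investigation.
guessers_that_got_in() {
    sed -n 's/.*Invalid user [^ ]* from \([^ ]*\).*/\1/p' "$1" | sort -u >"$1.guessers"
    sed -n 's/.*Accepted [a-z-]* for [^ ]* from \([^ ]*\) .*/\1/p' "$1" | sort -u >"$1.accepted"
    comm -12 "$1.guessers" "$1.accepted"
    rm -f "$1.guessers" "$1.accepted"
}

printf 'illegal users: %s\nfailed logins (existing accounts): %s\naccepted logins: %s\n' \
    "$(illegal_users "$LOG")" "$(failed_logins "$LOG")" "$(accepted_logins "$LOG")"
printf 'sessions opened (user@source):\n'; accepted_pairs "$LOG"
printf 'guessing sources that later got in:\n'; guessers_that_got_in "$LOG"
```

On the sample the guessing source never appears in an "Accepted" line, which is the situation in the report above: the break-in question is answered by the "Users logging in through sshd" list alone, not by the size of the "Illegal users" count.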


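The two sshd_config settings recommended in the reply (PermitRootLogin no, plus an AllowUsers or AllowGroups list) are easy to get subtly wrong, so here is an added example, not from the original thread or from OpenSSH itself, that audits a config file for them. The three config files are constructed; the user names nx and jim and the group sshusers are placeholders. The third file shows a trap worth knowing: sshd takes the first value it reads for each keyword, so a "PermitRootLogin no" appended at the bottom does nothing if an earlier line says yes.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# two settings recommended above (PermitRootLogin no; an AllowUsers or
# AllowGroups list). The three configs below are constructed; the user and
# group names in them are placeholders.
export LC_ALL=C
DIR=${TMPDIR:-/tmp}

WEAK=$DIR/sshd_config.weak      # stock-style file: root login left at its default
cat >"$WEAK" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF

HARDENED=$DIR/sshd_config.hardened
cat >"$HARDENED" <<'EOF'
PermitRootLogin no
AllowUsers nx jim
AllowGroups sshusers
PasswordAuthentication yes
EOF

# Looks hardened at a glance, but sshd uses the FIRST value of each keyword,
# so the trailing "PermitRootLogin no" is ignored, and root is in AllowUsers.
MISLEADING=$DIR/sshd_config.misleading
cat >"$MISLEADING" <<'EOF'
PermitRootLogin yes
AllowUsers root jim
PermitRootLogin no
EOF

# Print one finding per line; no output means both checks pass.
audit_sshd_config() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }          # comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are conditional; audit the global section only
        {
            key = tolower($1)
            if (key in val) next              # first occurrence wins, as in sshd
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            val[key] = v
        }
        END {
            if (tolower(val["permitrootlogin"]) != "no")
                print "PermitRootLogin is not \"no\" (set it; use sudo/su after a non-root login)"
            if (!("allowusers" in val) && !("allowgroups" in val))
                print "no AllowUsers/AllowGroups: every local account is a valid ssh target"
            # plain names only; user@host patterns are not parsed here
            if (("allowusers" in val) && (" " tolower(val["allowusers"]) " ") ~ / root /)
                print "AllowUsers lists root; only non-root users should be allowed in"
        }' "$1"
}

# Number of findings, for scripting (0 = passes both checks).
audit_findings_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

for f in "$WEAK" "$HARDENED" "$MISLEADING"; do
    printf '== %s: %s finding(s)\n' "$f" "$(audit_findings_count "$f")"
    audit_sshd_config "$f"
done
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; remember to restart or reload sshd after editing, and keep an existing session open while you test a new AllowUsers line so a typo does not lock you out.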
