Solved

Repeated failed logins from unauthorized / unknown sources

Posted on 2004-11-12
Medium Priority
497 Views
Last Modified: 2011-09-20
Regularly I see the following in my logs on a Fedora Core 2 box that acts as a DNS server. I assume it's a script kiddie trying to hack my box, but what should I do to ensure that I am as protected as possible? I've set IPTables to firewall off every port that I don't need accessible, and turned off as many services as I can.

------------------------------------------------------------------
Failed logins from these:
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   adm/password from ::ffff:81.28.189.147: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   apache/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   nobody/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   operator/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   root/password from ::ffff:218.21.129.105: 15 Time(s)
   root/password from ::ffff:61.250.140.187: 5627 Time(s)
   root/password from ::ffff:81.28.189.147: 295 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)

Illegal users from these:
   account/none from ::ffff:81.28.189.147: 5 Time(s)
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/none from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   admin/none from ::ffff:218.21.129.105: 10 Time(s)
   admin/none from ::ffff:61.250.140.187: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/none from ::ffff:81.28.189.147: 5 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/none from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/none from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/none from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/none from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/none from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/none from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/none from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/none from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/none from ::ffff:218.21.129.105: 5 Time(s)
   guest/none from ::ffff:61.250.140.187: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/none from ::ffff:81.28.189.147: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/none from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/none from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/none from ::ffff:81.28.189.147: 10 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/none from ::ffff:81.28.189.147: 5 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/none from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/none from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/none from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/none from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/none from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/none from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/none from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/none from ::ffff:81.28.189.147: 10 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/none from ::ffff:81.28.189.147: 5 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   server/none from ::ffff:81.28.189.147: 5 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/none from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/none from ::ffff:218.21.129.105: 10 Time(s)
   test/none from ::ffff:61.250.140.187: 25 Time(s)
   test/none from ::ffff:81.28.189.147: 25 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/none from ::ffff:218.21.129.105: 5 Time(s)
   user/none from ::ffff:61.250.140.187: 5 Time(s)
   user/none from ::ffff:81.28.189.147: 15 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/none from ::ffff:81.28.189.147: 10 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/none from ::ffff:81.28.189.147: 5 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/none from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/none from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/none from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)
---------------------------------------------------------------------
Question by:larsenmatth

4 Comments
 
Expert Comment

by:grblades
ID: 12566620
Hi larsenmatth,
I get these as well. I assume they are connection attempts via SSH?

Make sure you are not running telnet.
If you don't need remote access to the box then disable SSH.
If you do need remote access then I would change the SSH configuration to disable password authentication so that the only way you can gain access is with an authorised key.

Expert Comment

by:jharriss
ID: 12567400
I would also change ssh to not allow remote access to the root account.  This would slow an attacker down from totally owning your machine.  You might also want to block all access from the highest offending IP addresses using iptables.
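
The logwatch report in the question and jharriss's suggestion to block the worst sources, worked through as an added example (this is not code posted in the thread). The script reads report lines in the format shown above, totals the failures per source address, and prints iptables DROP rules for sources over a threshold. The sample lines inside it are constructed to match that format and use RFC 5737 documentation addresses, not the addresses from the question; the threshold, the rule form and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it. Summarises a
# logwatch "Failed logins" report per source address and prints iptables
# DROP rules for sources above a threshold.
# Assumed line format (from the question):
#    user/password from ::ffff:A.B.C.D: N Time(s)

# Constructed sample in that format (RFC 5737 documentation addresses, not
# the ones in the thread). A logwatch report's "Illegal users" section
# repeats the entries for accounts that do not exist, so one is included
# here to show that those lines are deliberately not counted a second time.
SAMPLE_LOG='Failed logins from these:
   admin/password from ::ffff:192.0.2.10: 10 Time(s)
   root/password from ::ffff:192.0.2.10: 5627 Time(s)
   test/password from ::ffff:192.0.2.10: 25 Time(s)
   root/password from ::ffff:198.51.100.7: 15 Time(s)
   guest/password from ::ffff:198.51.100.7: 5 Time(s)
   root/password from 203.0.113.42: 3 Time(s)

Illegal users from these:
   admin/none from ::ffff:192.0.2.10: 10 Time(s)
   admin/password from ::ffff:192.0.2.10: 10 Time(s)
   test/none from ::ffff:192.0.2.10: 25 Time(s)
   test/password from ::ffff:192.0.2.10: 25 Time(s)
   guest/none from ::ffff:198.51.100.7: 5 Time(s)
   guest/password from ::ffff:198.51.100.7: 5 Time(s)'

# Read a report on stdin; print "ip total distinct_users", highest total first.
# "::ffff:A.B.C.D" is an IPv4-mapped IPv6 address: sshd accepted the TCP
# connection on a dual-stack (IPv6) socket, so the prefix is stripped to
# recover the IPv4 peer that an iptables rule has to match.
summarize_failed_logins() {
    awk '
        /^Failed logins from these:/ { in_section = 1; next }
        /^[^ \t]/                    { in_section = 0 }   # any other header ends it
        in_section && / from .*: [0-9]+ Time\(s\)$/ {
            ip = $3                        # "::ffff:A.B.C.D:" with a trailing colon
            sub(/^::ffff:/, "", ip)
            sub(/:$/, "", ip)
            split($1, acct, "/")           # acct[1] is the user name tried
            total[ip] += $4
            if (!((ip SUBSEP acct[1]) in seen)) {
                seen[ip SUBSEP acct[1]] = 1
                users[ip]++
            }
        }
        END { for (ip in total) printf "%s %d %d\n", ip, total[ip], users[ip] }
    ' | sort -k2,2nr
}

# Read a report on stdin; print (do not run) DROP rules for sources whose
# failure count exceeds $1. Review the list, then run the lines as root.
block_rules() {
    summarize_failed_logins | awk -v threshold="$1" '
        $2 > threshold { printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $1 }
    '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_failed_logins
printf '%s\n' "$SAMPLE_LOG" | block_rules 100
```

Feed it a real report with `logwatch --service sshd --print | sh this_script.sh` style piping only after replacing the embedded sample; the per-source total (thousands of root attempts from one address against a handful per account) is the useful signal, while the DROP list only keeps out sources already seen, so it is a stopgap rather than a fix.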

Author Comment

by:larsenmatth
ID: 12567821
grblades,

You are correct.  These are ssh connection attempts.  I've disallowed root access via ssh, and didn't have telnet running.  I'd like to learn more about using an authorised key for access.  Do you have any info for me as to where I can find more about this?  I'm not familiar with it.

I don't know that using iptables to block the offending machine is the answer because it comes from a different machine every day.

Accepted Solution

by:grblades (earned 1000 total points)
ID: 12568143
Here are a few links on generating keys and installing them :-

http://www-106.ibm.com/developerworks/library/l-keyc.html
http://acd.ucar.edu/~fredrick/mpark/ssh/rsa-unix.html
http://www.puddingonline.com/~dave/publications/SSH-with-Keys-HOWTO/document/html-one-page/SSH-with-Keys-HOWTO.html

Once the keys are set up and working, edit /etc/ssh/sshd_config and change the following line so it has 'no' at the end:-
PasswordAuthentication no
Restart sshd (/etc/init.d/sshd restart) and now only key authentication will be permitted.
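
The procedure from grblades' two comments (install a key, then set PasswordAuthentication to no and restart sshd) as an added example; this is not code from the answer or from the HOWTOs it links. It assumes OpenSSH's sshd_config format of one "Keyword value" directive per line, works on a constructed sample file in a scratch directory, and adds the directives a practitioner would want alongside the answer's one (PermitRootLogin, ChallengeResponseAuthentication, Protocol); those additions, the function names and the sample key text are the example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the answer or its HOWTO links.
# Applies the accepted answer's sshd_config change, with the checks around
# it, to a constructed sample config. Assumes OpenSSH's "Keyword value"
# one-directive-per-line format.

# Server side: append a public key to a user's authorized_keys with the
# modes sshd's StrictModes check requires (~/.ssh 700, authorized_keys 600).
# The client makes the pair with "ssh-keygen -t rsa" and supplies id_rsa.pub.
install_authorized_key() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    cat "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Effective value of a directive: sshd uses the first uncommented match,
# so that is what is printed (nothing if the directive is absent).
sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Set a directive: replace every active or commented-out line for it
# (keywords are case-insensitive) with one active line, or append it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The answer's change plus the directives that otherwise leave a password
# path open: with UsePAM, keyboard-interactive prompts still ask for a
# password while ChallengeResponseAuthentication is yes, and protocol 1
# should be off. Run this only after a key login has been tested, then
# restart sshd (/etc/init.d/sshd restart, as in the answer) and confirm a
# new session works before closing the one you are in.
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# Constructed sample with the permissive settings the thread is about.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real distribution file
Port 22
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
'

# Demo in a scratch directory; no real system file is touched.
demo_dir=${TMPDIR:-/tmp}/sshd-harden-demo.$$
mkdir -p "$demo_dir/home"
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$demo_dir/sshd_config"
# constructed placeholder, not a usable key
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexample== user@client\n' > "$demo_dir/id_rsa.pub"
install_authorized_key "$demo_dir/home" "$demo_dir/id_rsa.pub"
harden_sshd_config "$demo_dir/sshd_config"
for k in Protocol PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
    printf '%s = %s\n' "$k" "$(sshd_option "$demo_dir/sshd_config" "$k")"
done
rm -rf "$demo_dir"
```

Order matters: install the key and confirm that `ssh -o PasswordAuthentication=no user@host` logs in before running the hardening step, or the next lockout is your own. The Protocol directive is what mattered on a 2004-era sshd; current OpenSSH releases have removed protocol 1 and ignore the keyword with a deprecation notice.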