Repeated failed logins from unauthorized / unknown sources

Regularly I see the following in my logs on a Fedora Core 2 box that acts as a DNS server. I assume it's a script kiddie trying to hack my box, but what should I do to ensure that I am as protected as possible? I've set IPTables to firewall off every port that I don't need accessible, and turned off as many services as I can.

------------------------------------------------------------------
Failed logins from these:
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   adm/password from ::ffff:81.28.189.147: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   apache/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   nobody/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   operator/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   root/password from ::ffff:218.21.129.105: 15 Time(s)
   root/password from ::ffff:61.250.140.187: 5627 Time(s)
   root/password from ::ffff:81.28.189.147: 295 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)

Illegal users from these:
   account/none from ::ffff:81.28.189.147: 5 Time(s)
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/none from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   admin/none from ::ffff:218.21.129.105: 10 Time(s)
   admin/none from ::ffff:61.250.140.187: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/none from ::ffff:81.28.189.147: 5 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/none from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/none from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/none from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/none from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/none from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/none from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/none from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/none from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/none from ::ffff:218.21.129.105: 5 Time(s)
   guest/none from ::ffff:61.250.140.187: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/none from ::ffff:81.28.189.147: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/none from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/none from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/none from ::ffff:81.28.189.147: 10 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/none from ::ffff:81.28.189.147: 5 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/none from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/none from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/none from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/none from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/none from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/none from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/none from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/none from ::ffff:81.28.189.147: 10 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/none from ::ffff:81.28.189.147: 5 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   server/none from ::ffff:81.28.189.147: 5 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/none from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/none from ::ffff:218.21.129.105: 10 Time(s)
   test/none from ::ffff:61.250.140.187: 25 Time(s)
   test/none from ::ffff:81.28.189.147: 25 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/none from ::ffff:218.21.129.105: 5 Time(s)
   user/none from ::ffff:61.250.140.187: 5 Time(s)
   user/none from ::ffff:81.28.189.147: 15 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/none from ::ffff:81.28.189.147: 10 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/none from ::ffff:81.28.189.147: 5 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/none from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/none from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/none from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)
---------------------------------------------------------------------
larsenmatth Asked:
grblades Commented:
Hi larsenmatth,
I get these as well. I assume they are connection attempts via SSH?

Make sure you are not running telnet.
If you don't need remote access to the box then disable SSH.
If you do need remote access then I would change the SSH configuration to disable password authentication so that the only way you can gain access is with an authorised key.
jharriss Commented:
I would also change ssh to not allow remote access to the root account.  This would slow an attacker down from totally owning your machine.  You might also want to block all access from the highest offending IP addresses using IP tables.
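To find the "highest offending IP addresses" mentioned above, the logwatch-style summary can be tallied per source. This is an added example, not part of the thread; the function names are hypothetical and the sample report is constructed with documentation addresses. Sections are tallied separately because the report above lists the same user/source pairs under both headings.

```shell
#!/bin/sh
# Added example: rank source addresses in a logwatch-style sshd summary.

# Constructed sample report (documentation addresses, not real hosts).
sample_report() {
cat <<'EOF'
Failed logins from these:
   admin/password from ::ffff:192.0.2.10: 10 Time(s)
   root/password from ::ffff:198.51.100.7: 5627 Time(s)
   root/password from ::ffff:192.0.2.10: 295 Time(s)
   test/password from ::ffff:203.0.113.5: 10 Time(s)

Illegal users from these:
   admin/none from ::ffff:192.0.2.10: 10 Time(s)
   admin/password from ::ffff:192.0.2.10: 10 Time(s)
EOF
}

# tally_sources SECTION < report
# Prints "count address" for one section of the report, highest count first.
tally_sources() {
    awk -v section="$1" '
        # A header line starts in column 1 and ends with a colon.
        /^[^ \t].*:[ \t]*$/ { in_section = (index($0, section) == 1); next }
        in_section && / from / {
            addr = $3                   # e.g. ::ffff:192.0.2.10:
            sub(/:$/, "", addr)         # drop the trailing colon
            sub(/^::ffff:/, "", addr)   # unwrap IPv4-mapped IPv6
            total[addr] += $4           # $4 is the attempt count
        }
        END { for (a in total) print total[a], a }
    ' | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
sample_report | tally_sources "Failed logins"
```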
larsenmatth Author Commented:
grblades,

You are correct. These are ssh connection attempts. I've disallowed root access via ssh, and didn't have telnet running. I'd like to learn more about using an authorised key for access. Do you have any info for me as to where I can find more about this? I'm not familiar with it.

I don't know that using IP tables to block the offending machine is the answer because it comes from a different machine everyday.
grblades Commented:
Here are a few links on generating keys and installing them :-

http://www-106.ibm.com/developerworks/library/l-keyc.html
http://acd.ucar.edu/~fredrick/mpark/ssh/rsa-unix.html
http://www.puddingonline.com/~dave/publications/SSH-with-Keys-HOWTO/document/html-one-page/SSH-with-Keys-HOWTO.html

Once the keys are set up and working, edit /etc/ssh/sshd_config and edit the following line so it has 'no' at the end:-
PasswordAuthentication no
Restart SSHD (/etc/init.d/sshd restart) and now only key authentication will be permitted.
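After editing sshd_config as described above, it is worth checking which value actually applies: sshd uses the first occurrence of a keyword, so a "no" appended below an existing "yes" has no effect. The following is an added example, not part of the thread; it checks the PasswordAuthentication setting from this comment and the root login setting suggested earlier. The function names and sample files are hypothetical, and treating an absent keyword as a failure is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two settings
# suggested above. File names and sample configs are constructed.

# effective_value KEYWORD FILE: print the value from the global section of FILE.
# Keywords are case-insensitive, the first occurrence wins, and a Match line
# ends the global section. Prints "unset" if the keyword never appears there.
effective_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/ { next }                  # comment
        /^[ \t]*$/ { next }                  # blank
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == want && n >= 2) { val = tolower(f[2]); exit }
        }
        END { print val }
    ' "$2"
}

# audit_sshd FILE: exit status 0 only if both settings are "no".
# "unset" counts as a failure here (assumption: do not rely on defaults).
audit_sshd() {
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        v=$(effective_value "$kw" "$1")
        if [ "$v" = "no" ]; then echo "ok    $kw $v"
        else echo "FAIL  $kw $v (want no)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: in appended.conf the "no" was added below an existing
# "yes", so the earlier line still applies.
write_samples() {
    printf '%s\n' '#PasswordAuthentication no' 'PasswordAuthentication yes' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$1/appended.conf"
    printf '%s\n' '# hardened' 'passwordauthentication no' \
        'PermitRootLogin no' > "$1/hardened.conf"
}

dir=$(mktemp -d) && write_samples "$dir"
audit_sshd "$dir/appended.conf" || echo "appended.conf: not hardened"
audit_sshd "$dir/hardened.conf" && echo "hardened.conf: hardened"
rm -rf "$dir"
```

Point it at the real file with `audit_sshd /etc/ssh/sshd_config`; settings placed only inside a Match block are reported as unset because they do not apply globally.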
