larsenmatth

Repeated failed logins from unauthorized / unknown sources

Regularly I see the following in my logs on a Fedora Core 2 box that acts as a DNS server.  I assume it's a script kiddie trying to hack my box, but what should I do to ensure that I am as protected as possible?  I've set IPTables to firewall off every port that I don't need accessible, and turned off as many services as I can.

------------------------------------------------------------------
Failed logins from these:
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   adm/password from ::ffff:81.28.189.147: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   apache/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   nobody/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   operator/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   root/password from ::ffff:218.21.129.105: 15 Time(s)
   root/password from ::ffff:61.250.140.187: 5627 Time(s)
   root/password from ::ffff:81.28.189.147: 295 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)

Illegal users from these:
   account/none from ::ffff:81.28.189.147: 5 Time(s)
   account/password from ::ffff:81.28.189.147: 5 Time(s)
   adam/none from ::ffff:81.28.189.147: 5 Time(s)
   adam/password from ::ffff:81.28.189.147: 5 Time(s)
   admin/none from ::ffff:218.21.129.105: 10 Time(s)
   admin/none from ::ffff:61.250.140.187: 10 Time(s)
   admin/password from ::ffff:218.21.129.105: 10 Time(s)
   admin/password from ::ffff:61.250.140.187: 10 Time(s)
   alan/none from ::ffff:81.28.189.147: 5 Time(s)
   alan/password from ::ffff:81.28.189.147: 5 Time(s)
   backup/none from ::ffff:81.28.189.147: 5 Time(s)
   backup/password from ::ffff:81.28.189.147: 5 Time(s)
   cip51/none from ::ffff:81.28.189.147: 5 Time(s)
   cip51/password from ::ffff:81.28.189.147: 5 Time(s)
   cip52/none from ::ffff:81.28.189.147: 5 Time(s)
   cip52/password from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/none from ::ffff:81.28.189.147: 5 Time(s)
   cosmin/password from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/none from ::ffff:81.28.189.147: 5 Time(s)
   cyrus/password from ::ffff:81.28.189.147: 5 Time(s)
   data/none from ::ffff:81.28.189.147: 5 Time(s)
   data/password from ::ffff:81.28.189.147: 5 Time(s)
   frank/none from ::ffff:81.28.189.147: 5 Time(s)
   frank/password from ::ffff:81.28.189.147: 5 Time(s)
   george/none from ::ffff:81.28.189.147: 5 Time(s)
   george/password from ::ffff:81.28.189.147: 5 Time(s)
   guest/none from ::ffff:218.21.129.105: 5 Time(s)
   guest/none from ::ffff:61.250.140.187: 5 Time(s)
   guest/password from ::ffff:218.21.129.105: 5 Time(s)
   guest/password from ::ffff:61.250.140.187: 5 Time(s)
   henry/none from ::ffff:81.28.189.147: 5 Time(s)
   henry/password from ::ffff:81.28.189.147: 5 Time(s)
   horde/none from ::ffff:81.28.189.147: 5 Time(s)
   horde/password from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/none from ::ffff:81.28.189.147: 5 Time(s)
   iceuser/password from ::ffff:81.28.189.147: 5 Time(s)
   irc/none from ::ffff:81.28.189.147: 10 Time(s)
   irc/password from ::ffff:81.28.189.147: 10 Time(s)
   jane/none from ::ffff:81.28.189.147: 5 Time(s)
   jane/password from ::ffff:81.28.189.147: 5 Time(s)
   john/none from ::ffff:81.28.189.147: 5 Time(s)
   john/password from ::ffff:81.28.189.147: 5 Time(s)
   master/none from ::ffff:81.28.189.147: 5 Time(s)
   master/password from ::ffff:81.28.189.147: 5 Time(s)
   matt/none from ::ffff:81.28.189.147: 5 Time(s)
   matt/password from ::ffff:81.28.189.147: 5 Time(s)
   mysql/none from ::ffff:81.28.189.147: 5 Time(s)
   mysql/password from ::ffff:81.28.189.147: 5 Time(s)
   noc/none from ::ffff:81.28.189.147: 5 Time(s)
   noc/password from ::ffff:81.28.189.147: 5 Time(s)
   oracle/none from ::ffff:81.28.189.147: 5 Time(s)
   oracle/password from ::ffff:81.28.189.147: 5 Time(s)
   pamela/none from ::ffff:81.28.189.147: 5 Time(s)
   pamela/password from ::ffff:81.28.189.147: 5 Time(s)
   patrick/none from ::ffff:81.28.189.147: 10 Time(s)
   patrick/password from ::ffff:81.28.189.147: 10 Time(s)
   rolo/none from ::ffff:81.28.189.147: 5 Time(s)
   rolo/password from ::ffff:81.28.189.147: 5 Time(s)
   server/none from ::ffff:81.28.189.147: 5 Time(s)
   server/password from ::ffff:81.28.189.147: 5 Time(s)
   sybase/none from ::ffff:81.28.189.147: 5 Time(s)
   sybase/password from ::ffff:81.28.189.147: 5 Time(s)
   test/none from ::ffff:218.21.129.105: 10 Time(s)
   test/none from ::ffff:61.250.140.187: 25 Time(s)
   test/none from ::ffff:81.28.189.147: 25 Time(s)
   test/password from ::ffff:218.21.129.105: 10 Time(s)
   test/password from ::ffff:61.250.140.187: 25 Time(s)
   test/password from ::ffff:81.28.189.147: 25 Time(s)
   user/none from ::ffff:218.21.129.105: 5 Time(s)
   user/none from ::ffff:61.250.140.187: 5 Time(s)
   user/none from ::ffff:81.28.189.147: 15 Time(s)
   user/password from ::ffff:218.21.129.105: 5 Time(s)
   user/password from ::ffff:61.250.140.187: 5 Time(s)
   user/password from ::ffff:81.28.189.147: 15 Time(s)
   web/none from ::ffff:81.28.189.147: 10 Time(s)
   web/password from ::ffff:81.28.189.147: 10 Time(s)
   webmaster/none from ::ffff:81.28.189.147: 5 Time(s)
   webmaster/password from ::ffff:81.28.189.147: 5 Time(s)
   www-data/none from ::ffff:81.28.189.147: 5 Time(s)
   www-data/password from ::ffff:81.28.189.147: 5 Time(s)
   www/none from ::ffff:81.28.189.147: 5 Time(s)
   www/password from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/none from ::ffff:81.28.189.147: 5 Time(s)
   wwwrun/password from ::ffff:81.28.189.147: 5 Time(s)
---------------------------------------------------------------------
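The report above is logwatch-style output, and the totals say where the pressure comes from: three sources, one of them responsible for well over five thousand attempts against root alone. The script below is an added example, not part of the thread, that sums the "Failed logins" entries per source address, flags the sources over a threshold, and then prints (without applying) the iptables rules an administrator might review: a per-source DROP for each flagged address plus a generic rate limit using the `recent` match. It assumes the line format shown in the report and uses constructed RFC 5737 documentation addresses rather than the thread's; it skips the "Illegal users" section, which overlaps with the first one and would double-count.

```shell
#!/bin/sh
# Added example (not from the thread): triage a logwatch-style "Failed logins"
# report per source address and print iptables rules for review.
# Assumed input format, as in the report above:
#    user/password from ::ffff:A.B.C.D: N Time(s)

# Sum the "N Time(s)" counts per source address for the "Failed logins"
# section only. Reads the report on stdin, prints "count address", highest first.
sum_by_source() {
    awk '
        /^Failed logins from these:/ { sec = 1; next }
        /^Illegal users from these:/ { sec = 0; next }
        sec && /Time\(s\)$/ {
            addr = $3
            sub(/^::ffff:/, "", addr)   # strip the IPv4-mapped IPv6 prefix
            sub(/:$/, "", addr)         # strip the trailing colon
            total[addr] += $4
        }
        END { for (a in total) printf "%d %s\n", total[a], a }
    ' | sort -rn
}

# Print the addresses whose total exceeds THRESHOLD (default 100).
# Usage: flag_sources THRESHOLD < report
flag_sources() {
    threshold="${1:-100}"
    sum_by_source | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Print rules rather than applying them: one DROP per flagged source, then a
# generic limit that drops any source opening more than 5 new SSH connections
# in 60 seconds, which also covers tomorrow's source without a hand-kept list.
suggest_rules() {
    threshold="${1:-100}"
    flag_sources "$threshold" | while read -r addr; do
        echo "iptables -A INPUT -s $addr -p tcp --dport 22 -j DROP"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP"
}

# Constructed sample in the report's format (documentation addresses, RFC 5737).
sample_report() {
    cat <<'EOF'
Failed logins from these:
   root/password from ::ffff:192.0.2.10: 5627 Time(s)
   test/password from ::ffff:192.0.2.10: 25 Time(s)
   admin/password from ::ffff:198.51.100.7: 10 Time(s)
   root/password from ::ffff:198.51.100.7: 295 Time(s)
   guest/password from ::ffff:203.0.113.9: 5 Time(s)

Illegal users from these:
   test/none from ::ffff:192.0.2.10: 25 Time(s)
   guest/none from ::ffff:203.0.113.9: 5 Time(s)
EOF
}

# Demo: set SSH_TRIAGE_DEMO=1 to run against the constructed sample;
# otherwise feed a real report on stdin to suggest_rules.
if [ -n "${SSH_TRIAGE_DEMO:-}" ]; then
    sample_report | suggest_rules 100
fi
```

With the sample, `sample_report | flag_sources 100` lists 192.0.2.10 and 198.51.100.7; 203.0.113.9, with five attempts, is left alone. Review the printed rules before running them, and put the generic `recent` rule ahead of any broad ACCEPT for port 22. On an installation as old as the one in the thread, confirm the match is available first with `iptables -m recent --help`.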
grblades

Hi larsenmatth,
I get these as well. I assume they are connection attempts via SSH?

Make sure you are not running telnet.
If you don't need remote access to the box then disable SSH.
If you do need remote access then I would change the SSH configuration to disable password authentication so that the only way you can gain access is with an authorised key.
jharriss

I would also change ssh to not allow remote access to the root account.  This would slow an attacker down from totally owning your machine.  You might also want to block all access from the highest offending IP addresses using IP tables.
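The two pieces of advice so far, no password authentication (grblades) and no direct root login (jharriss), are both single lines in sshd_config, and the usual mistake is to edit a commented-out line or to leave keyboard-interactive authentication on, through which PAM still prompts for a password. The script below is an added example, not from the thread, that reads an sshd_config, reports the settings that are still weak, and prints a hardened fragment. It assumes OpenSSH's sshd_config rules (first uncommented occurrence of a keyword wins, keywords are case-insensitive, Match blocks are ignored here) and the compiled-in defaults of the OpenSSH of that period (PasswordAuthentication, ChallengeResponseAuthentication and PermitRootLogin all default to yes); the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for password logins
# and root logins, and print a hardened fragment.
# Assumptions: OpenSSH sshd_config syntax, first match wins, Match blocks are
# not handled; defaults below are those of the OpenSSH of the thread's era.

# Effective value of KEY in FILE: first uncommented, case-insensitive match.
# Prints nothing when the keyword is absent. Usage: sshd_setting KEY FILE
sshd_setting() {
    k="$1"; f="$2"
    awk -v k="$k" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$f"
}

# True when VALUE equals one of the accepted values that follow it.
is_ok() {
    v="$1"; shift
    for a in "$@"; do [ "$v" = "$a" ] && return 0; done
    return 1
}

# Usage: check KEY DEFAULT ACCEPTED...   ($file and $findings are set by the caller)
check() {
    key="$1"; dflt="$2"; shift 2
    val="$(sshd_setting "$key" "$file" | tr 'A-Z' 'a-z')"
    [ -z "$val" ] && val="$dflt"          # absent keyword: compiled-in default applies
    if ! is_ok "$val" "$@"; then
        echo "WEAK: $key is '$val' (want $*)"
        findings=$((findings + 1))
    fi
}

# Report weak settings one per line; returns 0 only when none were found.
audit_sshd_config() {
    file="$1"; findings=0
    check PasswordAuthentication yes no
    # keyboard-interactive still asks PAM for a password unless this is off too
    check ChallengeResponseAuthentication yes no
    check PubkeyAuthentication yes yes
    # prohibit-password / without-password allow root only with a key
    check PermitRootLogin yes no prohibit-password without-password
    [ "$findings" -eq 0 ]
}

# The fragment to put in /etc/ssh/sshd_config ahead of any conflicting line.
# Protocol 2 matters on the OpenSSH of the thread's era; current releases
# dropped protocol 1 and only warn that the keyword is deprecated.
hardened_fragment() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Constructed sample resembling a stock sshd_config of the period.
weak_sample() {
    cat <<'EOF'
#PermitRootLogin yes
Protocol 2,1
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` before and after the edit; the constructed sample yields three findings, because the commented-out PermitRootLogin line counts as absent and the default is yes. Keep the fragment to keywords the installed sshd accepts, since an unknown keyword stops sshd from starting, and run `sshd -t` to validate the file before restarting the daemon, from a session you keep open until a new key-based login has succeeded.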
larsenmatth (ASKER)

grblades,

You are correct.  These are ssh connection attempts.  I've disallowed root access via ssh, and didn't have telnet running.  I'd like to learn more about using an authorised key for access.  Do you have any info for me as to where I can find more about this?  I'm not familiar with it.  

I don't know that using IP tables to block the offending machine is the answer because it comes from a different machine everyday.
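On the key question: the client generates a key pair with `ssh-keygen` (`-t rsa` works on both old and current OpenSSH; `-t ed25519` on current releases), keeps the private half, and the contents of the `.pub` file go into `~/.ssh/authorized_keys` on the server for the account being logged into. The part that most often goes wrong is permissions: with StrictModes (the default), sshd silently ignores the key when the home directory, `~/.ssh` or `authorized_keys` is writable by group or other. The script below is an added example, not from the thread, that installs a public-key line the way `ssh-copy-id` does and checks the layout sshd requires. It assumes GNU `stat` (Linux) and a constructed key string; the first argument is the target account's home directory.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key for key-based SSH
# login and verify the permissions sshd requires under StrictModes.
# Assumptions: GNU coreutils stat; the key line is what ssh-keygen wrote to
# the client's .pub file. The key used in the demo below is constructed.

# Append one public-key line to HOME/.ssh/authorized_keys with the modes sshd
# expects; a line already present is not added twice.
# Usage: install_authorized_key HOME "ssh-rsa AAAA... comment"
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
}

# Return 0 when sshd would accept the layout; otherwise print each problem
# and return 1. Group- or other-writable paths are what StrictModes rejects.
check_ssh_dir() {
    home="$1"; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1; continue
        fi
        mode="$(stat -c '%a' "$p")"
        # octal digits 2,3,6,7 carry the write bit; last two digits are group/other
        case "$mode" in
            *[2367]?|*[2367]) echo "group/other writable ($mode): $p"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Demo against a scratch directory (constructed key, not a real one).
if [ -n "${SSH_KEY_DEMO:-}" ]; then
    demo="$(mktemp -d)"
    install_authorized_key "$demo" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYCONSTRUCTED user@client'
    check_ssh_dir "$demo" && echo "layout ok"
    rm -rf "$demo"
fi
```

Run `check_ssh_dir /home/someuser` whenever a key login fails for no obvious reason; `sshd` logs the refusal only at debug level, so the permission check is faster than reading the daemon's output. Only after a key login to a non-root account has succeeded should password authentication be switched off in sshd_config.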
ASKER CERTIFIED SOLUTION
grblades