Logwatch beginning to worry me?

chaseivey
Hello,
I have a Linux server running CentOS, Apache, MySQL.
I have an external Cisco firewall, and I currently connect to my server via SSH or Plesk 9.

I have recently reviewed several 'logwatch' emails sent to me from my server.  The content of these emails is beginning to worry me.  There are over a hundred unauthorized attempts at accessing my server with usernames anywhere from 'Bob' to 'madman86'.  I am the ONLY person who even knows about my server, so I'm wondering if these are hacking attempts?  If so, is this normal? Is this something I should worry about? What is the best safeguard against these 'attempts'?
Commented:
These are hacking attempts. You can block the IPs this traffic is coming from.

There are lots of shell and perl scripts available which can block the IPs as per the failure attempts.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
As upanwar says, you can block the distinct addresses from where these attempts are being made. Or, even better, if you connect from a specific address (or range) you can just allow those and block the rest (in the ASA, of course).

The thing is if you open up the SSH port for connections from any address, a simple portscan will reveal that port as being open.
You can also open up a high (randomly chosen) port and forward that to the SSH port on the inside.

Author

Commented:
Thanks guys.  I think I'm gonna just limit the ssh access to the 2 places I ever connect.  Sounds like that's my best bet. :)
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Think so. There should be a lot fewer attempts then.
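
The kind of script mentioned in the answers, as an added example that is not part of the original thread: it counts failed SSH password attempts per source address in sshd log lines and leaves out the addresses you connect from yourself. The log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list sources of repeated failed SSH logins.

# Constructed sample in the format sshd writes to /var/log/secure on CentOS.
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 web1 sshd[2211]: Failed password for invalid user Bob from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[2211]: Failed password for invalid user madman86 from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:12 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 12 03:14:15 web1 sshd[2214]: Failed password for invalid user test user from 203.0.113.5 port 51260 ssh2
Jan 12 04:02:41 web1 sshd[2301]: Failed password for root from 198.51.100.20 port 40112 ssh2
Jan 12 04:02:44 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.20 port 40120 ssh2
Jan 12 08:30:02 web1 sshd[2410]: Failed password for admin1 from 192.0.2.10 port 50030 ssh2
Jan 12 08:30:05 web1 sshd[2410]: Failed password for admin1 from 192.0.2.10 port 50031 ssh2
Jan 12 08:30:09 web1 sshd[2410]: Accepted password for admin1 from 192.0.2.10 port 50032 ssh2
Jan 12 09:11:30 web1 sshd[2502]: Failed password for root from 203.0.113.99 port 33010 ssh2
EOF
}

# failed_ssh_sources THRESHOLD [ALLOWED_IP ...]
# Reads sshd log lines on stdin and prints "count ip" for every source with at
# least THRESHOLD failed passwords, skipping the allowed addresses.
failed_ssh_sources() {
  threshold="$1"; shift
  allow=" $* "
  # The username is client-supplied text and may contain spaces, so the
  # address is taken from the fixed tail of the line: "from IP port N ssh2".
  awk -v min="$threshold" -v allow="$allow" '
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
      count[$(NF-3)]++
    }
    END {
      for (ip in count)
        if (count[ip] >= min && index(allow, " " ip " ") == 0)
          print count[ip], ip
    }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; 192.0.2.10 stands in for your own address.
sample_log | failed_ssh_sources 2 192.0.2.10
```

On the server, feed it the real log instead of the sample, for example `failed_ssh_sources 5 192.0.2.10 < /var/log/secure`, and review the list before adding any address to a firewall rule.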
