Questions concerning Security Log
Paul Howarth
paul at city-fan.org
Thu Apr 7 07:49:38 UTC 2005
On Thu, 2005-04-07 at 09:14 +0300, Dotan Cohen wrote:
> As I'm still new to linux I like to open things and see what they are
> / do. So I opened the KDE System Logs program, clicked on over to
> Security logs, and found a bunch of these:
>
> Apr 4 02:15:03 localhost sshd[26567]: Failed password for invalid
> user test from ::ffff:219.238.239.10 port 3429 ssh2
This is a script kiddie trying to crack passwords on your ssh server.
> and these:
>
> Apr 5 04:47:24 localhost sshd[7287]: reverse mapping checking
> getaddrinfo for h169-210-68-8.adcast.com.tw failed - POSSIBLE BREAKIN
> ATTEMPT!
This is because reverse DNS for 210.68.8.169 (source of one of the
script kiddie attacks) points to the hostname
h169-210-68-8.adcast.com.tw but that name does not resolve. Not terribly
uncommon with incompetent ISPs.
> and many more like it. Is this something to worry about?
Yes it is, but it's nothing personal. Everyone running a ssh server that
isn't firewalled off except for specific IPs is probably getting them. I
know I am.
Suggestions:
1. Disable root logins in ssh (you can still log in as a regular user
and use "su") by putting "PermitRootLogin no" in /etc/ssh/sshd_config.
2. Make sure you use strong passwords for *all* accounts.
3. Consider turning off password authentication altogether and using
certificates instead.
> Chkrootkit
> didn't find anything suspicious, so that makes me feel a little
> better, but as I am unable to start firestarter I am a little nervous.
>
> By the way, what is the difference between chkrootkit and chkrootkitX?
> They both run in the terminal (I thought that chkrootkitX would open
> up in a gui or something).
Don't know; I've never used chkrootkit.
> Is it unsafe to put a copy of the log on my site and post a link to it
> here? it spans about 1500 lines, so I do not want to email it to the
> list.
Probably fairly safe but not very useful.
Paul.
--
Paul Howarth <paul at city-fan.org>
More information about the fedora-list
mailing list