Re: [Sheflug] strange server logs, do I have a problem or a script kiddie...
And Lo! The Great Prophet "Rob Keeling" uttered these words of wisdom:
> On multiple servers, across three sites but all with external IPs with the same ISP, I keep seeing logs like the following.
>
> Oct 26 19:29:48 morticia sshd[7913]: Illegal user john from ::ffff:203.131.103.46
> Oct 26 19:29:48 morticia sshd[7913]: reverse mapping checking getaddrinfo for adsl-131.103.46.info.com.ph failed - POSSIBLE BREAKIN ATTEMPT
>
> Should I be worried about this? It seems someone or something is looping usernames to break in.
>
It depends how paranoid you are :-) The log isn't strange, it's normal; the
::ffff:203.131.103.46 address is the IPv6 form of the IPv4 address
203.131.103.46. The failure of the reverse mapping is just misconfigured
DNS (sshd takes the IP address, does an rDNS lookup to get the name, then does
a DNS lookup of the name to get the IP. If all is well, the IP from this
lookup matches the first IP).
Now, if you've got good passwords on your box, I wouldn't worry; just keep
an eye on it -- it's an occupational hazard of having a box online.
Depending on your access requirements you may want to consider firewalling
to only allow certain hosts, or using the hosts_access configuration to
block that domain (or allow certain domains).
Certainly I see sshd attempts on a regular basis on a remote server, and
I've not lost any sleep over it (yet). Just make sure you're up to date with
security patches for ssh, and providing you trust your users to have got
sensible passwords, your box'll be fine. Every now and then, you'll want to
do a sanity check of the box (trawl logs, check configs, make sure no
unknown processes are running, check ~root/.bash_history, .sh_history, etc.;
lastcomm if you have process accounting, etc.) to ensure all is good.
The final judge though is you and your paranoia :-)
One thing to really make sure of, though: ensure that in /etc/ssh/sshd_config
(or wherever your sshd_config lives) "PermitRootLogin" is disabled. You should
never log in remotely from anywhere as root :-)
Chris...
--
\ Chris Johnson \ NP: Red20 - Kill Yourself, It's Christmas
\ cej [at] nightwolf.org.uk \ !
\ http://cej.nightwolf.org.uk/ \
\ http://redclaw.org.uk/ ~---------------------------------------
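Added example (not part of either list post): a short Python script that does the "keep an eye on it" part of the reply above. It parses sshd "Illegal user" lines in the format quoted in the thread, folds the ::ffff: IPv4-mapped IPv6 form back to the plain IPv4 address, counts invalid-user attempts per source so a username-looping host stands out, and replays the reverse-mapping check Chris describes (IP -> PTR name -> forward lookup -> compare) against a fake resolver table so it runs offline. The sample log lines, the fake DNS tables, the 192.0.2.x and example.net names, and the threshold of three attempts are all constructed for this example.

```python
"""Added example: triage sshd 'Illegal user' log lines and replay sshd's
forward-confirmed reverse DNS check.  Log lines and DNS tables below are
constructed for the example; they are not from the original post."""
import ipaddress
import re

# Constructed sample lines in the same shape as the ones quoted in the thread.
SAMPLE_LOG = """\
Oct 26 19:29:48 morticia sshd[7913]: Illegal user john from ::ffff:203.131.103.46
Oct 26 19:29:48 morticia sshd[7913]: reverse mapping checking getaddrinfo for adsl-131.103.46.info.com.ph failed - POSSIBLE BREAKIN ATTEMPT
Oct 26 19:29:51 morticia sshd[7915]: Illegal user test from ::ffff:203.131.103.46
Oct 26 19:29:53 morticia sshd[7917]: Illegal user admin from ::ffff:203.131.103.46
Oct 26 19:30:02 morticia sshd[7919]: Illegal user guest from 192.0.2.10
Oct 26 19:30:05 morticia sshd[7921]: Accepted publickey for alice from 192.0.2.20 port 40122 ssh2
"""

ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")


def normalize_ip(text: str) -> str:
    """Return the plain IPv4 string for an IPv4-mapped IPv6 address such as
    ::ffff:203.131.103.46; any other address is returned unchanged."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def count_illegal_users(log_text: str) -> dict:
    """Map each normalized source IP to the list of usernames it tried."""
    tried = {}
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            user, src = m.groups()
            tried.setdefault(normalize_ip(src), []).append(user)
    return tried


def noisy_sources(tried: dict, threshold: int = 3) -> list:
    """Sources with at least `threshold` invalid-user attempts, i.e. hosts
    looping through usernames.  The threshold is an assumption here."""
    return sorted(ip for ip, users in tried.items() if len(users) >= threshold)


# Fake PTR (reverse) and A (forward) tables standing in for real DNS; constructed.
FAKE_PTR = {
    "203.131.103.46": "adsl-131.103.46.info.com.ph",  # name has no forward record
    "192.0.2.20": "alice-box.example.net",            # name resolves back correctly
}
FAKE_A = {"alice-box.example.net": ["192.0.2.20"]}


def reverse_mapping_ok(ip: str, ptr=FAKE_PTR, fwd=FAKE_A) -> bool:
    """Replay sshd's check: IP -> PTR name -> forward lookup of that name ->
    the original IP must be among the results.  A missing PTR, a missing
    forward record or a mismatch all fail, which is what produces the
    'POSSIBLE BREAKIN ATTEMPT' line."""
    name = ptr.get(ip)
    if name is None:
        return False
    return ip in fwd.get(name, [])


if __name__ == "__main__":
    attempts = count_illegal_users(SAMPLE_LOG)
    for ip in noisy_sources(attempts):
        print(f"{ip}: {len(attempts[ip])} invalid users, "
              f"reverse mapping ok: {reverse_mapping_ok(ip)}")
```

Run it against a real auth log by reading the file into `count_illegal_users` instead of `SAMPLE_LOG`; the `noisy_sources` output is the list you would feed into a firewall rule or hosts.deny entry. Swap `FAKE_PTR`/`FAKE_A` for real `socket.gethostbyaddr`/`socket.getaddrinfo` calls only if you are happy to do live lookups from the box you are checking.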
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.