Password scan



Hi everyone! I am not that experienced with Linux security problems and
how to deal with them, and I am encountering some problems that I don't
know very well how to deal with. Maybe some more experienced people
could help me with some advice.
What's happening? After running the "lastb" command, I can see a lot
of failed attempts to log in to my Linux server - it just goes on
every night, from different IP addresses. Here is a sample of what the
"lastb" command shows:

gem      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
ansel    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
ansel    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
weaken   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
weaken   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
sne      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
sne      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
relf     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
relf     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
mi       ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
mi       ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
linss    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
linss    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
jean     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
jean     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
hansen   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)

Fortunately, it seems there has not been any successful attempt, as the
"last" command shows nothing suspicious, only the expected connections
from the trusted hosts. But I am still worried that somebody might find
a way to break in eventually, because this kind of password scanning
goes on continuously. What I did was just disable login from all user
accounts other than root, by means of the sshd_config file, and
made sure the root password is strong enough. Is there anything else I
should do in this situation? What about trying to follow up on the IP
addresses appearing inside the log, to see where the aggressors are
coming from? Is there any way I can take action against this
unauthorized scanning of my machine? Or maybe the IP addresses are fake
and the attack comes actually from somewhere else?
Please let me know what you think about this situation, so that I
could have a better idea about how to improve the security of my Linux
server.

Thank you,
Christian Sava
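The post reads the lastb output by eye. As an added example (not part of the original post, and not a tool the poster mentions), the script below parses lines in lastb's column layout, groups the failures per source address, flags hosts that are cycling through many usernames from one address (the password-spray pattern in the sample), and reports which of the attempted usernames actually exist on the box. The sample block is constructed: its first sixteen rows mirror the post's output, the 203.0.113.7 rows and the local user set are invented for contrast, and the year is passed in because lastb does not print one.

```python
"""Summarise failed SSH logins from lastb(1) output to spot password-spray sources."""
import re
import sys
from datetime import datetime

# Constructed sample in lastb(1)'s column layout: user, tty, host, start - end, (duration).
# The 60.248.215.110 rows mirror the post; the 203.0.113.7 rows are made up for contrast.
SAMPLE_LASTB = """\
gem      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
ansel    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
ansel    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
weaken   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
weaken   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
sne      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
sne      ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
relf     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
relf     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
mi       ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
mi       ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
linss    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
linss    ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
jean     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
jean     ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
hansen   ssh:notty    60.248.215.110   Thu Dec 21 02:14 - 02:14  (00:00)
root     ssh:notty    203.0.113.7      Thu Dec 21 03:02 - 03:02  (00:00)
admin    ssh:notty    203.0.113.7      Thu Dec 21 03:03 - 03:03  (00:00)

btmp begins Fri Dec  1 00:00:01 2006
"""

# One lastb row. The trailer line ("btmp begins ...") has no " - " separator and is skipped;
# so is any local-tty row whose host column is empty, because the regex expects a host.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+-\s+"
    r"(?P<end>\d{2}:\d{2})\s+\((?P<dur>\d+:\d{2})\)\s*$"
)


def parse_lastb(text, year):
    """Return one dict per failed login: user, host and the attempt's timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the weekday and attach the caller-supplied year (lastb omits it).
        when = datetime.strptime(" ".join(m["start"].split()[1:]), "%b %d %H:%M")
        records.append({"user": m["user"], "host": m["host"], "when": when.replace(year=year)})
    return records


def summarize_by_host(records):
    """Per source address: attempt count, distinct usernames tried, first and last attempt."""
    by_host = {}
    for r in records:
        s = by_host.setdefault(
            r["host"], {"attempts": 0, "users": set(), "first": r["when"], "last": r["when"]}
        )
        s["attempts"] += 1
        s["users"].add(r["user"])
        s["first"] = min(s["first"], r["when"])
        s["last"] = max(s["last"], r["when"])
    return by_host


def flag_sprayers(by_host, min_attempts=5, min_users=3):
    """Hosts that both hammer the server and rotate usernames, busiest first."""
    hits = [h for h, s in by_host.items()
            if s["attempts"] >= min_attempts and len(s["users"]) >= min_users]
    return sorted(hits, key=lambda h: by_host[h]["attempts"], reverse=True)


def targeted_local_accounts(records, local_users):
    """Usernames from the scan that exist locally; these are the ones a guess could hit."""
    return {r["user"] for r in records if r["user"] in local_users}


if __name__ == "__main__":
    text = SAMPLE_LASTB if sys.stdin.isatty() else sys.stdin.read()
    recs = parse_lastb(text, year=datetime.now().year)
    summary = summarize_by_host(recs)
    for host in flag_sprayers(summary):
        s = summary[host]
        print(f"{host}: {s['attempts']} failures, {len(s['users'])} usernames, "
              f"{s['first']:%b %d %H:%M} .. {s['last']:%b %d %H:%M}")
    # Constructed local account list; on a real host read it from /etc/passwd.
    print("existing accounts that were guessed at:",
          sorted(targeted_local_accounts(recs, {"root", "jean", "christian"})))
```

Run it as `lastb | python3 lastb_summary.py` to process the live btmp log. Note that the source addresses in btmp are the TCP peers that completed the SSH handshake, so they are not spoofed in the sense of forged packets, but they are very often compromised third-party machines rather than the attacker's own; that is worth keeping in mind before reading too much into a whois lookup.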
