PaulDotCom mailing list archives
Ssh break in attempt
From: arch3angel at gmail.com (Robert Miller)
Date: Thu, 11 Mar 2010 13:52:13 -0500
Hello Brett,

As others have said, these are extremely common, many times being run by systems whose users are completely unaware that anything is even going on, and at the universities I have gone to they don't block much outbound, but Paul would be a better adviser on that one.

Both of the suggestions by Jody and Matt are spot on and I would follow each of them. One little addition to those would be, when you configure denyhosts, make sure to allow the downloading of known bad IPs, along with having the system email you new denied IPs. Another thing to look into as a precautionary measure is tripwire (http://www.tripwire.com/), and make sure you have it emailing you notices as well.

Here is a link on understanding log files that came across Twitter a couple of days ago but serves as a great cheat sheet or reference: http://zeltser.com/log-management/security-incident-log-review-checklist.html

You can also set up Nagios or Zenoss to look for failed logins or successful logins and give you a web interface to review them.

If you are running a web server, look into suhosin (http://www.hardened-php.net/suhosin/), phpids (http://php-ids.org/), modsecurity (http://www.modsecurity.org/), grsecurity (http://www.grsecurity.net/), and bastille (http://bastille-linux.sourceforge.net/). On the last two, watch your kernel patch level: never remove your current kernel from the grub menu until you are 100% sure the grsecurity-patched kernel is fully functional. If you don't pay close attention you could really hose things up and make it very hard on yourself to fix it.

- Robert (arch3angel)

On 3/10/2010 6:49 PM, Brett wrote:
I realized I haven't checked my logs on my new server (bad me). But I figured I wouldn't find anything; it's only my personal server. I checked the logs today to find thousands of login attempts. Most tried to brute my root password, though I don't have a root user. There were a bunch of user name attempts for what looked like a name dictionary attack. Some were from business static IPs and there were even some from perdu.edu.

Now for my questions. What should I look for to find out if they actually got in? Parse the auth log for those IPs for a successful login? I also run a web server on that machine; is there something I can look for to see if they got into that? Also, is there any recourse I have? Or should I just let it go and harden my server even more?

Sent from my iPhone

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
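The check Brett asks about (parse the auth log for those IPs and see whether any of them ever got an "Accepted" line) and the failed/successful login review Robert suggests watching for, as an added example that is not from the thread or any of the tools named in it. The script assumes OpenSSH's syslog message formats as written to /var/log/auth.log on Debian/Ubuntu (or /var/log/secure on RHEL); the sample log lines are constructed for the example and use documentation IP ranges.

```python
#!/usr/bin/env python3
"""Summarise sshd failures and flag successful logins from brute-forcing hosts.

Added example, not part of the mailing-list thread. Assumes OpenSSH's syslog
lines ("Failed password for ..." / "Accepted publickey for ...") as found in
/var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL)."""
import re
import sys
from collections import defaultdict

# OpenSSH message formats this script understands; other lines are ignored.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+)"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+)"
)

# Constructed sample log (made up for this example, not real data).
SAMPLE_AUTH_LOG = """\
Mar 10 18:01:02 host sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 18:01:05 host sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Mar 10 18:01:09 host sshd[2005]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
Mar 10 18:02:11 host sshd[2010]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Mar 10 18:02:15 host sshd[2012]: Accepted password for brett from 198.51.100.7 port 40004 ssh2
Mar 10 19:30:00 host sshd[2100]: Accepted publickey for brett from 192.0.2.10 port 60001 ssh2
Mar 10 19:30:01 host sshd[2100]: pam_unix(sshd:session): session opened for user brett by (uid=0)
"""


def parse_auth_log(text):
    """Return failed-attempt counts per IP, usernames tried per IP, and every
    successful login as (ip, user, method) in log order."""
    failed = defaultdict(int)
    failed_users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return {
        "failed": dict(failed),
        "failed_users": {ip: sorted(users) for ip, users in failed_users.items()},
        "accepted": accepted,
    }


def suspicious_logins(summary):
    """Successful logins from an address that also produced failed attempts:
    the trace a brute-force attack leaves when it finally guesses a password."""
    return [entry for entry in summary["accepted"] if entry[0] in summary["failed"]]


def top_offenders(summary, n=5):
    """The n addresses with the most failed attempts, highest first."""
    return sorted(summary["failed"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def main(argv):
    # Usage: sshlog_check.py [/var/log/auth.log]; with no path, the sample runs.
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    summary = parse_auth_log(text)
    print("Top offenders (failed attempts):")
    for ip, count in top_offenders(summary):
        print(f"  {ip:<16} {count:>5}  users tried: {', '.join(summary['failed_users'][ip])}")
    print("Successful logins:")
    for ip, user, method in summary["accepted"]:
        print(f"  {user}@{ip} via {method}")
    flagged = suspicious_logins(summary)
    if flagged:
        print("Successful logins from hosts that also failed (investigate!):")
        for ip, user, method in flagged:
            print(f"  {user}@{ip} via {method} after {summary['failed'][ip]} failures")
    else:
        print("No successful logins from brute-forcing hosts.")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, 203.0.113.5 is the noisy guesser with three failures and no success, while 198.51.100.7 fails once and then gets "Accepted password for brett", which is the one line worth investigating. Run it against every rotated copy of the log (auth.log.1, auth.log.*.gz) as well as the live one, and cross-check with `last` and `lastlog`, since wtmp is a separate record that an intruder who edited the syslog file may have missed.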
Current thread:
- Ssh break in attempt Brett (Mar 10)
- Ssh break in attempt Jody & Jennifer McCluggage (Mar 10)
- Ssh break in attempt Matt Erasmus (Mar 10)
- Ssh break in attempt Dimitrios Kapsalis (Mar 11)
- Ssh break in attempt Brett (Mar 11)
- Ssh break in attempt Joshua Smith (Mar 11)
- Ssh break in attempt Jody & Jennifer McCluggage (Mar 11)
- Ssh break in attempt PJ McGarvey (Mar 12)
- Ssh break in attempt Dimitrios Kapsalis (Mar 11)
- <Possible follow-ups>
- Ssh break in attempt iamnowonmai (Mar 10)