On 21/08/2015 12:38, Vojtěch Zeisek wrote:
On Fri 21 August 2015 08:23:57, Lew Wolfgang wrote:
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring the /var/log/messages and I noticed this kind of warning (there are many similar):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Have I to be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by spamhaus. Do the other warnings reference the same IP?
I run denyhosts and fail2ban on my server, blocking attempts against SSH for tens of hours or days. Every day the server blocks at least 10 IPs, mainly from China, Russia and South America... There are also the packages logwatch and logwarn to help you trace those probes. It also reports attacks/probing against Apache/CMS (like Drupal) and so on. Sincerely, Vojtěch
Thanks!
--
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
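Lew's question ("Do the other warnings reference the same IP?") is the right one to ask of these records, and it is easy to answer mechanically. The script below is an added example and is not code from the thread or from openSUSE: it parses kernel audit lines of the form quoted above (type 2404 is AUDIT_CRYPTO_KEY_USER in the kernel's audit.h; the msg='...' payload is produced by sshd's audit support, and addr= is the remote client address), counts how often each client address appears, and lists the addresses that recur at least a given number of times, which is the same signal fail2ban keys on. The sample log lines are constructed for the example, modelled on Marco's line, and the threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample, modelled on the line quoted in the thread; not real log data.
SAMPLE_LOG = """\
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:16:09.120001-03:00 linux-turion64 kernel: [ 9898.645000] audit: type=2404 audit(1440166569.118:789): pid=4263 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4263 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:16:12.000000-03:00 linux-turion64 systemd[1]: Started Some unrelated unit.
2015-08-21T11:16:14.300000-03:00 linux-turion64 kernel: [ 9903.825000] audit: type=2404 audit(1440166574.298:790): pid=4266 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4266 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:20:01.000000-03:00 linux-turion64 kernel: [ 10130.525000] audit: type=2404 audit(1440166801.000:791): pid=4301 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4301 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.20 terminal=? res=success'
"""

# Header of a kernel audit record: "audit: type=NNNN audit(SECS.MSEC:SERIAL): key=value ..."
AUDIT_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens; values may be double-quoted (exe="..."), single-quoted (msg='...') or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_kv(text):
    """Turn 'a=1 b="x y" c=?' into a dict, stripping matching quotes.
    Tokens that are not key=value (such as the '[MD5]' after fp=) are ignored."""
    out = {}
    for key, val in KV_RE.findall(text):
        if val[:1] in "\"'" and val[-1:] == val[:1]:
            val = val[1:-1]
        out[key] = val
    return out


def parse_audit_line(line):
    """Parse one syslog line carrying a kernel audit record.
    Returns None for lines that are not audit records. The msg='...' payload
    (sshd's own fields: op, kind, fp, exe, addr, res, ...) is flattened into the
    same dict as the outer fields (pid, uid, auid, ses)."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {
        "type": int(m.group("type")),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    fields = parse_kv(m.group("body"))
    msg = fields.pop("msg", None)
    rec.update(fields)
    if msg is not None:
        rec.update(parse_kv(msg))
    return rec


def sshd_clients(lines, audit_type=2404, op="destroy"):
    """Count remote client addresses in sshd's audit records of the given type/op."""
    hits = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != audit_type:
            continue
        if rec.get("exe") != "/usr/sbin/sshd" or rec.get("op") != op:
            continue
        addr = rec.get("addr", "?")
        if addr != "?":  # sshd writes '?' when no client address applies
            hits[addr] += 1
    return hits


def repeat_offenders(hits, threshold=3):
    """Addresses seen at least `threshold` times, most frequent first
    (threshold is an arbitrary value chosen for this example)."""
    return sorted((a for a, n in hits.items() if n >= threshold), key=lambda a: -hits[a])


if __name__ == "__main__":
    # In practice you would read /var/log/messages (or `journalctl -k`) instead.
    counts = sshd_clients(SAMPLE_LOG.splitlines())
    for addr, n in counts.most_common():
        print(f"{addr:>16}  {n} sshd audit records")
    print("repeat offenders:", repeat_offenders(counts))
```

Running it on a real /var/log/messages answers Lew's question directly: one record per distant address is background noise, while the same address showing up every few seconds is a scanner working through the port, which is exactly the pattern fail2ban and denyhosts are configured to ban on.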