On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring /var/log/messages and I noticed this kind of warning (there are many similar ones):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Do I have to be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by Spamhaus. Do the other warnings reference the same IP?
Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?
Regards, Lew
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common it isn't worth mentioning. I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block. Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.) I think most of the failed attempts try to log in as root. I also have all root ssh access disabled.
Greg
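As an added example that is not part of the thread: a small Python script that pulls the `addr`/`exe` fields out of a `type=2404` audit record shaped like the one Marco quoted, and replays sshd "Failed password" lines through the escalation Greg describes (a temporary ban after a few failures, a permanent one after the third temporary ban). The log lines, the 203.0.113.24 and 198.51.100.7 addresses and the thresholds are constructed; `parse_audit_fields`, `sshd_audit_peers` and `ban_state` are names chosen here, not fail2ban's.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
SSHD_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port")

# Constructed sample lines (not from the thread): one audit record shaped like the
# quoted one but with a documentation address, then sshd failures: nine from
# 203.0.113.24 (root) and two from 198.51.100.7 (invalid user).
AUDIT_LINE = ("2015-08-21T11:16:05 turion64 kernel: audit: type=2404 audit(1440166565.450:788): "
              "pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server "
              "fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 "
              "suid=0 exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.24 terminal=? res=success'")
FAIL_LINE = "2015-08-21T11:16:{s:02d} turion64 sshd[{pid}]: Failed password for {user} from {ip} port {port} ssh2"
SAMPLE_LINES = (
    [AUDIT_LINE]
    + [FAIL_LINE.format(s=7 + 2 * i, pid=4261 + i, user="root", ip="203.0.113.24", port=50122 + i) for i in range(9)]
    + [FAIL_LINE.format(s=40 + i, pid=4290, user="invalid user admin", ip="198.51.100.7", port=40010) for i in range(2)]
)

def parse_audit_fields(text):
    """Parse the key=value fields of a kernel audit record into a dict.
    Quoted values are unquoted; the pairs nested inside msg='...' are parsed too."""
    fields = {key: value.strip("'\"") for key, value in FIELD_RE.findall(text)}
    if "=" in fields.get("msg", ""):
        fields.update(parse_audit_fields(fields["msg"]))
    return fields

def sshd_audit_peers(lines):
    """Remote addresses named in audit records whose exe is sshd (the record kind asked about)."""
    peers = set()
    for line in lines:
        if "audit: type=" not in line:
            continue
        f = parse_audit_fields(line)
        if f.get("exe") == "/usr/sbin/sshd" and f.get("addr", "?") != "?":
            peers.add(f["addr"])
    return sorted(peers)

def ban_state(lines, maxretry=3, max_temp_bans=3):
    """Replay sshd failures through a fail2ban-style policy: every `maxretry` failures
    from one address earn a temporary ban; the `max_temp_bans`-th temporary ban is made
    permanent and later lines from that address are ignored.
    Returns {ip: (failures, temporary_bans, permanently_banned)}."""
    failures, temp_bans, permanent = defaultdict(int), defaultdict(int), set()
    for line in lines:
        m = SSHD_FAIL_RE.search(line)
        if not m or m.group(1) in permanent:
            continue
        ip = m.group(1)
        failures[ip] += 1
        if failures[ip] % maxretry == 0:
            temp_bans[ip] += 1
            if temp_bans[ip] >= max_temp_bans:
                permanent.add(ip)
    return {ip: (failures[ip], temp_bans[ip], ip in permanent) for ip in failures}

if __name__ == "__main__":
    print("sshd audit peers:", sshd_audit_peers(SAMPLE_LINES))
    for ip, state in ban_state(SAMPLE_LINES).items():
        print(ip, "failures/temp bans/permanent:", state)
```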