On 21/08/2015 12:44, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang wrote:
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring the /var/log/messages and I noticed this kind of warning (there are many similar):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Should I be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by spamhaus. Do the other warnings reference the same IP?
Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?
Regards, Lew
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common it isn't worth mentioning.
I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block.
Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.)
I think most of the failed attempts try to login as root. I also have all root ssh access disabled.
Greg
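Greg's scheme (temporary ban on repeated failures, permanent ban after three temporary bans) written out as a small Python simulation run over constructed sshd log lines. This is an added example, not fail2ban's own code or anything posted in the thread; the thresholds, the 192.0.2.x addresses and the log lines are assumptions.

```python
import re
from collections import defaultdict

# Matches the sshd failure lines a fail2ban sshd filter keys on.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                       r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class Jail:
    # Temporary ban after maxretry failures inside findtime; permanent once an
    # address has collected permanent_after temporary bans (thresholds assumed).
    def __init__(self, maxretry=3, findtime=600, bantime=4 * 3600, permanent_after=3):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.permanent_after = permanent_after
        self.failures = defaultdict(list)  # ip -> epoch times of recent failures
        self.ban_until = {}                # ip -> epoch when its temporary ban expires
        self.ban_count = defaultdict(int)  # ip -> temporary bans issued so far
        self.permanent = set()             # ips banned for good

    def is_banned(self, ip, now):
        return ip in self.permanent or self.ban_until.get(ip, 0) > now

    def observe(self, now, line):
        """Feed one log line; return 'ban', 'permaban', 'blocked' or None."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.is_banned(ip, now):
            return "blocked"  # the firewall rule would already be dropping this source
        recent = [t for t in self.failures[ip] if now - t <= self.findtime] + [now]
        self.failures[ip] = recent
        if len(recent) < self.maxretry:
            return None
        self.failures[ip] = []  # a ban resets the failure window
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.permanent_after:
            self.permanent.add(ip)
            return "permaban"
        self.ban_until[ip] = now + self.bantime
        return "ban"

def run(jail, events):
    """events: (epoch_seconds, line) pairs in time order; returns the actions taken."""
    return [a for a in (jail.observe(ts, line) for ts, line in events) if a]

# Constructed sample: 192.0.2.10 hammers root in three bursts about 5 hours apart,
# 192.0.2.20 fails twice and never trips the threshold.
SAMPLE = sorted([(r * 18000 + 10 * i, f"sshd[1234]: Failed password for root from 192.0.2.10 port 5{i} ssh2")
                 for r in range(3) for i in range(3)] +
                [(100 + 20 * i, f"sshd[1235]: Failed password for invalid user admin from 192.0.2.20 port 6{i} ssh2")
                 for i in range(2)])
```

Running `run(Jail(), SAMPLE)` yields two temporary bans and then a permanent one for 192.0.2.10, while 192.0.2.20 is never banned.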
Greg,
Interesting! This app, fail2ban, is it difficult to set up? Thanks also for pointing out the important detail about ssh root access, I will check my ssh configuration. It is most probable my laptop has been attacked for a lot of days or even months and I had not yet noticed it!
Regards,
--
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org