On 21/08/15 18:35, Lew Wolfgang wrote:
On 08/21/2015 08:44 AM, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang wrote:
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring /var/log/messages and I noticed this kind of warning (there are many similar ones):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Do I have to be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by spamhaus. Do the other warnings reference the same IP?
Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?
Regards, Lew
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common they aren't worth mentioning.
I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block.
Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.)
I think most of the failed attempts try to login as root. I also have all root ssh access disabled.
Hi Greg,
I too see LOTS of login attempts from China on public-facing ssh servers, but in my case most are using non-root logins. I've been using blockhosts, but last year I got tired of seeing thousands of entries in the table so I entered all known China IP CIDR blocks. Now I'm down to about 100 actively blocked IPs plus about 100 "watched" IPs.
But being unfamiliar with the OP's message report and not knowing his configuration, I'd be worried and would look further.
Regards, Lew
One partial solution is to move your ssh port to a non-standard one, e.g. an unused higher-numbered port. These attacks will almost certainly be aimed at port 22.
Bob Williams
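Lew asks whether the other warnings reference the same IP and whether sshd entries appear alongside them. The following script is an added example, not code from anyone in this thread: it parses kernel audit records in the shape of Marco's line (type 2404 is AUDIT_CRYPTO_KEY_USER in linux/audit.h, the event sshd emits when it creates or destroys a session key) and groups sshd key events by peer address, separating public peers from private ones. Only the first sample line is the one quoted above; the remaining lines are constructed for the demonstration.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: line 1 is the event quoted in the thread, the others are
# made up in the same shape so the grouping below has something to show.
SAMPLE_LOG = """\
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:17:42.100000-03:00 linux-turion64 kernel: [ 9991.600000] audit: type=2404 audit(1440166662.100:791): pid=4271 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4271 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
2015-08-21T11:20:01.000000-03:00 linux-turion64 kernel: [10130.500000] audit: type=2404 audit(1440166801.000:799): pid=4302 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4302 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.20 terminal=? res=success'
2015-08-21T11:21:00.000000-03:00 linux-turion64 sshd[4310]: Accepted publickey for lew from 192.168.1.20 port 51234 ssh2
"""

# Envelope of a kernel audit line, then the key=value pairs inside it.
AUDIT_RE = re.compile(r"audit: type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

AUDIT_CRYPTO_KEY_USER = 2404  # value from linux/audit.h


def parse_audit_line(line):
    """Return a flat dict of audit fields, or None if the line is not an audit record."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = {"type": int(m.group("type")), "serial": int(m.group("serial"))}
    for key, value in FIELD_RE.findall(m.group("body")):
        value = value.strip("'\"")
        if key == "msg":  # the msg='...' payload is itself a key=value list
            rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(value))
        else:
            rec[key] = value
    return rec


def sshd_key_events_by_addr(log_text):
    """Count sshd session-key events (type 2404) per peer address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["type"] == AUDIT_CRYPTO_KEY_USER and rec.get("exe") == "/usr/sbin/sshd":
            counts[rec.get("addr", "?")] += 1
    return counts


def public_peers(counts):
    """Peers outside private/loopback space, i.e. connections that came in from the Internet."""
    return sorted(a for a in counts if a != "?" and ipaddress.ip_address(a).is_global)


if __name__ == "__main__":
    by_addr = sshd_key_events_by_addr(SAMPLE_LOG)
    for addr, n in by_addr.most_common():
        print(f"{addr:>16}  {n} sshd key events")
    print("public peers:", public_peers(by_addr))
```

Run it against the real file with `sshd_key_events_by_addr(open("/var/log/messages").read())`; one public address showing up repeatedly is the pattern Lew is asking about, and the same address appearing in ordinary `sshd[...]` lines tells you whether those sessions got as far as authentication.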