Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] Question About Sys/Sec Logs
  • From: Stan Glasoe <SRGlasoe@xxxxxxxxxxx>
  • Date: Mon, 14 Mar 2005 14:30:38 -0600
  • Message-id: <200503141430.38126.SRGlasoe@xxxxxxxxxxx>
On Monday 14 March 2005 1:33 pm, Don Parris wrote:
> In my syslog (via Yast) I found the following entries:
>
> Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
> Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC=
> SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48
> ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A032FB3A50000000001030300)
snip
> Mar 14 08:51:43 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC=
> SRC=12.6.153.198 DST=67.35.166.180 LEN=908 TOS=0x00 PREC=0x00 TTL=116
> ID=13705 PROTO=UDP SPT=29582 DPT=1028 LEN=888
snip
>
> It appears that someone was trying to login on my system while it was
> connected to the 'Net. My real question is whether this indicates my
> defenses are working, or should I be looking elsewhere for that
> confirmation. There is no other activity recorded until 12:46 and I have
> not noticed any problems with my system.
>
> However, I also understand that wily crackers will attempt to make
> themselves invisible and cover their tracks. I'm not wily enough yet to
> get the really wily ones. ;) I'm not in a state of panic, but do feel I
> need to spend more time understanding and applying the security monitoring
> stuff. Is this where Snort would be useful? Thanks for your input.
>
> Don

The first is a probe of your port 22 for ssh looking for generic/common login
IDs. I believe it's an automated bot. If one or more of those names responded
then they may be back with a password crack attempt.

Make sure you have 'PermitRootLogin no' in /etc/ssh/sshd_config.

Then consider changing from port 22 to something above 1024 and don't tell
anybody that doesn't need to know. Closing (or not having anything listening
on) port 22 eliminated those probes for me.

The last example I'm not sure about since I don't recognize that one and await
an answer from someone else on the list.

Patrick Shanahan keeps us informed of updates on suse-linux-e:
rkhunter-1.2.1-1.noarch.rpm is available for download:
http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.noarch.rpm
http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.src.rpm
http://wahoo.no-ip.org/~pat/rkhunter-1.2.1.tar.gz

This can keep you informed IF a rootkit is found. Doesn't prevent them.

Stan
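As an added illustration (not part of Stan's or Don's messages), here is a small triage script run over the kind of log lines quoted above. It joins the sshd "Invalid user" entries with the SuSEfirewall2 SFW2 kernel lines on source address (sshd logs IPv4 peers as ::ffff:a.b.c.d on a dual-stack socket, the firewall logs them bare), labels each source, and reads an sshd_config text the way sshd does to check the two settings the reply recommends. The extra "guest"/"admin" probes, the "Accepted publickey" line, the 10.0.0.5 address, the sshd_config snippets and the labels/threshold are constructed for the example.

```python
"""Triage sshd + SuSEfirewall2 (SFW2) syslog lines by source address, and
check sshd_config for PermitRootLogin / Port. Added example, not list code."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread; the 'guest'
# and 'admin' probes, the 'Accepted' line and 10.0.0.5 are illustrative.
SAMPLE_LOG = """\
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB3A50000000001030300)
Mar 14 08:04:47 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92
Mar 14 08:04:49 luke sshd[26289]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:51:43 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=12.6.153.198 DST=67.35.166.180 LEN=908 TOS=0x00 PREC=0x00 TTL=116 ID=13705 PROTO=UDP SPT=29582 DPT=1028 LEN=888
Mar 14 12:46:02 luke sshd[27001]: Accepted publickey for don from 10.0.0.5 port 50122 ssh2
"""

V4MAPPED = "::ffff:"  # sshd's IPv4-mapped IPv6 form; SFW2's SRC= field is bare IPv4
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
SSHD_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SFW2 = re.compile(r"kernel: SFW2-[A-Za-z]+-(ACC|DROP)-\S+ .*\bSRC=(\S+) .*\bPROTO=(\S+) .*\bDPT=(\d+)")


def normalize_ip(addr):
    """Strip the ::ffff: prefix so sshd and firewall events key on one address."""
    return addr[len(V4MAPPED):] if addr.startswith(V4MAPPED) else addr


def parse_line(line):
    """Return an event dict for the three line kinds we care about, else None."""
    m = SSHD_INVALID.search(line)
    if m:
        return {"kind": "invalid_user", "src": normalize_ip(m.group(2)), "user": m.group(1)}
    m = SSHD_ACCEPTED.search(line)
    if m:
        return {"kind": "accepted", "src": normalize_ip(m.group(3)), "user": m.group(2)}
    m = SFW2.search(line)
    if m:
        verdict, src, proto, dpt = m.groups()
        return {"kind": "fw_" + verdict.lower(), "src": src, "proto": proto, "dpt": int(dpt)}
    return None


def summarize(log_text):
    """Per source address: counts of each event kind, usernames tried, ports hit."""
    def fresh():
        return {"invalid_user": 0, "accepted": 0, "fw_acc": 0, "fw_drop": 0,
                "users": set(), "ports": set()}
    per_src = defaultdict(fresh)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        e = per_src[ev["src"]]
        e[ev["kind"]] += 1
        if "user" in ev:
            e["users"].add(ev["user"])
        if "dpt" in ev:
            e["ports"].add((ev["proto"], ev["dpt"]))
    return dict(per_src)


def classify(summary, probe_threshold=2):
    """'probe': several invalid users and no login (the bot Stan describes);
    'investigate': probes followed by an accepted login from the same source;
    'login': accepted only; 'blocked': firewall dropped everything; else 'noise'."""
    labels = {}
    for src, e in summary.items():
        if e["invalid_user"] >= probe_threshold and e["accepted"]:
            labels[src] = "investigate"
        elif e["invalid_user"] >= probe_threshold:
            labels[src] = "probe"
        elif e["accepted"]:
            labels[src] = "login"
        elif e["fw_drop"] and not e["fw_acc"]:
            labels[src] = "blocked"
        else:
            labels[src] = "noise"
    return labels


def check_sshd_config(text):
    """Read the global section as sshd does: keywords case-insensitive, '#'
    comments ignored, first PermitRootLogin wins, Port may repeat, and anything
    after the first 'Match' line is conditional so we stop there."""
    root, ports = None, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "permitrootlogin" and root is None:
            root = val
        elif key == "port":
            ports.append(int(val))
    root = root or "yes"        # OpenSSH default in 2005: root login permitted
    ports = ports or [22]
    findings = []
    if root.lower() != "no":
        findings.append("PermitRootLogin is %r; set it to 'no'" % root)
    if 22 in ports:
        findings.append("sshd listens on 22; consider a high, unadvertised port")
    return {"PermitRootLogin": root, "Ports": ports, "findings": findings}


if __name__ == "__main__":
    for src, label in classify(summarize(SAMPLE_LOG)).items():
        print(src, label)
```

On the sample, 218.153.147.92 is labelled "probe" (three usernames tried, firewall accepted the SYN, no login), 12.6.153.198 "blocked" (the UDP/1028 packet the thread could not identify was only ever dropped), and 10.0.0.5 "login". The "investigate" label is the case Stan warns about: a source that guessed names earlier and later got an "Accepted" line.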
