Mailinglist Archive: opensuse-security (228 mails)

Question About Sys/Sec Logs
  • From: Don Parris <webdev@xxxxxxxxxxxxx>
  • Date: Mon, 14 Mar 2005 14:33:50 -0500
  • Message-id: <20050314143350.231c551d@xxxxxxxxxxxxxxxxxx>
In my syslog (via YaST) I found the following entries:

(020405B401010402)
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB3A50000000001030300)
Mar 14 08:04:46 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92
Mar 14 08:04:47 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=61758 DF PROTO=TCP SPT=34796 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB47A0000000001030300)
Mar 14 08:04:49 luke sshd[26289]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:04:49 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=34621 DF PROTO=TCP SPT=34842 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB54B0000000001030300)
Mar 14 08:04:51 luke sshd[26291]: Invalid user admin from ::ffff:218.153.147.92
Mar 14 08:04:51 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=17521 DF PROTO=TCP SPT=34909 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB61C0000000001030300)
Mar 14 08:04:53 luke sshd[26293]: Invalid user user from ::ffff:218.153.147.92
Mar 14 08:05:01 luke sshd[26301]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:08:20 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=219.128.154.132 DST=67.35.166.180 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=40245 DF PROTO=TCP SPT=3984 DPT=9898 WINDOW=65044 RES=0x00 SYN URGP=0 OPT (0204058601010402)
Mar 14 08:19:59 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=218.83.155.77 DST=67.35.166.180 LEN=364 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=49964 DPT=1026 LEN=344
Mar 14 08:41:56 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=222.88.173.5 DST=67.35.166.180 LEN=681 TOS=0x00 PREC=0x00 TTL=111 ID=62714 PROTO=UDP SPT=17219 DPT=1026 LEN=661
Mar 14 08:51:43 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=12.6.153.198 DST=67.35.166.180 LEN=908 TOS=0x00 PREC=0x00 TTL=116 ID=13705 PROTO=UDP SPT=29582 DPT=1028 LEN=888

It appears that someone was trying to log in to my system while it was
connected to the 'Net. My real question is whether this indicates my
defenses are working, or should I be looking elsewhere for that
confirmation. There is no other activity recorded until 12:46 and I have
not noticed any problems with my system.

However, I also understand that wily crackers will attempt to make
themselves invisible and cover their tracks. I'm not wily enough yet to
get the really wily ones. ;) I'm not in a state of panic, but do feel I
need to spend more time understanding and applying the security monitoring
stuff. Is this where Snort would be useful? Thanks for your input.

Don
--
evangelinux GNU Evangelist
http://matheteuo.org/ http://chaddb.sourceforge.net/
"Free software is like God's love - you can share it with anyone anytime
anywhere."
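Added example, not part of the post above: a small Python parser for the two kinds of lines quoted there, SuSEfirewall2 kernel entries (SFW2-INext-ACC-... / SFW2-INext-DROP-...) and sshd "Invalid user" messages, correlated per source address. It makes the point the log itself carries: ACC means the firewall accepted the connection to port 22, so what stopped these attempts was sshd rejecting unknown user names, not the firewall; the sample lines are excerpted from the post and the threshold is my own choice.

```python
import re
from collections import defaultdict

# SuSEfirewall2 kernel entry: verdict (ACC = accepted, DROP = dropped) plus the iptables fields.
SFW2_RE = re.compile(r"SFW2-INext-(?P<verdict>ACC|DROP)-\S+ .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")
# sshd rejection; the peer is logged as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<src>[\d.]+)")

# Constructed sample: entries excerpted from the post, each rejoined onto one line.
SAMPLE_LOG = [
    "Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92",
    "Mar 14 08:04:46 luke sshd[26287]: Invalid user guest from ::ffff:218.153.147.92",
    "Mar 14 08:04:49 luke sshd[26289]: Invalid user admin from ::ffff:218.153.147.92",
    "Mar 14 08:08:20 luke kernel: SFW2-INext-DROP-DEFLT IN=dsl0 OUT= MAC= SRC=219.128.154.132 DST=67.35.166.180 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=40245 DF PROTO=TCP SPT=3984 DPT=9898 WINDOW=65044 RES=0x00 SYN URGP=0",
]

def parse_line(line):
    """Return ('fw', verdict, src, proto, dpt), ('sshd', user, src), or None for other lines."""
    m = SFW2_RE.search(line)
    if m:
        return ("fw", m["verdict"], m["src"], m["proto"], int(m["dpt"]))
    m = SSHD_RE.search(line)
    if m:
        return ("sshd", m["user"], m["src"])
    return None

def summarize(lines):
    """Per source IP: ports the firewall accepted, ports it dropped, and user names sshd rejected."""
    stats = defaultdict(lambda: {"accepted": set(), "dropped": set(), "invalid_users": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "fw":
            _, verdict, src, proto, dpt = rec
            stats[src]["accepted" if verdict == "ACC" else "dropped"].add(f"{proto}/{dpt}")
        else:
            _, user, src = rec
            stats[src]["invalid_users"].append(user)
    return dict(stats)

def flag_ssh_guessing(stats, threshold=3):
    """Sources the firewall let through to TCP/22 that sshd then rejected at least `threshold` times."""
    return sorted(src for src, s in stats.items()
                  if "TCP/22" in s["accepted"] and len(s["invalid_users"]) >= threshold)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src in flag_ssh_guessing(stats):
        print(f"{src}: firewall accepted {sorted(stats[src]['accepted'])}, "
              f"sshd rejected users {stats[src]['invalid_users']}")
```

On the sample this reports 218.153.147.92 as accepted on TCP/22 with three rejected user names, while the 219.128.154.132 probe of TCP/9898 shows up only under dropped ports and is never flagged.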
