

Is this an example of someone trying something evil?
Xserve@home
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 10, 2005, 07:22 PM
 
Was going through my system.log this morning and found this:

Code:
Nov 11 05:16:39 G3 sshd[20869]: Illegal user webadmin from 200.4.128.2
Nov 11 05:16:40 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:16:40 G3 xinetd[340]: START: ssh pid=20876 from=200.4.128.2
Nov 11 05:16:43 G3 sshd[20876]: Illegal user ftp from 200.4.128.2
Nov 11 05:16:44 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:16:44 G3 xinetd[340]: START: ssh pid=20880 from=200.4.128.2
Nov 11 05:16:47 G3 sshd[20880]: Illegal user test from 200.4.128.2
Nov 11 05:16:48 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:16:48 G3 xinetd[340]: START: ssh pid=20882 from=200.4.128.2
Nov 11 05:16:52 G3 sshd[20882]: Failed password for root from 200.4.128.2 port 1072 ssh2
Nov 11 05:16:53 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:16:53 G3 xinetd[340]: START: ssh pid=20884 from=200.4.128.2
Nov 11 05:16:57 G3 sshd[20884]: Illegal user admin from 200.4.128.2
Nov 11 05:16:58 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:16:58 G3 xinetd[340]: START: ssh pid=20886 from=200.4.128.2
Nov 11 05:17:03 G3 sshd[20886]: Illegal user guest from 200.4.128.2
Nov 11 05:17:04 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:17:04 G3 xinetd[340]: START: ssh pid=20888 from=200.4.128.2
Nov 11 05:17:08 G3 sshd[20888]: Illegal user master from 200.4.128.2
Nov 11 05:17:10 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:17:10 G3 xinetd[340]: START: ssh pid=20890 from=200.4.128.2
Nov 11 05:17:13 G3 sshd[20890]: Illegal user apache from 200.4.128.2
Nov 11 05:17:14 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:17:14 G3 xinetd[340]: START: ssh pid=20892 from=200.4.128.2
Nov 11 05:17:19 G3 sshd[20892]: Failed password for root from 200.4.128.2 port 4632 ssh2
Nov 11 05:17:20 G3 xinetd[340]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Nov 11 05:17:20 G3 xinetd[340]: START: ssh pid=20894 from=200.4.128.2
Nov 11 05:17:24 G3 sshd[20894]: Failed password for root from 200.4.128.2 port 6116 ssh2
I did a traceroute on the IP 200.4.128.2 (weird address) and I got:
Code:
traceroute to 200.4.128.2 (200.4.128.2), 64 hops max, 40 byte packets
 1  * * *
 2  sbymlsw101.v4.kddi.ne.jp (211.134.169.225)  253.935 ms  320.365 ms  267.188 ms
 3  sbycbb202.kddnet.ad.jp (211.134.169.19)  489.681 ms  740.360 ms  255.425 ms
 4  otejbb202.kddnet.ad.jp (203.181.99.57)  305.649 ms  302.298 ms  277.838 ms
 5  otecbb104.kddnet.ad.jp (203.181.96.133)  535.119 ms  254.278 ms  577.908 ms
 6  gsr-la2.kddnet.ad.jp (203.181.100.38)  410.023 ms  363.814 ms  803.975 ms
 7  tr-la4.kddnet.ad.jp (59.128.2.38)  392.718 ms  405.375 ms  367.367 ms
 8  so4-0-2-155m.ar3.lax1.gblx.net (208.50.13.17)  731.087 ms  401.253 ms  379.623 ms
 9  so0-0-0-2488m.ar2.dal1.gblx.net (67.17.70.238)  650.871 ms  416.789 ms  387.633 ms
10  telmex-usa.ge-5-0-0.ar2.dal1.gblx.net (64.215.185.38)  617.070 ms  546.732 ms  415.977 ms
11  bb-mex-vallejo-10-pos0-0.uninet.net.mx (200.38.193.125)  705.965 ms  513.643 ms  480.277 ms
12  inet-gro-hidalgo-1-pos1-1-0.uninet.net.mx (200.38.193.117)  697.246 ms  510.843 ms  611.993 ms
13  universidad-autonoma-de-chilpancingo-e1-0004-0667.uninet.net.mx (148.223.181.85)  543.231 ms  509.777 ms  599.416 ms
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
( Last edited by Xserve@home; Nov 10, 2005 at 07:32 PM. )
     
GeeYouEye
Junior Member
Join Date: Mar 2003
Location: Walnut Creek, CA
Nov 10, 2005, 07:25 PM
 
Trying, and failing, yes.
I bring order to chaos. You are in chaos windows, you are the contradiction, a bug wishing to be an OS.
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 10, 2005, 07:38 PM
 
Bastard!! Anything I can do? Guess not, but I should be happy that they couldn't get in, yes?
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Nov 10, 2005, 09:04 PM
 
Yep, either someone using some tool to bruteforce logins or some owned machine somewhere that is being used as an attack vector. As long as your passwords are strong and your usernames are not generic like "scott" or "web", you'll be fine.
Originally posted by Xserve@home
Bastard!! Anything I can do?
Sure. Add a line like
Code:
AllowUsers theman xserve geeyoueye
to /etc/sshd_config to make sure only users theman, xserve, and geeyoueye are allowed to log in. I disable passwords entirely on my server, but for some admins that's not very convenient.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 10, 2005, 09:21 PM
 
I'm going to change my passwords just to be on the safe side.
AND add that line to my ssh_config file. THANKS!!

I don't have anything of worth on that server, but I still don't want anyone breaking into it.

I'm going to check out log analyzers, too.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Nov 11, 2005, 12:10 AM
 
Originally Posted by Xserve@home
I'm going to change my passwords just to be on the safe side.
AND add that line to my ssh_config file. THANKS!!
One note, it's sshd_config! I don't know if it was a typo or not, but I'd rather just tell you so you don't come back wondering why adding that line to "ssh_config" didn't do anything.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 11, 2005, 07:34 AM
 
Thanks for clearing that up. I added that line to my sshd_config file. Logins have a bit of a pause now, which I'm guessing is that extra line I put in doing its job.
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 11, 2005, 07:42 AM
 
What does this mean?
Code:
Nov 11 08:04:26 G3 sshd[22846]: reverse mapping checking getaddrinfo for IP address failed - POSSIBLE BREAKIN ATTEMPT!
Where IP address is my IP from work
     
Tesseract
Grizzled Veteran
Join Date: Apr 2002
Location: california
Nov 11, 2005, 09:26 AM
 
When an SSH client connects to an SSH server, the server does some sanity checks. Among other things, the server does a reverse DNS lookup (getting a name from an IP) of the client's IP, then a regular lookup (IP from name) of the resulting name. If they don't match, the SSH server logs a message like that because there might be something evil going on. In your case, if you know you initiated the connection, there's nothing to worry about.

Incidentally, the client does similar checks on the server and you may get a similar message from the SSH client when connecting to a server whose DNS and reverse DNS don't match up.
     
EmmEff
Dedicated MacNNer
Join Date: Jul 2004
Location: Ontario, Canada
Nov 11, 2005, 05:04 PM
 
When my home Linux server was constantly being pounded by these sort of ssh connection attempts, I did two things:

1. disable keyboard authentication for ssh - use keys - no key, no connect.

2. run ssh on a different-than-default port - I run my sshd on port 2222. I haven't had a connection attempt that wasn't mine since.
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 11, 2005, 10:02 PM
 
Thanks! I just changed my sshd port, too.

Yesterday I got this:
Code:
Nov 11 16:14:24 G3 sshd[28529]: Failed password for root from 219.149.13.154 port 50136 ssh2
Nov 11 16:14:30 G3 sshd[28531]: Failed password for root from 219.149.13.154 port 50186 ssh2
Nov 11 16:14:33 G3 sshd[28533]: Failed password for root from 219.149.13.154 port 50296 ssh2
Nov 11 16:14:39 G3 sshd[28535]: Failed password for root from 219.149.13.154 port 50371 ssh2
Nov 11 16:14:44 G3 sshd[28537]: Failed password for root from 219.149.13.154 port 50434 ssh2
Nov 11 16:14:48 G3 sshd[28539]: Failed password for root from 219.149.13.154 port 50506 ssh2
Nov 11 16:14:52 G3 sshd[28541]: Failed password for root from 219.149.13.154 port 50570 ssh2
Nov 11 16:17:16 G3 sshd[28457]: error: BSM audit: solaris_audit_record failed to write "sshd logout " record: Operation not supported
Nov 11 16:38:14 G3 sshd[28790]: Did not receive identification string from 24.34.202.236
Nov 11 16:41:06 G3 sshd[28836]: Failed password for root from 24.34.202.236 port 35587 ssh2
Nov 11 16:41:08 G3 sshd[28838]: Illegal user test from 24.34.202.236
Nov 11 16:41:11 G3 sshd[28840]: Illegal user test from 24.34.202.236
Nov 11 16:41:14 G3 sshd[28842]: Illegal user test from 24.34.202.236
Nov 11 16:41:16 G3 sshd[28844]: Illegal user test from 24.34.202.236
Nov 11 16:41:19 G3 sshd[28846]: Illegal user guest from 24.34.202.236
Nov 11 16:41:21 G3 sshd[28848]: Failed password for nobody from 24.34.202.236 port 35616 ssh2
Nov 11 16:41:25 G3 sshd[28850]: Illegal user apache from 24.34.202.236
Nov 11 16:41:27 G3 sshd[28852]: Illegal user prova from 24.34.202.236
Nov 11 16:41:30 G3 sshd[28854]: Illegal user prueba from 24.34.202.236
Nov 11 16:41:33 G3 sshd[28856]: Illegal user proba from 24.34.202.236
Nov 11 16:41:35 G3 sshd[28858]: Illegal user try from 24.34.202.236
Nov 11 16:41:38 G3 sshd[28860]: Illegal user new from 24.34.202.236
Nov 11 16:41:40 G3 sshd[28865]: Failed password for www from 24.34.202.236 port 35650 ssh2
Nov 11 16:41:43 G3 sshd[28870]: Illegal user wap from 24.34.202.236
Nov 11 16:41:45 G3 sshd[28873]: Illegal user web from 24.34.202.236
Nov 11 16:41:49 G3 sshd[28875]: Illegal user info from 24.34.202.236
Nov 11 16:41:52 G3 sshd[28877]: Illegal user install from 24.34.202.236
Nov 11 16:41:58 G3 sshd[28879]: Illegal user register from 24.34.202.236
Nov 11 16:42:01 G3 sshd[28881]: Illegal user history from 24.34.202.236
Nov 11 16:42:04 G3 sshd[28883]: Illegal user play from 24.34.202.236
Nov 11 16:42:06 G3 sshd[28885]: Illegal user playboy from 24.34.202.236
Nov 11 16:42:09 G3 sshd[28887]: Illegal user hotmail from 24.34.202.236
Nov 11 16:42:12 G3 sshd[28889]: Illegal user mail from 24.34.202.236
Nov 11 16:42:14 G3 sshd[28891]: Illegal user hotline from 24.34.202.236
Nov 11 16:42:26 G3 sshd[28893]: Did not receive identification string from 24.34.202.236
If anyone wants to do something nasty to those IPs, be my guest!!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 12, 2005, 01:05 PM
 
Originally Posted by Xserve@home
Thanks! I just changed my sshd port, too.

Did you restart your SSH daemon after changing the port in sshd_config (not ssh_config)?
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 12, 2005, 06:28 PM
 
Yes.
With just a regular ssh [email protected] I get 'connection refused'
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 13, 2005, 12:47 AM
 
Originally Posted by Xserve@home
Yes.
With just a regular ssh [email protected] I get 'connection refused'

Ahhh... well, you need to:

ssh [email protected] -p port_number

otherwise, SSH will default to port 22.
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 13, 2005, 07:42 AM
 
That's what I'm doing
Sorry, the "" was meant to "yay, no one else can get in now"
     
zanyterp
Mac Enthusiast
Join Date: Apr 2003
Location: manticore or people's republic of haven
Dec 12, 2005, 01:43 PM
 
Originally Posted by [APi]TheMan
Yep, either someone using some tool to bruteforce logins or some owned machine somewhere that is being used as an attack vector. As long as your passwords are strong and your usernames are not generic like "scott" or "web", you'll be fine.
Sure. Add a line like
Code:
AllowUsers theman xserve geeyoueye
to /etc/sshd_config to make sure only users theman, xserve, and geeyoueye are allowed to log in. I disable passwords entirely on my server, but for some admins that's not very convenient.
by disabling passwords then you can't get in for maintenance either though, right? or am i missing something vital in that statement?
some people are like slinkys: they don't do much, but are fun to push down stairs.
     
Tesseract
Grizzled Veteran
Join Date: Apr 2002
Location: california
Dec 12, 2005, 01:45 PM
 
Originally Posted by zanyterp
by disabling passwords then you can't get in for maintenance either though, right? or am i missing something vital in that statement?
"Disabling passwords" in the context of an SSH configuration usually means requiring public/private key authentication as opposed to one of the methods of password authentication.
     
zanyterp
Mac Enthusiast
Join Date: Apr 2003
Location: manticore or people's republic of haven
Dec 12, 2005, 01:49 PM
 
by disabling passwords, you then require something like a cert to be presented for the authentication to take place and allow access? if that is correct, where are the certs stored and are self-signed/generated (using openSSL or another similar utility from the command line) allowed?
some people are like slinkys: they don't do much, but are fun to push down stairs.
     
Tesseract
Grizzled Veteran
Join Date: Apr 2002
Location: california
Dec 12, 2005, 02:09 PM
 
Originally Posted by zanyterp
by disabling passwords, you then require something like a cert to be presented for the authentication to take place and allow access? if that is correct, where are the certs stored and are self-signed/generated (using openSSL or another similar utility from the command line) allowed?
The public/private key pairs are generated by ssh-keygen and stored in ~/.ssh. (There is also an option to use host keys as opposed to user keys, these go in /etc somewhere, I don't have any experience using them.)

To set up normal user based SSH key authentication, here's what to do:
  1. Make sure PubkeyAuthentication and RSAAuthentication are not turned off in the /etc/sshd_config of the target machine (the one you want to ssh into). (The default is to allow these, so if there is no mention of them, you're OK.) Check 'man sshd_config' for more about these.
  2. On the machine you are going to ssh from, do ssh-keygen -t rsa. You can give it a password (handy if you're afraid the client machine might be compromised) but you don't have to.
  3. Copy ~/.ssh/id_rsa.pub from the client machine to the target server.
  4. On the target machine, do cat id_rsa.pub >> ~/.ssh/authorized_keys. Make sure the permissions on authorized_keys are 600 (i.e., not group or world accessible).
  5. Try to ssh from the client machine to the target. You should not be prompted for a password, unless you set a password on your private key during the ssh-keygen step.
  6. If that worked and you're feeling confident, you can disable password authentication on the target machine if you want. Set PasswordAuthentication and ChallengeResponseAuthentication to no in /etc/sshd_config.
  7. You can remove the temporary id_rsa.pub from the target machine now.
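Tesseract's steps above, together with TheMan's AllowUsers line and EmmEff's non-default port earlier in the thread, come down to a handful of sshd_config directives. What follows is an added example, not code from the thread or from OpenSSH: a small Python audit that reads a sshd_config the way sshd does (keywords are case-insensitive, an absent directive takes its default, and the first value of a repeated directive wins, so a line appended at the bottom of the file does not override an earlier one) and flags the settings still at their risky defaults. The three sample configs are constructed.

```python
"""Audit an sshd_config for the settings recommended in this thread.

Added example, not code from the thread. It reads the directives the posters
mention using sshd_config(5) semantics: keywords are case-insensitive, an
absent directive takes its default, and when a directive appears more than
once the FIRST value wins, so a line appended at the end of the file does not
override an earlier setting.
"""
import re

# Values OpenSSH uses when the directive is absent (per sshd_config(5)).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowusers": "",
}

def parse_sshd_config(text):
    """Map lowercased keyword -> effective value (first occurrence wins)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" or "Keyword=value"; only the first separator splits
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(parts[0].lower(), value)
    return effective

def audit(text):
    """Return [(Directive, effective value, why it matters)] for weak settings."""
    cfg = parse_sshd_config(text)
    get = lambda key: cfg.get(key, DEFAULTS[key])
    findings = []
    if get("pubkeyauthentication").lower() != "yes":
        findings.append(("PubkeyAuthentication", get("pubkeyauthentication"),
                         "key login is off; enable it before disabling passwords"))
    if get("passwordauthentication").lower() != "no":
        findings.append(("PasswordAuthentication", get("passwordauthentication"),
                         "guessable; set to no once key login is confirmed working"))
    if get("challengeresponseauthentication").lower() != "no":
        findings.append(("ChallengeResponseAuthentication",
                         get("challengeresponseauthentication"),
                         "keyboard-interactive still accepts a password; set to no"))
    if not get("allowusers"):
        findings.append(("AllowUsers", "(unset)",
                         "every local account can be tried; list the intended logins"))
    if get("port") == "22":
        findings.append(("Port", "22",
                         "default port draws scanner noise; moving it is no substitute for keys"))
    return findings

# Constructed sample configs, not copied from any real host.
WEAK_CONFIG = """\
# stock-looking sshd_config: everything left at its default
#Port 22
#PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers theman xserve geeyoueye
"""

# The trap: a "no" appended below an earlier "yes" never takes effect.
APPENDED_CONFIG = """\
PasswordAuthentication yes
Port 2222
ChallengeResponseAuthentication no
AllowUsers xserve
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("appended", APPENDED_CONFIG)):
        for directive, value, why in audit(cfg):
            print(f"[{name}] {directive} = {value}: {why}")
```

Run it against your own /etc/sshd_config after editing and before restarting sshd; the "appended" sample is the case where a change looks applied but is not.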
     
EmmEff
Dedicated MacNNer
Join Date: Jul 2004
Location: Ontario, Canada
Dec 12, 2005, 02:11 PM
 
Originally Posted by zanyterp
if that is correct, where are the certs stored and are self-signed/generated (using openSSL or another similar utility from the command line) allowed?
Typically you'd use a DSA/RSA key. The client needs its own key, which is added to the server's $HOME/.ssh/authorized_keys2 file. There are many docs online that cover how to configure this.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Dec 14, 2005, 02:18 PM
 
Originally Posted by zanyterp
by disabling passwords then you can't get in for maintenance either though, right? or am i missing something vital in that statement?
What those guys said.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Rob van dam
Grizzled Veteran
Join Date: Oct 2001
Location: Australia
Dec 16, 2005, 03:24 AM
 
Without having to start another thread, can someone tell me what the following means?

06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647b20 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647b40 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647b70 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647ba0 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647bd0 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647c00 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647c20 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647c40 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647c70 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647ca0 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647cd0 of class NSCFString autoreleased with no pool in place - just leaking
2005-12-06 00:59:45.873 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647d00 of class NSCFString autoreleased with no pool in place - just leaking

and

/Applications/Windows Media Player/Windows Media Player.app/Contents/MacOS/WindowsMediaPlayer: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***
Dec 12 01:22:09 Miguel-Munozs-Computer /Applications/Windows Media Player/Windows Media Player.app/Contents/MacOS/WindowsMediaPlayer: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***
Dec 12 01:22:55 Miguel-Munozs-Computer /Applications/Windows Media Player/Windows Media Player.app/Contents/MacOS/WindowsMediaPlayer: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***
Dec 12 01:24:01 Miguel-Munozs-Computer /Applications/Windows Media Player/Windows Media Player.app/Contents/MacOS/WindowsMediaPlayer: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***

and

-1: DNSServiceRegister("iTunes_Ctrl_52870883FFF1FBD3", "_dacp._tcp.", "local.", 3689) failed: Client id -1 invalid (-65549)



Is this data meant to mean anything? Is there a book that I can buy or something which will help me understand what this stuff is?
Apple, an innovator in a world of imitators.
And that's the bottom line!!!!!!!!!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Dec 16, 2005, 03:29 AM
 
All sorts of debug information is logged and is spewed to the Console by all sorts of apps. Do you have a particular concern with these particular errors?
     
Rob van dam
Grizzled Veteran
Join Date: Oct 2001
Location: Australia
Dec 16, 2005, 04:50 AM
 
Originally Posted by besson3c
All sorts of debug information is logged and is spewed to the Console by all sorts of apps. Do you have a particular concern with these particular errors?

Kinda. I guess I want to know what they mean. I had similar stuff a while ago when the machine was at a snail's pace and I did not know what to do.
Apple, an innovator in a world of imitators.
And that's the bottom line!!!!!!!!!
     
MonitorFlickers
Fresh-Faced Recruit
Join Date: Dec 2005
Dec 16, 2005, 03:33 PM
 
Originally Posted by Rob van dam
without having to start another thread can someone tell me what the following means.

06 00:59:45.872 iTunes[1750] *** _NSAutoreleaseNoPool(): Object 0x7647b20 of class NSCFString autoreleased with no pool in place - just leaking
.........

and

/Applications/Windows Media Player/Windows Media Player.app/Contents/MacOS/WindowsMediaPlayer: *** Warning: ATSUMeasureText has been deprecated. Use ATSUGetUnjustifiedBounds instead. ***
........

Is this data meant to mean anything? Is there a book that I can buy or something which will help me understand what this stuff is?
NSAutoreleasePool and NSCFString (and lots of other things that start with NS) are Objective-C classes, and those messages are errors from the frameworks. In other words, what you're seeing is simply the result of some programming mistakes and/or little bugs with the code in the specified program. If your app is running and not causing your Mac to burst into flames, then don't worry about it; it shouldn't affect network security. It's just Objective-C saying 'Hey, this code isn't quite right'.

I didn't read too much of what you posted, but be aware that the 'leaking' warning could be bad. It means memory is possibly not being handled appropriately. Your computer will run sluggishly because of this if you leave these apps running for a long time without quitting them. If you quit your apps when you're not using them (the ones reporting the leaks, at least), the system will free up any leaked memory. Leaking can, over time, potentially lead to crashes. Just make sure you're quitting iTunes when you're done listening to your music.

Same goes for Windows Media Player: you're seeing a warning from the system that the program is using programming calls that aren't being officially supported anymore. Which isn't a huge deal, really.

These are mostly things for the programmers to see and (hopefully) correct.
     
jamil5454
Mac Elite
Join Date: Oct 2004
Location: Downtown Austin, TX
Dec 19, 2005, 02:58 AM
 
Originally Posted by Xserve@home
Thanks! I just changed my sshd port, too.

Yesterday I got this:
Code:
........
If anyone wants to do something nasty to those IPs, be my guest!!
If you look carefully, those connection attempts are 3-10 seconds apart. SSH will pause between invalid login attempts, so my guess is that it's just a brute forcer scanning the Internet. If you have a dynamic IP address, I'd suggest trying to change it by power cycling / resetting your cable/dsl modem a few times. If that doesn't do it, simply contact your ISP and ask them to change your IP address. This should reveal whether the attacker is targeting you specifically or just scanning a range of IPs.

The only other way he/she can discover your new IP address is to determine it from a web site login. For example, say you signed up with a unique username and password at www.wooha.com. When you signed up, it related your username to your IP, and if you repeatedly log in after your IP has changed, then the attacker can probably deduce the new IP of your machine.
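jamil5454's point about the spacing of the attempts, and the OP's plan to look at log analyzers, can be turned into a few lines of code. The following is an added example, not from the thread: a Python parser for sshd lines in the format posted above that groups attempts by source address and reports how many there were, which usernames were tried and how far apart they came, which is the difference between a scanner walking a username list and a person mistyping a password. The sample lines are constructed, reusing the addresses from the thread plus one documentation-range address (192.0.2.55) for a lone failed login; the year is assumed to be 2005 because syslog timestamps carry none.

```python
"""Summarise sshd brute-force noise in a system.log.

Added example, not code from the thread. It parses the three sshd message
shapes in the logs posted above (Illegal/Invalid user, Failed password, Did
not receive identification string), groups them by source address and reports
attempts, usernames tried and the cadence between attempts, which is what
separates a scanner from a person mistyping a password. Assumes the syslog
year is 2005, since syslog timestamps carry no year.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2005  # assumption: syslog lines omit the year

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Message shapes by event kind. "Illegal user" is the OpenSSH wording of the
# era; newer releases say "Invalid user" and append "port N".
PATTERNS = [
    ("login", re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")),
    ("login", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) "
                         r"from (?P<ip>\S+) port \d+")),
    ("probe", re.compile(r"^Did not receive identification string from (?P<ip>\S+)")),
]

def parse_event(line):
    """Return {'time','kind','ip','user'} for a recognised sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, pat in PATTERNS:
        hit = pat.match(m["msg"])
        if hit:
            return {"time": when, "kind": kind, "ip": hit.group("ip"),
                    "user": hit.groupdict().get("user")}
    return None

def summarise(log_text, min_attempts=5, max_gap_seconds=60):
    """Per source IP: attempts, probes, usernames, gap range, automation verdict."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event:
            by_ip[event["ip"]].append(event)
    report = {}
    for ip, events in by_ip.items():
        logins = sorted(e["time"] for e in events if e["kind"] == "login")
        gaps = [(b - a).total_seconds() for a, b in zip(logins, logins[1:])]
        report[ip] = {
            "attempts": len(logins),
            "probes": sum(1 for e in events if e["kind"] == "probe"),
            "usernames": sorted({e["user"] for e in events if e["user"]}),
            "min_gap": min(gaps) if gaps else None,
            "max_gap": max(gaps) if gaps else None,
            # many attempts at a steady few-second cadence is a tool walking a
            # username list; a lone failure is usually a person's typo
            "looks_automated": (len(logins) >= min_attempts and bool(gaps)
                                and max(gaps) <= max_gap_seconds),
        }
    return report

# Constructed sample in the format posted above (two scanners, one typo).
SAMPLE_LOG = """\
Nov 11 05:16:39 G3 sshd[20869]: Illegal user webadmin from 200.4.128.2
Nov 11 05:16:43 G3 sshd[20876]: Illegal user ftp from 200.4.128.2
Nov 11 05:16:47 G3 sshd[20880]: Illegal user test from 200.4.128.2
Nov 11 05:16:52 G3 sshd[20882]: Failed password for root from 200.4.128.2 port 1072 ssh2
Nov 11 05:16:57 G3 sshd[20884]: Illegal user admin from 200.4.128.2
Nov 11 09:12:03 G3 sshd[23001]: Failed password for xserve from 192.0.2.55 port 51022 ssh2
Nov 11 16:38:14 G3 sshd[28790]: Did not receive identification string from 24.34.202.236
Nov 11 16:41:06 G3 sshd[28836]: Failed password for root from 24.34.202.236 port 35587 ssh2
Nov 11 16:41:08 G3 sshd[28838]: Illegal user test from 24.34.202.236
Nov 11 16:41:11 G3 sshd[28840]: Illegal user test from 24.34.202.236
Nov 11 16:41:19 G3 sshd[28846]: Illegal user guest from 24.34.202.236
Nov 11 16:41:21 G3 sshd[28848]: Failed password for nobody from 24.34.202.236 port 35616 ssh2
"""

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at your real system.log (`summarise(open("/var/log/system.log").read())`) and the sources with looks_automated set are the scanners; the rest deserve a closer look.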
     
   
 