On Sat, 2004-07-17 at 15:40, Jonathan T. Steadman wrote:
> Sorry this is yet another lame question, but I am new to hosting web
> servers etc., just kinda experimenting actually, and in my logs I came
> across some garbage (it's at the bottom of this email). What do you do
> about this? Just let it be? Inform the ISP? Wait and see if it is more
> continuous? Don't know the proper thing to do, I guess, just making sure
> with you guys.
>
> Jul 17 14:42:24 localhost sshd[6746]: Illegal user test from 130.120.81.14
> Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user test from 130.120.81.14 port 48692 ssh2
> Jul 17 14:42:27 localhost sshd[6748]: Illegal user guest from 130.120.81.14
> Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user guest from 130.120.81.14 port 48753 ssh2
> Jul 17 14:42:31 localhost sshd[6750]: Illegal user admin from 130.120.81.14
> Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user admin from 130.120.81.14 port 48807 ssh2
> Jul 17 14:42:34 localhost sshd[6752]: Illegal user admin from 130.120.81.14
> Jul 17 14:42:37 localhost sshd[6752]: Failed password for illegal user admin from 130.120.81.14 port 48849 ssh2
> Jul 17 14:42:38 localhost sshd[6754]: Illegal user user from 130.120.81.14
> Jul 17 14:42:40 localhost sshd[6754]: Failed password for illegal user user from 130.120.81.14 port 48879 ssh2
> Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from 130.120.81.14 port 48900 ssh2
> Jul 17 14:42:47 localhost sshd[6758]: Failed password for root from 130.120.81.14 port 48913 ssh2
> Jul 17 14:42:50 localhost sshd[6760]: Failed password for root from 130.120.81.14 port 48924 ssh2
> Jul 17 14:42:51 localhost sshd[6762]: Illegal user test from 130.120.81.14
> Jul 17 14:42:54 localhost sshd[6762]: Failed password for illegal user test from 130.120.81.14 port 48931 ssh2

First thing is to block that IP address (or even that entire subnet) using iptables.

Second, make sure root access via ssh has been disabled. (Modify the /etc/ssh/sshd_config file and comment out PermitRootLogin.)

Third, make sure you have good passwords on all accounts.

Fourth, check your logs for any logins that succeeded near the time this attack occurred. If there were any, try to check the history on each to see what was done.

Fifth, run a tripwire report if you have it installed. If you don't have it installed, install it and set it up. Won't help for this instance but maybe next time it will. This is one way to try to find out if anything critical was modified or added.

Sixth, turn off any services not really needed and configure iptables to block everything but what is really needed.

You may also want to set up snort to monitor the traffic going to your server. I believe it can be configured to alert you when something like this is occurring.

And if you think the system was compromised you may want to replace it with another system while you reload everything on it from backups or from scratch.

-- 
Scot L. Harris
webid@xxxxxxxxxx

That's always the way when you discover something new; everyone thinks you're crazy.
-- Evelyn E. Smith
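An added example, not part of Scot's reply or anything else in this thread: a small Python script that parses sshd "Failed password" lines in the exact format quoted above and flags any source address that piles up failed logins inside a short window, listing the usernames it tried. The year is an assumption (syslog lines carry none), and the last sample line from 192.0.2.10 is constructed to show that a lone failure is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd failure lines quoted in the post, e.g.
# "Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user test from 130.120.81.14 port 48692 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failure(line, year=2004):
    """Return (timestamp, user, ip) for a failed-password line, else None. Year is assumed."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_bruteforce(lines, threshold=5, window=60):
    """Return {ip: {"failures": n, "users": [...]}} for every source with >= threshold failures in any window-second span."""
    failures, users = defaultdict(list), defaultdict(set)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, user, ip = parsed
            failures[ip].append(ts)
            users[ip].add(user)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window: drop failures older than `window` seconds before times[end]
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(times), "users": sorted(users[ip])}
                break
    return flagged

# Sample input: five lines taken from the post plus one constructed single failure from another host.
SAMPLE_LOG = [
    "Jul 17 14:42:26 localhost sshd[6746]: Failed password for illegal user test from 130.120.81.14 port 48692 ssh2",
    "Jul 17 14:42:30 localhost sshd[6748]: Failed password for illegal user guest from 130.120.81.14 port 48753 ssh2",
    "Jul 17 14:42:33 localhost sshd[6750]: Failed password for illegal user admin from 130.120.81.14 port 48807 ssh2",
    "Jul 17 14:42:40 localhost sshd[6754]: Failed password for illegal user user from 130.120.81.14 port 48879 ssh2",
    "Jul 17 14:42:43 localhost sshd[6756]: Failed password for root from 130.120.81.14 port 48900 ssh2",
    "Jul 17 14:45:01 localhost sshd[6800]: Failed password for jon from 192.0.2.10 port 51000 ssh2",  # constructed
]
```

Run `find_bruteforce(open("/var/log/auth.log").read().splitlines())` against a real log (the path varies by distribution); the "Illegal user" lines are skipped on purpose since each is followed by a "Failed password" line carrying the same source and username.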