PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Fri Aug 07, 2009 8:08 am 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
My secure logs have pages and pages (megs) of...

Aug 7 14:07:35 host-78-129-251-11 sshd[8330]: Connection closed by 87.117.237.68

Is this an attack attempt?


PostPosted: Fri Aug 07, 2009 8:48 am 
Forum Contributor

Joined: Thu Jun 11, 2009 5:32 am
Posts: 105
Location: Essex
Check your faillog file. If someone is trying to get in via an SSH connection there should be a large number of failed login attempts, unless they already had a password of course.


PostPosted: Fri Aug 07, 2009 9:10 am 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
I just have '@@@@@@@@@@@@@' in my faillog? :?


PostPosted: Fri Aug 07, 2009 7:06 pm 
Forum Contributor

Joined: Sun Sep 09, 2007 6:27 pm
Posts: 282
Probably an ssh hack bot. Some time ago I started running my ssh on a non-standard port to get rid of the logfile clutter caused by the frequent bots' hack attempts.


PostPosted: Mon Aug 10, 2009 1:50 am 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
Did it help?


PostPosted: Mon Aug 10, 2009 2:36 am 
Forum Contributor

Joined: Sun Sep 09, 2007 6:27 pm
Posts: 282


PostPosted: Mon Aug 10, 2009 4:00 am 
Forum Contributor

Joined: Thu Jun 11, 2009 5:32 am
Posts: 105
Location: Essex
faillog is a binary file and is not meant to be sent to a text viewer. If you are seeing loads of '@@@@@@@@@' then I guess you are trying to pipe it to less or use another type of text viewer to look at the file. In /var/log, just type faillog; this will output the log in a readable format. If you are seeing @@@ when using a text editor, that means there are failed login attempts on your machine.


PostPosted: Mon Aug 10, 2009 7:42 am 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey


PostPosted: Mon Aug 10, 2009 9:56 am 
Forum Contributor

Joined: Thu Jun 11, 2009 5:32 am
Posts: 105
Location: Essex
Sounds good.

To be safe, try to connect via ssh and use an invalid username / password combo. Then check your faillog again to make sure the attempt is logged.

If you wish to double check, look at your auth.log, but I hope you're not squeamish! This is an example of mine

Aug 9 07:09:16 topicPlusLinux sshd[22340]: Did not receive identification string from 189.1.164.52
Aug 9 07:13:51 topicPlusLinux sshd[22341]: Invalid user mat3 from 189.1.164.52
Aug 9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): check pass; user unknown
Aug 9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.1.164.52

and later in the day I have one of these every three seconds, for hours! They tried untold amounts of port numbers too, so moving ports doesn't always help.

Limit the allowed users for SSH connections. One user should be enough if it's just you connecting. Use a very secure password (mine uses upper and lower case, non-alphanumeric characters and is over 20 chars long). Also, double check iptables to make sure everything is locked down. Limiting connections with the use of IP addresses is best, but not always possible when connecting via a non-static IP.

Good luck mate! I'm off to email the admin for that ip address telling him to get lost!
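One way to triage lines like the auth.log excerpt above and the "Connection closed by" line from the first post, written here as an added example (not code from any poster): it parses the sshd message formats quoted in this thread, tallies events per source address over a constructed sample log, and flags sources whose failed-login lines reach a threshold, while treating a bare "Connection closed by" as inconclusive on its own. The sample log, the threshold of 3 and the event-type names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Shape of the sshd syslog lines quoted in the thread: "<Mon> <day> <hh:mm:ss> <host> sshd[<pid>]: <message>"
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message patterns from the thread, mapped to an (assumed) event type. Only the first two are
# evidence of a guessed login; "Connection closed by" alone is just a dropped session.
EVENT_PATTERNS = [
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("auth_failure", re.compile(r"authentication failure;.*rhost=(?P<ip>[\d.]+)")),
    ("no_ident", re.compile(r"^Did not receive identification string from (?P<ip>[\d.]+)")),
    ("closed", re.compile(r"^Connection closed by (?P<ip>[\d.]+)")),
]

# Constructed sample log, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Aug  7 14:07:35 host-78-129-251-11 sshd[8330]: Connection closed by 87.117.237.68
Aug  9 07:09:16 topicPlusLinux sshd[22340]: Did not receive identification string from 189.1.164.52
Aug  9 07:13:51 topicPlusLinux sshd[22341]: Invalid user mat3 from 189.1.164.52
Aug  9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): check pass; user unknown
Aug  9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.1.164.52
Aug  9 07:13:54 topicPlusLinux sshd[22343]: Invalid user mat4 from 189.1.164.52
Aug  9 07:13:54 topicPlusLinux sshd[22343]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.1.164.52
"""

def parse_line(line):
    """Return (event_type, source_ip) for a recognised sshd line, else None."""
    m = SSHD_LINE.match(line.strip())
    if not m:
        return None
    for event, pattern in EVENT_PATTERNS:
        em = pattern.search(m.group("msg"))
        if em:
            return event, em.group("ip")
    return None  # e.g. "check pass; user unknown" carries no source address

def summarise(lines, threshold=3):
    """Tally events per source IP; flag IPs with at least `threshold` failure lines."""
    per_ip = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            event, ip = parsed
            per_ip[ip][event] += 1
    flagged = {ip for ip, c in per_ip.items()
               if c["invalid_user"] + c["auth_failure"] >= threshold}
    return per_ip, flagged
```

Run it with `summarise(open("/var/log/auth.log").read().splitlines())` (or `/var/log/secure` on CentOS, as a later post notes) to get per-address counts plus the set of flagged sources; each guessed login produces both an "Invalid user" and an "authentication failure" line, so the threshold counts lines, not attempts.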


PostPosted: Mon Aug 10, 2009 11:52 pm 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey


PostPosted: Tue Aug 11, 2009 3:49 am 
Forum Contributor

Joined: Thu Jun 11, 2009 5:32 am
Posts: 105
Location: Essex


PostPosted: Fri Aug 14, 2009 8:33 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4313
Location: Sofia, Bulgaria

_________________
There are 10 types of people in this world, those who understand binary and those who don't


PostPosted: Fri Aug 14, 2009 5:20 pm 
Forum Newbie

Joined: Fri Jul 17, 2009 1:15 am
Posts: 18
Just FYI:
I am using CentOS, and the faillogs are located in the secure file (/var/log).

_________________
AccuWebHosting.Com - Windows VPS Hosting
ASP.NET 3.5 | SQL 2005 Database | US Based Hosting Company | 24 X 7 Support | Daily Backups | Uptime Guarantee | Affiliates - $50 Per Sale


PostPosted: Mon Aug 17, 2009 5:58 am 
DevNet Resident

Joined: Wed Jun 18, 2008 8:32 am
Posts: 1483
Location: Surrey
Thanks all of you for your help.

VladSun, thanks for the commands - I look forward to having a go :)

