Secure log files:: possible break in attempt?
Posted: Fri Aug 07, 2009 8:08 am
by jaoudestudios
My secure logs have pages and pages (megs) of...
Aug 7 14:07:35 host-78-129-251-11 sshd[8330]: Connection closed by 87.117.237.68
Is this an attack attempt?
Re: Secure log files:: possible break in attempt?
Posted: Fri Aug 07, 2009 8:48 am
by marty pain
Check your faillog file. If someone is trying to get in via an SSH connection there should be a large number of failed login attempts, unless they already had a password of course.
Re: Secure log files:: possible break in attempt?
Posted: Fri Aug 07, 2009 9:10 am
by jaoudestudios
I just have '@@@@@@@@@@@@@' in my faillog?

Re: Secure log files:: possible break in attempt?
Posted: Fri Aug 07, 2009 7:06 pm
by Doug G
Probably an SSH hack bot. Some time ago I started running my ssh on a non-standard port to get rid of the logfile clutter caused by the frequent bots' hack attempts.
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 1:50 am
by jaoudestudios
Did it help?
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 2:36 am
by Doug G
jaoudestudios wrote:Did it help?
If you're asking me about changing ports, yes. I have a controlled environment where I don't need to educate users on how to configure their ssh client to use a different port, and all the breakin attempts stopped. Completely.
I did this mostly as an annoyance eliminator; it's provided a bit of additional security, but don't think just changing the ssh port will fix any other security issues with your system!
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 4:00 am
by marty pain
faillog is a binary file and is not meant to be sent to a text viewer. If you are seeing loads of '@@@@@@@@@' then I guess you are trying to pipe it to less or use another type of text viewer to look at the file. In /var/log just type faillog; this will output the log in a readable format. If you are seeing @@@ when using a text editor, that means there are failed login attempts on your machine.
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 7:42 am
by jaoudestudios
marty pain wrote:faillog is a binary file and is not meant to be sent to a text viewer. If you are seeing loads of '@@@@@@@@@' then I guess you are trying to pipe it to less or use another type of text viewer to look at the file. In /var/log just type faillog; this will output the log in a readable format. If you are seeing @@@ when using a text editor, that means there are failed login attempts on your machine.
Ah, that makes sense.
I typed 'faillog' and got nothing back - I guess that is good?
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 9:56 am
by marty pain
Sounds good.
To be safe, try to connect via ssh and use an invalid username / password combo. Then check your faillog again to make sure the attempt is logged.
If you wish to double check, look at your auth.log, but I hope you're not squeamish! This is an example of mine:
Aug 9 07:09:16 topicPlusLinux sshd[22340]: Did not receive identification string from 189.1.164.52
Aug 9 07:13:51 topicPlusLinux sshd[22341]: Invalid user mat3 from 189.1.164.52
Aug 9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): check pass; user unknown
Aug 9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.1.164.52
and later in the day I have one of these every three seconds, for hours! They tried untold amounts of port numbers too, so moving ports doesn't always help.
Limit the allowed users for SSH connections. One user should be enough if it's just you connecting. Use a very secure password (mine uses upper and lower case, non-alphanumeric characters and is over 20 chars long). Also, double check iptables to make sure everything is locked down. Limiting connections with the use of IP addresses is best, but not always possible when connecting via a non-static IP.
Good luck mate! I'm off to email the admin for that ip address telling him to get lost!
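A small parser for the sshd lines quoted above, as an added example (not from any poster in the thread): it counts rejected logins per source address, deduplicating the "Invalid user" and pam "authentication failure" lines that share one sshd pid, and flags addresses whose failures arrive seconds apart, which is the "one every three seconds" pattern rather than a person mistyping. The 192.0.2.10 lines in the sample are constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the thread; the 192.0.2.10 lines
# (a legitimate user mistyping once, then disconnecting) are made up for contrast.
SAMPLE_LOG = """\
Aug  9 07:09:16 topicPlusLinux sshd[22340]: Did not receive identification string from 189.1.164.52
Aug  9 07:13:51 topicPlusLinux sshd[22341]: Invalid user mat3 from 189.1.164.52
Aug  9 07:13:51 topicPlusLinux sshd[22341]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.1.164.52
Aug  9 07:13:54 topicPlusLinux sshd[22342]: Invalid user admin from 189.1.164.52
Aug  9 07:13:57 topicPlusLinux sshd[22343]: Invalid user oracle from 189.1.164.52
Aug  9 07:14:00 topicPlusLinux sshd[22344]: Invalid user test from 189.1.164.52
Aug  9 07:30:05 topicPlusLinux sshd[22359]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Aug  9 07:30:40 topicPlusLinux sshd[22360]: Connection closed by 192.0.2.10
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Invalid user \S+ from (\S+)|authentication failure;.*rhost=(\S+)")
PROBE_RE = re.compile(r"Did not receive identification string from (\S+)")

def summarise(log_text, year=2009):
    """Per source address: rejected logins (one per sshd child pid), bannerless probes,
    and the shortest gap in seconds between consecutive rejected logins."""
    seen, per_ip = set(), defaultdict(lambda: {"failures": 0, "probes": 0, "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")  # syslog omits the year
        if (p := PROBE_RE.search(m["msg"])):
            per_ip[p.group(1)]["probes"] += 1
        elif (f := FAIL_RE.search(m["msg"])):  # "Connection closed by" matches neither: no credential tried
            ip = f.group(1) or f.group(2)
            if (m["pid"], ip) not in seen:  # Invalid user + pam failure for one attempt share a pid
                seen.add((m["pid"], ip))
                per_ip[ip]["failures"] += 1
                per_ip[ip]["times"].append(ts)
    report = {}
    for ip, d in per_ip.items():
        t = sorted(d["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        report[ip] = {"failures": d["failures"], "probes": d["probes"], "min_gap_s": min(gaps) if gaps else None}
    return report

def suspicious(report, min_failures=3, max_gap_s=10):
    """Addresses whose failures come in quick succession: a bot, not someone mistyping."""
    return sorted(ip for ip, d in report.items()
                  if d["failures"] >= min_failures and d["min_gap_s"] is not None and d["min_gap_s"] <= max_gap_s)
```

On a CentOS box the same lines live in /var/log/secure rather than auth.log, so feed that file's contents to summarise().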
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 10, 2009 11:52 pm
by jaoudestudios
marty pain wrote:If you wish to double check, look at your auth.log, but I hope you're not squeamish!
I don't have an auth.log file in /var/log/
marty pain wrote:Good luck mate! I'm off to email the admin for that ip address telling him to get lost!
Good luck
Unfortunately I cannot lock the IP just to mine, as I do have a dynamic IP, not that it changes much (once a year) but I can't risk it. Could I lock it down to my IP range, i.e. xxx.xxx.xxx.1-256?
Re: Secure log files:: possible break in attempt?
Posted: Tue Aug 11, 2009 3:49 am
by marty pain
jaoudestudios wrote: Could I lock it down to my IP range, i.e. xxx.xxx.xxx.1-256?
Probably, but I've never had to do it. Look up IPTABLES and I'm sure you'll find something to help you set it up.
jaoudestudios wrote:I don't have an auth.log file in /var/log/

I think it depends on what distro you are using to what they call their log files. I don't have a secure log file, so maybe my auth.log is the same as your secure.
Re: Secure log files:: possible break in attempt?
Posted: Fri Aug 14, 2009 8:33 am
by VladSun
jaoudestudios wrote:Could I lock it down to my IP range, i.e. xxx.xxx.xxx.1-256?
iptables -N SSH
iptables -I INPUT -p tcp --dport 22 -j SSH
iptables -A SSH -s 192.168.0.0/24 -j RETURN
iptables -A SSH -s 192.168.2.3 -j RETURN
iptables -A SSH -s 10.0.0.0/16 -j RETURN
iptables -A SSH -j DROP
This will allow only users with IPs:
- from 192.168.0.1 to 192.168.0.254
- 192.168.2.3
- from 10.0.0.1 to 10.0.255.255
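An added example (mine, not VladSun's) that models the SSH chain above with Python's ipaddress module: verdict() walks the rules first-match as netfilter does, and rules_for_range() answers the "xxx.xxx.xxx.1-256" question by turning an inclusive range into the -s networks iptables actually accepts. The 203.0.113.x addresses are constructed documentation-range values.

```python
import ipaddress

# The SSH chain from the thread, in order: (source match, target). RETURN hands the
# packet back to INPUT, i.e. it stays allowed for the rest of the ruleset; DROP discards it.
SSH_CHAIN = [
    (ipaddress.ip_network("192.168.0.0/24"), "RETURN"),
    (ipaddress.ip_network("192.168.2.3/32"), "RETURN"),
    (ipaddress.ip_network("10.0.0.0/16"), "RETURN"),
    (None, "DROP"),  # catch-all: a rule with no -s matches every source
]

def verdict(src, chain=SSH_CHAIN):
    """First-match evaluation: return the target of the first rule whose source matches."""
    addr = ipaddress.ip_address(src)
    for net, target in chain:
        if net is None or addr in net:
            return target
    return "RETURN"  # falling off the end of a user-defined chain also returns to the caller

def rules_for_range(first, last):
    """Exact CIDR cover of an inclusive range, one '-s' rule per network: -s takes
    networks, not dash ranges, and a last octet of 256 is rejected as not an address."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"iptables -A SSH -s {n.with_prefixlen} -j RETURN" for n in nets]
```

Note that 192.168.0.0/24 admits .0 through .255, so the one-rule version is slightly wider than ".1 to .254"; covering exactly .1-.254 takes 14 rules.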
Re: Secure log files:: possible break in attempt?
Posted: Fri Aug 14, 2009 5:20 pm
by thewebhostingdir
Just FYI..
I am using centos, and the faillogs are located in the secure file (/var/log)
Re: Secure log files:: possible break in attempt?
Posted: Mon Aug 17, 2009 5:58 am
by jaoudestudios
Thanks all of you for your help.
VladSun thanks for the commands - I look forward to having a go
