How to deal with illegal attempts to login
madtraffic
2004-08-02, 19:10 PM
My root daily log shows at least 1-2, sometimes up to 5 different IPs trying to login with weird login combinations.
I block them whenever I see them, and even did an IP trace and found network information.
I don't know what to do with them. I am very new to managing a dedicated server and willing to learn if someone could guide me on this issue.
Should I just block and forget, or are there other methods for preventing this? Most of the login attempts are by
admin/password
test/password
demo/demo
and etc.
and the IPs originate mostly from US universities
and Europe: Germany, France.
Thanks for helping
dialdn
2004-08-03, 09:59 AM
I get the same thing. Beyond adding the IP or the range to my iptables, I am curious as well as to what others are doing.
D
Kevin Smith
2004-08-03, 16:19 PM
I get the EXACT same stuff...
Disable root login...
Install portsentry...
You're probably not doing any good by rejecting those IPs... probably more harm to yourself than to them...
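An added example (not from Kevin Smith's post or anyone else in the thread) of checking the sshd settings this advice is about. One caveat worth knowing before editing /etc/ssh/sshd_config: sshd takes the first value it sees for each keyword, so a hardening line appended at the bottom of the file does nothing if a weaker line appears above it. The audit below reproduces that first-wins rule; the two sample config files it writes are constructed for the example, and the list of "wanted" values (root login off, password auth off in favour of keys, SSH-1 off, a low MaxAuthTries) is this example's recommendation, not the thread's consensus.

```shell
#!/bin/sh
# Added example: audit an sshd_config for weak settings, honouring sshd's
# rule that the FIRST value given for a keyword is the one used.
# Wanted values (this example's choice):
#   PermitRootLogin no         log in as a user, then su/sudo
#   PasswordAuthentication no  keys only; "admin/password" guesses then fail outright
#   PubkeyAuthentication yes
#   Protocol 2                 SSH-1 has known weaknesses; "2,1" still allows it
#   PermitEmptyPasswords no
#   MaxAuthTries <= 3          fewer guesses per TCP connection

# effective_value FILE KEYWORD -> prints the value sshd would use ("" if unset)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins, as in sshd
    ' "$1"
}

# audit_sshd_config FILE -> one "Keyword got=X want=Y" line per weak setting,
# no output when the file is clean; exit status 1 if anything was weak.
audit_sshd_config() {
    file=$1; bad=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes Protocol=2 PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s got=%s want=%s\n' "$key" "${got:-<unset>}" "$want"
            bad=1
        fi
    done
    got=$(effective_value "$file" MaxAuthTries)      # numeric upper bound
    if [ -z "$got" ] || [ "$got" -gt 3 ]; then
        printf 'MaxAuthTries got=%s want=<=3\n' "${got:-<unset>}"
        bad=1
    fi
    return $bad
}

# Constructed sample configs (not from any real host), written to temp files
# so the block runs offline.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# a typical 2004 default, plus a hardening line that arrives too late
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# ignored by sshd: PermitRootLogin was already set above
PermitRootLogin no
EOF
cat >"$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers alice bob
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config: fix the findings above"
audit_sshd_config "$HARD_CFG" && echo "hardened config: no findings"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after the edit and before `service sshd reload`, and keep an existing session open while you test a new login so a mistake in the config does not lock you out.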
bow-wow
2004-08-03, 23:42 PM
Originally posted by Kevin Smith
I get the EXACT same stuff...
Disable root login...
Install portsentry...
You're probably not doing any good by rejecting those IPs... probably more harm to yourself than to them...
I agree, rejecting IPs may seem like a good short-term solution, but do you plan on doing that forever? Before you know it you'll be blocking hundreds or thousands of addresses, and it will either start causing other problems or become too cumbersome to maintain. Unless you are getting consistent attacks over time from a single IP, I see no value in this practice.
As far as root login goes... that has been debated before, the consensus being there isn't much reason to disable root login if you are using SSH.
This should go without saying, but if you're serious about security, telnet should be completely disabled. Period. SSH is superior in every way, especially security.
Use a firewall to restrict access to services and ports only to those who need them. Only let things like http, pop, smtp, imap, dns, etc [the essentials] stay open to the world.
Require your users to have passwords of minimum length, complexity, number/symbol content, etc.
With a good security policy, a good firewall, up-to-date patches, etc., you shouldn't have to sweat about someone trying to login with generic usernames and passwords.
GrumpyTucker
2004-08-06, 00:39 AM
I keep my security patches set to update automatically and keep my passwords very long, and still I got these in my logs:
**Unmatched Entries**
Illegal user test from 69.59.166.236
Illegal user guest from 69.59.166.236
Illegal user user from 69.59.166.236
Illegal user test from 69.59.166.236
You helped me on another post, bow-wow, on how to block whole ranges, and thanks again for that, but what else am I supposed to do to keep my box hacker-resistant? The only thing is that even after I use the iptables-save command, the IP addresses I enter disappear. Oh, can you or anyone else tell me how to disable telnet and how I can enable root to log in via SSH? I'm getting tired of moving files around to where I can grab them with the SSH file transfer, then having to chmod to where it will allow me to download them. I don't like the command line very much, but what else do you expect from a Windows user?
:shrug:
Tino Didriksen
2004-08-06, 13:30 PM
If you don't like the command line, don't use the command line. There are plenty of 'visual' file manager tools out there, with Midnight Commander being the best over SSH ("up2date --install mc" or "apt-get install mc"). Webmin's file manager is also quite good.
As for how to permit root login, edit /etc/ssh/sshd_config and change "PermitRootLogin no" to yes. Then run "service sshd reload".
There should also be a way to make a lockdown of sorts... like 3 false logins from an IP, and that IP gets blocked for an hour. I believe portsentry can do this, though from what I read it's not a wholly clean solution.
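An added example, not code from Tino Didriksen or anyone else in the thread, of the lockdown idea above done with the tools already on the box rather than portsentry: read the sshd failure lines that syslog writes (the "Illegal user X from IP" format GrumpyTucker posted, which newer OpenSSH spells "Invalid user", plus "Failed password for X from IP"), count them per source address, and print an iptables DROP rule for every address at or over a threshold. The log path, the threshold, the chain name and the sample log lines are this example's assumptions; the sample is constructed, in the format seen in the thread.

```shell
#!/bin/sh
# Added example: failed-login lockout driven from the sshd log.
LOG=${LOG:-/var/log/secure}       # Debian/Ubuntu: /var/log/auth.log (assumption)
THRESHOLD=${THRESHOLD:-3}         # failures from one IP before it is dropped
CHAIN=SSH_LOCKOUT                 # a dedicated chain so blocks can be flushed as a unit

# offending_ips THRESHOLD < loglines -> "count ip" for every IP at/over threshold
offending_ips() {
    awk -v limit="$1" '
        /Illegal user .* from / || /Invalid user .* from / || /Failed password for .* from / {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' | sort -k2
}

# block_rules THRESHOLD < loglines -> iptables commands, printed (not executed)
block_rules() {
    offending_ips "$1" | while read -r count ip; do
        printf 'iptables -I %s -s %s -p tcp --dport 22 -j DROP   # %s failures\n' \
            "$CHAIN" "$ip" "$count"
    done
}

# Constructed sample, in the format of the log lines posted in this thread.
# Four bad usernames from one host cross the threshold; one mistyped
# password from 10.0.0.7 does not.
SAMPLE='Aug  5 03:11:01 box sshd[4120]: Illegal user test from 69.59.166.236
Aug  5 03:11:02 box sshd[4121]: Illegal user guest from 69.59.166.236
Aug  5 03:11:03 box sshd[4122]: Illegal user user from 69.59.166.236
Aug  5 03:11:04 box sshd[4123]: Illegal user test from 69.59.166.236
Aug  5 09:40:17 box sshd[4590]: Failed password for alice from 10.0.0.7 port 51002 ssh2
Aug  5 09:40:20 box sshd[4590]: Accepted password for alice from 10.0.0.7 port 51002 ssh2'

if [ "${DEMO:-1}" = 1 ]; then
    printf '%s\n' "$SAMPLE" | block_rules "$THRESHOLD"      # dry run on the sample
else
    # Real use (needs root), e.g. every 5 minutes from cron, after creating the
    # chain once with: iptables -N SSH_LOCKOUT
    #                  iptables -I INPUT -p tcp --dport 22 -j SSH_LOCKOUT
    # and flushing it hourly (iptables -F SSH_LOCKOUT) so a block is temporary.
    tail -n 2000 "$LOG" | block_rules "$THRESHOLD" | sh -e
fi
```

Two caveats a practitioner will want: only the tail of the log is scanned each run, so the window is "recent failures", not all time; and because the source address is read from the log line, make sure the block is only ever applied to the dedicated chain, so that a mistake (or your own IP after a few typos) can be undone with a single flush rather than by rebuilding the whole ruleset.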
bow-wow
2004-08-07, 00:37 AM
Originally posted by GrumpyTucker
I keep my security patches set to update automatically and keep my passwords very long, and still I got these in my logs:
**Unmatched Entries**
Illegal user test from 69.59.166.236
Illegal user guest from 69.59.166.236
Illegal user user from 69.59.166.236
Illegal user test from 69.59.166.236
You helped me on another post, bow-wow, on how to block whole ranges, and thanks again for that, but what else am I supposed to do to keep my box hacker-resistant? The only thing is that even after I use the iptables-save command, the IP addresses I enter disappear. Oh, can you or anyone else tell me how to disable telnet and how I can enable root to log in via SSH? I'm getting tired of moving files around to where I can grab them with the SSH file transfer, then having to chmod to where it will allow me to download them. I don't like the command line very much, but what else do you expect from a Windows user?
:shrug:
To disable telnet, edit /etc/xinetd.d/telnet
and look for the disable option and set it to yes:
disable = yes
Save the file, then restart xinetd:
/etc/init.d/xinetd restart
For ensuring persistent firewall rules I just use a script file that gets run at boot. To do that I just put the iptables commands to create the desired rules in a file, make it executable, and have it started right after networking at boot time. There might be a better way to do this, I don't know; I've never messed with iptables-save, I like my script file. This makes it easy to copy my firewall rules to another machine too.
As far as your log messages go... are you the only person who logs into your box via SSH? Do you have a static IP? If so, I would use iptables to restrict access to port 22 to your IP only. If this is not your situation, it might be more difficult. You could look into adding public key auth on top of password auth for added security.
Anyway, there is no reason to freak out over those log messages. Someone was probing your box for weaknesses/vulnerabilities, that's all. Lock down SSH to your IP (or to a few specific, trusted IPs) if possible and you won't have to see log entries about these probes, because they won't happen. Alternatively, if you need help adding public key auth, let us know.
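An added example of the boot-time firewall script described in this post and in bow-wow's earlier "only the essentials open to the world" advice. It is not bow-wow's actual script: the default-deny policy, the port list, the interface handling and the trusted SSH source addresses (RFC 5737 documentation ranges) are this example's assumptions, to be edited for the host in question. The rules are generated by a function so they can be printed and inspected without root; at boot you run the same script with APPLY=1.

```shell
#!/bin/sh
# Added example: default-deny inbound firewall, run at boot (e.g. from
# /etc/init.d/firewall or rc.local, after networking).  Rules are built by
# firewall_rules() and printed unless APPLY=1, so a dry run needs no root.
TRUSTED_SSH="${TRUSTED_SSH:-203.0.113.10 198.51.100.0/24}"  # assumed trusted sources (RFC 5737)
PUBLIC_TCP="${PUBLIC_TCP:-25 53 80 110 143 443}"            # smtp dns http pop3 imap https
PUBLIC_UDP="${PUBLIC_UDP:-53}"                              # dns

# firewall_rules TRUSTED_SSH PUBLIC_TCP PUBLIC_UDP -> one iptables command per line
firewall_rules() {
    trusted=$1; tcp_ports=$2; udp_ports=$3
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # services the world genuinely needs
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    # SSH only from the trusted list; any other source hits the DROP policy,
    # so the "Illegal user" probes never reach sshd and never appear in the log
    for src in $trusted; do
        echo "iptables -A INPUT -p tcp -s $src --dport 22 -m state --state NEW -j ACCEPT"
    done
    # telnet (23) is deliberately absent: the service is disabled in xinetd,
    # the firewall is just the second line of defence
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# apply_firewall -> executes the rules; needs root.  Rules do not survive a
# reboot on their own, which is why this script is what runs at boot.
apply_firewall() {
    firewall_rules "$TRUSTED_SSH" "$PUBLIC_TCP" "$PUBLIC_UDP" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_firewall
else
    firewall_rules "$TRUSTED_SSH" "$PUBLIC_TCP" "$PUBLIC_UDP"   # dry run: print only
fi
```

The ESTABLISHED,RELATED rule near the top is what keeps your current session alive when the policy flips to DROP; apply a new ruleset from a console or with a scheduled `iptables -P INPUT ACCEPT` a few minutes later as a safety net until you have confirmed you can still log in. For someone without a fixed address, as GrumpyTucker describes, the trusted-source rule cannot be used and the fallback is key-only authentication plus a failed-login lockout.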
GrumpyTucker
2004-08-08, 20:23 PM
Thanks again, bow-wow. Unfortunately my geek translator broke halfway down your last post when you started talking about scripts and executables. :oops: I got the telnet changed. I also don't have the option of using one IP to log on to my box. I log on all over the USA at truck stops or when I connect my laptop to my cell phone. Soon this won't be the case, but for now I have to be able to log on from whatever IP I may be able to use.
gnosbush
2004-08-14, 22:48 PM
My root daily log shows at least 1-2, sometimes up to 5 different IPs trying to login with weird login combinations.
Sorry, but I am new at this. What is the name and location of the root daily log to check for this?
Thanks!
dogriley
2004-08-16, 09:52 AM
This is most likely an attempt against SSH. Older versions of OpenSSH have a vulnerability they are trying to exploit.
Info here on the vulnerability:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/24453
(includes a link to the program)
From Insecure.org, a thread on it:
http://seclists.org/lists/fulldisclosure/2004/Jul/1125.html
It seems to originate mostly from compromised machines.
I have been seeing the same thing on my other Linux servers as well.
If you are current on your updates you should be fine.
Before blocking ranges of addresses (which is a short term answer with long term issues), I would try notifying the compromised machine owners if you can track them down.