From: Vern <ve...@cw...> - 2005-09-18 23:38:08
These are attempted hacks (logon failures) into your box. Many are created by dictionary password crack programs that are used to attempt to figure out user names and passwords on your box. I used to get these and figured the best thing to do is to block the ssh port (tcp port 22) and only allow specific IP addresses, that I specify, access to that port.

---------- Original Message -----------
From: "pr...@pr..." <pr...@pr...>
To: web...@li...
Sent: Sun, 18 Sep 2005 16:22:56 -0700
Subject: [webmin-l] Understanding daily "LogWatch"?

> From: Prodos (Melbourne, Australia)
>
> Good morning.
>
> I receive a daily email from my WEBMIN server
> called "LogWatch for prodos"
>
> It starts off like this ....
>
> - - -
> ################### LogWatch 4.3.2 (02/18/03) ####################
>       Processing Initiated: Mon Sep 19 04:02:04 2005
>       Date Range Processed: yesterday
>     Detail Level of Output: 0
>          Logfiles for Host: prodos
> ################################################################
> - - -
>
> ... and then lists all sorts of things, such as this ....
>
> - - -
> sshd:
>  Invalid Users:
>     Unknown Account: 2614 Time(s)
>  Authentication Failures:
>     mail (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
>     unknown (220.229.161.171 ): 2211 Time(s)
>     root (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 85 Time(s)
>     sshd (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
>     nobody (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
>     nobody (220.229.161.171 ): 3 Time(s)
>     sshd (220.229.161.171 ): 9 Time(s)
>
> [etc.]
> - - - -
>
> And this ....
>
> - - - -
> --------------------- SSHD Begin ------------------------
>
> Failed logins from these:
>  Aaliyah/password from 200.102.192.82: 5 Time(s)
>  Aaron/password from 200.102.192.82: 5 Time(s)
>  Aba/password from 200.102.192.82: 5 Time(s)
>  Abel/password from 200.102.192.82: 5 Time(s)
>  Chicago/password from 220.229.161.171: 6 Time(s)
>  Christ/password from 220.229.161.171: 3 Time(s)
>  Dakota/password from 220.229.161.171: 6 Time(s)
>  Jewel/password from 200.102.192.82: 5 Time(s)
>  Jordan/password from 220.229.161.171: 6 Time(s)
>
> [etc.]
> - - -
>
> And this ...
>
> - - -
> **Unmatched Entries**
> Illegal user zena from 220.229.161.171
> Illegal user zena from 220.229.161.171
> Illegal user purple from 220.229.161.171
> Illegal user purple from 220.229.161.171
>
> [etc.]
> - - -
>
> Some of the lists are VERY long!
>
> Is there a reference guide somewhere that can help
> me interpret what the different categories and listed
> items mean and what action is advisable in each case?
>
> Thanks for any help on this.
>
> Best Wishes,
>
> PRODOS
>
> http://prodos.thinkertothinker.com
>
> Forwarded by the Webmin mailing list at web...@li....net
------- End of Original Message -------
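The three LogWatch sections quoted above are all built from the same raw sshd syslog lines: "Illegal user X from IP" (the name does not exist, counted under "Unknown Account" and listed as "Unmatched Entries"), "Failed password for illegal user X" (the "unknown" rows) and "Failed password for root/mail/nobody" (failures against accounts that do exist). What Vern's reply calls a dictionary attack is one source trying many usernames in quick succession, and that is visible once the lines are aggregated per source IP rather than per username. The script below does that aggregation. It is an added example for this thread, not code from LogWatch, Webmin or either poster; the log lines in SAMPLE_LOG are constructed to look like the OpenSSH messages of that era (using the two attacking IPs quoted in the report, plus 203.0.113.10 as a made-up address for the owner's own machine), and the thresholds in classify() are assumptions to tune for your own traffic.

```python
"""Aggregate sshd failures per source IP and label dictionary attacks.

Added example for this mailing-list thread; not LogWatch or Webmin code.
SAMPLE_LOG is constructed; 203.0.113.10 stands in for the owner's own host.
"""
import re
from collections import defaultdict

# OpenSSH message formats of the period. Later releases say "Invalid user"
# rather than "Illegal user"; both spellings are matched.
FAILED_PW = re.compile(
    r"Failed password for (?:(?P<invalid>illegal|invalid) user )?(?P<user>\S+)"
    r" from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
INVALID_USER = re.compile(r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LOG = """\
Sep 18 02:11:03 prodos sshd[4121]: Illegal user zena from 220.229.161.171
Sep 18 02:11:03 prodos sshd[4121]: Failed password for illegal user zena from 220.229.161.171 port 52311 ssh2
Sep 18 02:11:05 prodos sshd[4123]: Illegal user purple from 220.229.161.171
Sep 18 02:11:05 prodos sshd[4123]: Failed password for illegal user purple from 220.229.161.171 port 52320 ssh2
Sep 18 02:11:07 prodos sshd[4125]: Illegal user Chicago from 220.229.161.171
Sep 18 02:11:07 prodos sshd[4125]: Failed password for illegal user Chicago from 220.229.161.171 port 52333 ssh2
Sep 18 02:11:09 prodos sshd[4127]: Illegal user Dakota from 220.229.161.171
Sep 18 02:11:09 prodos sshd[4127]: Failed password for illegal user Dakota from 220.229.161.171 port 52340 ssh2
Sep 18 02:11:11 prodos sshd[4129]: Failed password for nobody from 220.229.161.171 port 52351 ssh2
Sep 18 02:11:13 prodos sshd[4131]: Failed password for sshd from 220.229.161.171 port 52360 ssh2
Sep 18 03:40:22 prodos sshd[4410]: Failed password for root from 200.102.192.82 port 3120 ssh2
Sep 18 03:40:25 prodos sshd[4412]: Failed password for root from 200.102.192.82 port 3125 ssh2
Sep 18 03:40:28 prodos sshd[4414]: Failed password for root from 200.102.192.82 port 3131 ssh2
Sep 18 03:40:31 prodos sshd[4416]: Illegal user Aaliyah from 200.102.192.82
Sep 18 03:40:31 prodos sshd[4416]: Failed password for illegal user Aaliyah from 200.102.192.82 port 3137 ssh2
Sep 18 07:02:40 prodos sshd[5002]: Failed password for prodos from 203.0.113.10 port 50122 ssh2
Sep 18 07:02:51 prodos sshd[5004]: Accepted password for prodos from 203.0.113.10 port 50123 ssh2
"""


def parse_line(line):
    """Return (kind, user, ip, account_exists) for a recognised sshd line, else None.

    kind is 'failed_password' (wrong password for an existing or unknown name),
    'invalid_user' (the name does not exist on the box) or 'accepted'.
    """
    if m := FAILED_PW.search(line):
        return "failed_password", m["user"], m["ip"], m["invalid"] is None
    if m := ACCEPTED.search(line):
        return "accepted", m["user"], m["ip"], True
    if m := INVALID_USER.search(line):
        return "invalid_user", m["user"], m["ip"], False
    return None


def summarize(log_text):
    """Aggregate per source IP: failures, failures against real accounts, successes, names tried."""
    stats = defaultdict(lambda: {"failures": 0, "existing_account_failures": 0,
                                 "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind, user, ip, exists = ev
        s = stats[ip]
        s["users"].add(user)
        if kind == "accepted":
            s["accepted"] += 1
        elif kind == "failed_password":
            s["failures"] += 1
            s["existing_account_failures"] += int(exists)
        # an 'invalid_user' line is followed by a 'Failed password' line for the
        # same attempt, so it contributes only the name tried, not a second failure
    return dict(stats)


def classify(stats, min_failures=3, min_users=3):
    """Label each source. Thresholds are assumptions; tune them to your own traffic.

    review: a success from a source that had been failing; inspect by hand first
    dictionary_attack: failures spread over many usernames (the pattern in the report)
    targeted_accounts: repeated failures against names that exist (root, mail, nobody)
    legitimate: a typo or two followed by a successful login
    noise: a few failures and nothing else
    """
    labels = {}
    for ip, s in stats.items():
        if s["accepted"] and s["failures"] >= min_failures:
            labels[ip] = "review"
        elif s["failures"] >= min_failures and len(s["users"]) >= min_users:
            labels[ip] = "dictionary_attack"
        elif s["existing_account_failures"] >= min_failures:
            labels[ip] = "targeted_accounts"
        elif s["accepted"]:
            labels[ip] = "legitimate"
        else:
            labels[ip] = "noise"
    return labels


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, label in classify(stats).items():
        s = stats[ip]
        print(f"{ip:16} {label:18} failures={s['failures']} users={sorted(s['users'])}")
```

Run against the real /var/log/secure (or wherever sshd logs on the box) instead of SAMPLE_LOG, the sources labelled dictionary_attack and targeted_accounts are exactly the ones Vern's port-22 allowlist keeps out; the one thing a plain allowlist cannot do is distinguish a "review" source, so check those by hand before deciding anything was blocked in time.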