From: <pr...@pr...> - 2005-09-18 23:23:12
From: Prodos (Melbourne, Australia)
Good morning.
I receive a daily email from my WEBMIN server
called "LogWatch for prodos"
It starts off like this ....
- - -
################### LogWatch 4.3.2 (02/18/03) ####################
Processing Initiated: Mon Sep 19 04:02:04 2005
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: prodos
################################################################
- - -
... and then lists all sorts of things, such as this ....
- - -
sshd:
Invalid Users:
Unknown Account: 2614 Time(s)
Authentication Failures:
mail (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
unknown (220.229.161.171 ): 2211 Time(s)
root (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 85 Time(s)
sshd (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
nobody (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5
Time(s)
nobody (220.229.161.171 ): 3 Time(s)
sshd (220.229.161.171 ): 9 Time(s)
[etc.]
- - - -
And this ....
- - - -
--------------------- SSHD Begin ------------------------
Failed logins from these:
Aaliyah/password from 200.102.192.82: 5 Time(s)
Aaron/password from 200.102.192.82: 5 Time(s)
Aba/password from 200.102.192.82: 5 Time(s)
Abel/password from 200.102.192.82: 5 Time(s)
Chicago/password from 220.229.161.171: 6 Time(s)
Christ/password from 220.229.161.171: 3 Time(s)
Dakota/password from 220.229.161.171: 6 Time(s)
Jewel/password from 200.102.192.82: 5 Time(s)
Jordan/password from 220.229.161.171: 6 Time(s)
[etc.]
- - -
And this ...
- - -
**Unmatched Entries**
Illegal user zena from 220.229.161.171
Illegal user zena from 220.229.161.171
Illegal user purple from 220.229.161.171
Illegal user purple from 220.229.161.171
[etc.]
- - -
Some of the lists are VERY long!
Is there a reference guide somewhere that can help
me interpret what the different categories and listed
items mean and what action is advisable in each case?
Thanks for any help on this.
Best Wishes,
PRODOS
http://prodos.thinkertothinker.com
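The three report fragments quoted above can be read as "how many guesses came from which source, trying which usernames". The script below is an added example and not part of this thread or of LogWatch; it parses the "Authentication Failures", "Failed logins from these" and "Illegal user" formats shown in the post (over a constructed sample that copies those line shapes, including one entry wrapped onto a second line by the mail client), folds reverse-DNS names of the form `200-102-192-82.<isp-domain>` back to a dotted address (a heuristic assumption), and ranks sources by attempts. The 50-attempt threshold is likewise an assumed value.

```python
"""Summarise the sshd sections of a LogWatch report by source address.

Added example, not part of the webmin-l thread. It reads the three
report fragments quoted there (authentication failures, the SSHD
'Failed logins' section and the 'Illegal user' unmatched entries),
adds up attempts per source and records the usernames tried.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines in the three formats shown in the thread,
# including one "5\nTime(s)" entry wrapped the way the mail client did it.
SAMPLE_REPORT = """\
sshd:
   Invalid Users:
      Unknown Account: 2614 Time(s)
   Authentication Failures:
      mail (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5 Time(s)
      unknown (220.229.161.171 ): 2211 Time(s)
      root (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 85 Time(s)
      nobody (200-102-192-82.cslce7005.t.brasiltelecom.net.br ): 5
Time(s)
      sshd (220.229.161.171 ): 9 Time(s)

--------------------- SSHD Begin ------------------------
Failed logins from these:
   Aaliyah/password from 200.102.192.82: 5 Time(s)
   Aaron/password from 200.102.192.82: 5 Time(s)
   Chicago/password from 220.229.161.171: 6 Time(s)
   Jordan/password from 220.229.161.171: 6 Time(s)

**Unmatched Entries**
Illegal user zena from 220.229.161.171
Illegal user zena from 220.229.161.171
Illegal user purple from 220.229.161.171
"""

AUTH_FAIL = re.compile(r"^\s*(\S+) \((\S+) \): (\d+) Time\(s\)$")
FAILED_LOGIN = re.compile(r"^\s*(\S+)/password from (\S+): (\d+) Time\(s\)$")
ILLEGAL_USER = re.compile(r"^\s*Illegal user (\S+) from (\S+)$")
# Reverse-DNS names such as 200-102-192-82.<isp-domain> encode the address
# in their first label. Folding them back to dotted form is an assumption
# (a heuristic) that lets the hostname and raw-IP sections be merged.
DASHED_IP = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


@dataclass
class Source:
    attempts: int = 0
    usernames: set = field(default_factory=set)


def normalise_source(host: str) -> str:
    """Return the dotted address for a dashed rDNS name, else the host unchanged."""
    m = DASHED_IP.match(host)
    return ".".join(m.groups()) if m else host


def unwrap_lines(text: str) -> list:
    """Re-join entries whose trailing 'Time(s)' was wrapped onto its own line."""
    out = []
    for line in text.splitlines():
        if line.strip() == "Time(s)" and out:
            out[-1] = out[-1] + " Time(s)"
        else:
            out.append(line)
    return out


def summarise(text: str) -> dict:
    """Map each source (normalised) to its total attempts and usernames tried."""
    sources = defaultdict(Source)
    for line in unwrap_lines(text):
        for pattern in (AUTH_FAIL, FAILED_LOGIN):
            m = pattern.match(line)
            if m:
                user, host, count = m.group(1), m.group(2), int(m.group(3))
                break
        else:
            m = ILLEGAL_USER.match(line)
            if not m:
                continue  # header, separator or a line type we do not summarise
            user, host, count = m.group(1), m.group(2), 1
        src = sources[normalise_source(host)]
        src.attempts += count
        src.usernames.add(user)
    return dict(sources)


def rank(sources: dict, threshold: int = 50) -> list:
    """Rows (host, attempts, distinct users, flagged) ordered by attempts.

    A source is flagged when its attempts reach the (assumed) threshold.
    """
    ordered = sorted(sources.items(), key=lambda kv: kv[1].attempts, reverse=True)
    return [(host, s.attempts, len(s.usernames), s.attempts >= threshold)
            for host, s in ordered]


if __name__ == "__main__":
    for host, attempts, users, flagged in rank(summarise(SAMPLE_REPORT)):
        print(f"{host:20} {attempts:6d} attempts  {users:3d} usernames  {'FLAG' if flagged else ''}")
```

Running it on the sample ranks 220.229.161.171 first (2235 attempts across 6 usernames) and 200.102.192.82 second (105 attempts across 5 usernames); the per-source view makes the two hosts behind the long lists obvious, which is the question to settle before deciding whether to block a source.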
From: <dav...@da...> - 2005-09-18 23:31:56
Do you know who this IP address belongs to? Otherwise it may be some "hack"
program trying to get into your system using common names and "idiot"
passwords. If you look at the pattern they are all 'common' first names,
most being hit for 5 times.
If the IP address isn't one you work with, I'd consider blocking the IP all
together.
David Coley
Codecipher
-----Original Message-----
From: web...@li...
[mailto:web...@li...] On Behalf Of
pr...@pr...
Sent: Sunday, September 18, 2005 7:23 PM
To: web...@li...
Subject: [webmin-l] Understanding daily "LogWatch"?
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
-
Forwarded by the Webmin mailing list at web...@li...
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.1/104 - Release Date: 9/16/2005
From: Vernon J. S. <ve...@ve...> - 2005-09-19 00:12:07
I have a custom perl script that might help block ssh brute force attacks. Also webmin has a feature that prevents brute force attacks.

------------------------------------------
Vernon J. Spangler
http://www.vernonspangler.org/
(520) 512-8410 Home
(520) 990-1863 Cell
ve...@ve...
------------------------------------------
Powered by Windows XP Professional
Sent by Microsoft Outlook 2003

-----Original Message-----
From: dav...@da... [mailto:dav...@da...]
Sent: Sunday, September 18, 2005 4:33 PM
To: web...@li...
Subject: RE: [webmin-l] Understanding daily "LogWatch"?
From: Vern <ve...@cw...> - 2005-09-19 00:20:11
> Also webmin has a feature that prevents brute force attacks.

Where?
From: Vernon J. S. <ve...@ve...> - 2005-09-19 01:31:47
Let me dig in my archives and see where I put it.

Vernon J. Spangler
http://www.vernonspangler.org/

-----Original Message-----
From: Vern [mailto:ve...@cw...]
Sent: Sunday, September 18, 2005 5:20 PM
To: web...@li...
Subject: RE: [webmin-l] Understanding daily "LogWatch"?
From: Vern <ve...@cw...> - 2005-09-18 23:38:08
These are attempted hacks (logon failures) into your box. Many are created by dictionary password crack programs that are used to attempt to figure out user names and passwords on your box. I used to get these and figured the best thing to do is to block the ssh port (tcp port 22) and only allow specific IP addresses, that I specify, access to that port.

---------- Original Message -----------
From: "pr...@pr..." <pr...@pr...>
To: web...@li...
Sent: Sun, 18 Sep 2005 16:22:56 -0700
Subject: [webmin-l] Understanding daily "LogWatch"?