hack attempt on my server...What do you do about this?
fedora at ducksoup.afree.net
Sat Jul 17 21:40:06 UTC 2004
This must be automated and/or a script kiddie. I have basically the same attack
from another machine: in /var/log/secure I have
Jul 15 13:03:49 mallard sshd: Illegal user test from 22.214.171.124
Jul 15 13:03:51 mallard sshd: Failed password for illegal user test from 126.96.36.199 port 50491 ssh2
Jul 15 13:03:53 mallard sshd: Illegal user guest from 188.8.131.52
Jul 15 13:03:55 mallard sshd: Failed password for illegal user guest from 184.108.40.206 port 50703 ssh2
Jul 15 13:03:56 mallard sshd: Illegal user admin from 220.127.116.11
Jul 15 13:03:58 mallard sshd: Failed password for illegal user admin from 18.104.22.168 port 50900 ssh2
Jul 15 13:03:59 mallard sshd: Illegal user user from 22.214.171.124
Jul 15 13:04:02 mallard sshd: Failed password for illegal user user from 126.96.36.199 port 51090 ssh2
Jul 15 13:04:05 mallard sshd: Failed password for root from 188.8.131.52 port 51267 ssh2
Jul 15 13:04:09 mallard sshd: Failed password for root from 184.108.40.206 port 51411 ssh2
I agree with Amadeus that this does not seem like a very sophisticated attack.
I think it is common to see this sort of stuff that shouldn't be there in logs
(including some times when there is a break-in). Machines are more secure than
they used to be (I have had a half-dozen break-ins over the years but no
apparent data loss in SUNs), but it still happens and it is prudent to back up
important user files frequently.
For security, the LinuxBenchmark.pdf document from www.cisecurity.org is a
useful start (although their suggested rpm -F is not a good way to get updates).
It is for an earlier RH version, but it is still useful for basic suggestions
about how to turn off unneeded services, close unused ports, check file
permissions, and the like.
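
Added example (not part of the original post): a Python sketch that parses "Failed password" lines in the /var/log/secure format quoted above and flags source addresses showing the same pattern, a short burst of failures spread across several usernames. The sample lines are constructed, and the function name, the thresholds and the year argument are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format quoted above
# (addresses come from the RFC 5737 documentation ranges).
SAMPLE = """\
Jul 15 13:03:49 mallard sshd[2101]: Illegal user test from 192.0.2.10
Jul 15 13:03:51 mallard sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 50491 ssh2
Jul 15 13:03:55 mallard sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 50703 ssh2
Jul 15 13:03:58 mallard sshd[2105]: Failed password for illegal user admin from 192.0.2.10 port 50900 ssh2
Jul 15 13:04:05 mallard sshd[2107]: Failed password for root from 192.0.2.10 port 51267 ssh2
Jul 15 13:04:09 mallard sshd[2109]: Failed password for root from 192.0.2.10 port 51411 ssh2
Jul 15 14:20:11 mallard sshd[2200]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jul 15 14:20:19 mallard sshd[2200]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

# The "[pid]" part is optional because the quoted log lines do not show it.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?P<bad>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def scan_sources(text, year=2004, min_failures=5,
                 window=timedelta(minutes=1), min_users=3):
    """Return {ip: summary} for sources that look like automated guessing."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps omit the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["user"], bool(m["bad"])))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = burst = 0
        for end in range(len(evs)):  # sliding window over sorted failures
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        users = {u for _, u, _ in evs}
        if burst >= min_failures and len(users) >= min_users:
            flagged[ip] = {"burst": burst, "users": sorted(users),
                           "unknown_users": sorted({u for _, u, bad in evs if bad})}
    return flagged

if __name__ == "__main__":
    for ip, info in scan_sources(SAMPLE).items():
        print(ip, info)
```

A single mistyped password from a legitimate user, like the constructed alice entry, stays below both thresholds and is not reported.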