Questions concerning Security Log

Dotan Cohen dotancohen at gmail.com
Thu Apr 7 08:34:14 UTC 2005


On Apr 7, 2005 10:49 AM, Paul Howarth <paul at city-fan.org> wrote:
> On Thu, 2005-04-07 at 09:14 +0300, Dotan Cohen wrote:
> > As I'm still new to linux I like to open things and see what they are
> > / do. So I opened the KDE System Logs program, clicked on over to
> > Security logs, and found a bunch of these:
> >
> > Apr  4 02:15:03 localhost sshd[26567]: Failed password for invalid
> > user test from ::ffff:219.238.239.10 port 3429 ssh2
> 
> This is a script kiddie trying to crack passwords on your ssh server.
> 
> > and these:
> >
> > Apr  5 04:47:24 localhost sshd[7287]: reverse mapping checking
> > getaddrinfo for h169-210-68-8.adcast.com.tw failed - POSSIBLE BREAKIN
> > ATTEMPT!
> 
> This is because reverse DNS for 210.68.8.169 (source of one of the
> script kiddie attacks) points to the hostname
> h169-210-68-8.adcast.com.tw but that name does not resolve. Not terribly
> uncommon with incompetent ISPs.
> 
> > and many more like it. Is this something to worry about?
> 
> Yes it is, but it's nothing personal. Everyone running a ssh server that
> isn't firewalled off except for specific IPs is probably getting them. I
> know I am.
> 
> Suggestions:
> 
> 1. Disable root logins in ssh (you can still log in as a regular user
> and use "su") by putting "PermitRootLogin no" in /etc/ssh/sshd_config.
> 
> 2. Make sure you use strong passwords for *all* accounts.
> 
> 3. Consider turning off password authentication altogether and using
> certificates instead.
> 
> > Chkrootkit
> > didn't find anything suspicious, so that makes me feel a little
> > better, but as I am unable to start firestarter I am a little nervous.
> >
> > By the way, what is the difference between chkrootkit and chkrootkitX?
> > They both run in the terminal (I thought that chkrootkitX would open
> > up in a gui or something).
> 
> Don't know; I've never used chkrootkit.
> 
> > Is it unsafe to put a copy of the log on my site and post a link to it
> > here? It spans about 1500 lines, so I do not want to email it to the
> > list.
> 
> Probably fairly safe but not very useful.
> 
> Paul.
> --
> Paul Howarth <paul at city-fan.org>
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 
Thanks. I tried to edit /etc/ssh/sshd_config and found that it is
either empty or does not exist. In emacs I just get a blank screen. So
maybe I don't even have ssh on this computer? I did a FC3 desktop
installation.

> 2. Make sure you use strong passwords for *all* accounts.

Check!

> 3. Consider turning off password authentication altogether and using
> certificates instead.

I will look into this. As far as I can see, I would need to purchase a
certificate? I have never logged into this machine from outside, but I
would like to leave that option open.

Thanks Paul.

Dotan Cohen

http://Liriks-Song.com/
http://Song-Lyriks.com/
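An added shell example, not part of this thread or of anything Paul or Dotan posted, that does two things the exchange above talks about: it tallies the "Failed password" lines in a log by source address (the sample lines are constructed here in the format the log excerpt shows, reusing the two addresses quoted in the thread), and it audits an sshd_config body for the settings in suggestions 1 and 3 ("PermitRootLogin no" and, for key-only logins, "PasswordAuthentication no" with "PubkeyAuthentication yes"). The config texts are constructed too; the audit only looks at top-level directives and takes the first uncommented occurrence of each keyword, which is how sshd itself resolves a repeated option.

```shell
#!/bin/sh
# Added example: failed-login tally and sshd_config audit.
# Sample log lines and config bodies below are constructed for the example.

SAMPLE_LOG='Apr  4 02:15:03 localhost sshd[26567]: Failed password for invalid user test from ::ffff:219.238.239.10 port 3429 ssh2
Apr  4 02:15:07 localhost sshd[26569]: Failed password for invalid user admin from ::ffff:219.238.239.10 port 3431 ssh2
Apr  5 04:47:24 localhost sshd[7287]: reverse mapping checking getaddrinfo for h169-210-68-8.adcast.com.tw failed - POSSIBLE BREAKIN ATTEMPT!
Apr  5 04:47:25 localhost sshd[7287]: Failed password for root from ::ffff:210.68.8.169 port 4120 ssh2'

# Print "count address" for every source with failed password attempts,
# most frequent first. The ::ffff: prefix marks an IPv4 client seen on an
# IPv6 socket; it is stripped so each host is counted once.
failed_logins_by_source() {
    printf '%s\n' "$1" |
        awk '/: Failed password for / {
                 ip = ""
                 for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
                 sub(/^::ffff:/, "", ip)
                 if (ip != "") count[ip]++
             }
             END { for (ip in count) print count[ip], ip }' |
        sort -rn
}

# Audit an sshd_config body for the hardening settings from the thread.
# Prints one line per setting and returns 1 if any setting is missing.
# Only top-level directives are considered (no Match blocks); the first
# uncommented occurrence of a keyword wins, as in sshd.
audit_sshd_config() {
    config="$1"
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${want%% *}
        val=${want#* }
        got=$(printf '%s\n' "$config" |
              awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
        if [ "$got" = "$val" ]; then
            printf 'ok      %s %s\n' "$key" "$got"
        else
            printf 'MISSING %s (found: %s)\n' "$want" "${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed config before hardening: root login commented out (so the
# built-in default applies) and password logins still enabled.
WEAK_CONFIG='#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed config after applying suggestions 1 and 3.
HARDENED_CONFIG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Stand-alone run: show the tally, then audit both configs.
failed_logins_by_source "$SAMPLE_LOG"
echo "--- weak config ---"
audit_sshd_config "$WEAK_CONFIG" || true
echo "--- hardened config ---"
audit_sshd_config "$HARDENED_CONFIG" || true
```

To run the tally against a real log, replace the constructed text with the file contents, for example `failed_logins_by_source "$(cat /var/log/secure)"`, and feed `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` the real config once it is present. On the point raised in the reply about purchasing a certificate: what suggestion 3 refers to is SSH public-key authentication, where the key pair is generated locally with `ssh-keygen` and the public half is appended to `~/.ssh/authorized_keys` on the server; nothing is bought from a certificate authority.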
