Hey guys,

My automatic logwatch email showed the following message:

Code:
 --------------------- pam_unix Begin ------------------------

 gdm:
    Authentication Failures:
       rhost=  : 1 Time(s)
    Unknown Entries:
       check pass; user unknown: 1 Time(s)

 sshd:
    Authentication Failures:
       unknown (www.e-hainyo.jp): 110 Time(s)
       root (211.189.69.21): 31 Time(s)
       root (www.e-hainyo.jp): 15 Time(s)
       adm (www.e-hainyo.jp): 1 Time(s)
       apache (www.e-hainyo.jp): 1 Time(s)
       bin (www.e-hainyo.jp): 1 Time(s)
       daemon (www.e-hainyo.jp): 1 Time(s)
       ftp (www.e-hainyo.jp): 1 Time(s)
       games (www.e-hainyo.jp): 1 Time(s)
       halt (www.e-hainyo.jp): 1 Time(s)
       lp (www.e-hainyo.jp): 1 Time(s)
       mail (www.e-hainyo.jp): 1 Time(s)
       mysql (www.e-hainyo.jp): 1 Time(s)
       named (www.e-hainyo.jp): 1 Time(s)
       news (www.e-hainyo.jp): 1 Time(s)
       nobody (www.e-hainyo.jp): 1 Time(s)
       operator (www.e-hainyo.jp): 1 Time(s)
       postgres (www.e-hainyo.jp): 1 Time(s)
       rpm (www.e-hainyo.jp): 1 Time(s)
       shutdown (www.e-hainyo.jp): 1 Time(s)
       smmsp (www.e-hainyo.jp): 1 Time(s)
       sshd (www.e-hainyo.jp): 1 Time(s)
       sync (www.e-hainyo.jp): 1 Time(s)
       tomcat (www.e-hainyo.jp): 1 Time(s)
       uucp (www.e-hainyo.jp): 1 Time(s)
    Invalid Users:
       Unknown Account: 110 Time(s)

 su:
    Sessions Opened:
       (uid=0) -> root: 4 Time(s)

 ---------------------- pam_unix End -------------------------

 --------------------- Connections (secure-log) Begin ------------------------

 **Unmatched Entries**
    webmin: Successful login as root from 192.168.2.222 : 1 Time(s)
    webmin: Timeout of session for root : 1 Time(s)
    webmin: Webmin starting : 2 Time(s)

 ---------------------- Connections (secure-log) End -------------------------

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 2 Time(s)
 SSHD Started: 2 Time(s)

 Failed logins from:
    203.152.217.208: 37 times
    211.189.69.21: 31 times

 Illegal users from:
    203.152.217.208: 110 times

 Received disconnect:
    11: Bye Bye : 176 Time(s)

 ---------------------- SSHD End -------------------------

Does this mean a hacking attempt?
I performed a whois on the IPs above and found out this:

Code:
inetnum:      203.152.192.0 - 203.152.223.255
netname:      INTERLINK
descr:        INTERLINK Co.,LTD
descr:        Sunshine60-35F 3-1-1 Higashi-ikebukuro
descr:        Toshima-city Tokyo 170-6035 Japan
country:      JP
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
status:       ALLOCATED PORTABLE
remarks:      Email address for spam or abuse complaints :
mnt-by:       MAINT-JPNIC
mnt-lower:    MAINT-JPNIC
changed:      20050804
changed:      20070913
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:
admin-c:      JI13-AP
tech-c:       JE53-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:      20041222
changed:      20050324
changed:      20051027
source:       APNIC

inetnum:      203.152.217.192 - 203.152.217.223
netname:      IOSYSTEM
descr:        IO SYSTEM Co., Ltd.
country:      JP
admin-c:      JP00006345
tech-c:       JP00006354
remarks:      This information has been partially mirrored by APNIC from
remarks:      JPNIC. To obtain more specific information, please use the
remarks:      JPNIC WHOIS Gateway at
remarks:      http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:      whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:      defaults to Japanese output, use the /e switch for English
remarks:      output)
changed:      20070510
source:       JPNIC

If this is really a hacking attempt, how can I protect myself? I have just enabled SELinux and need to reboot for the change to take effect.

Thanks,
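To answer the first question from the raw log rather than from the logwatch summary, here is an added example (not part of the thread) that counts sshd password failures per source address in an OpenSSH auth log (/var/log/secure on Red Hat style systems, /var/log/auth.log on Debian) and flags the addresses that cross a threshold. The log lines it reads are constructed to mirror the summary above (the two attacking addresses plus one LAN host); the threshold of 3 is an assumption that keeps the demo short.

```shell
#!/bin/sh
# Added example, not from the original thread: count "Failed password" lines
# per source address in an OpenSSH auth log and flag likely brute-force hosts.
#
# Lines have the form
#   Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2
# The "invalid user" variant is what logwatch reports under "Illegal users".

# Print "COUNT IP" for every source address, most frequent first.
ssh_failures_by_host() {
    # $1 = path to the log file
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Print only the addresses with at least $2 failures.
ssh_bruteforce_hosts() {
    # $1 = log file, $2 = threshold
    ssh_failures_by_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Count the failures aimed at the root account specifically.
ssh_root_failures() {
    grep -c 'Failed password for root from' "$1"
}

# Constructed sample log (not real data): two scanners and one LAN user typo.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct  4 03:12:01 box sshd[4123]: Failed password for invalid user adm from 203.152.217.208 port 51022 ssh2
Oct  4 03:12:03 box sshd[4125]: Failed password for invalid user apache from 203.152.217.208 port 51031 ssh2
Oct  4 03:12:05 box sshd[4127]: Failed password for invalid user tomcat from 203.152.217.208 port 51040 ssh2
Oct  4 03:12:07 box sshd[4129]: Failed password for root from 203.152.217.208 port 51048 ssh2
Oct  4 03:15:10 box sshd[4140]: Failed password for root from 211.189.69.21 port 3311 ssh2
Oct  4 03:15:12 box sshd[4142]: Failed password for root from 211.189.69.21 port 3312 ssh2
Oct  4 03:20:00 box sshd[4150]: Accepted password for alice from 192.168.2.222 port 40122 ssh2
Oct  4 03:21:00 box sshd[4152]: Failed password for alice from 192.168.2.222 port 40130 ssh2
EOF

echo "Failures per source address:"
ssh_failures_by_host "$SAMPLE_LOG"
echo "Addresses with 3 or more failures (candidate brute force):"
ssh_bruteforce_hosts "$SAMPLE_LOG" 3
echo "Failures against root: $(ssh_root_failures "$SAMPLE_LOG")"
```

A host that appears under "Illegal users" with one attempt per account name, as www.e-hainyo.jp does above, is walking through a list of usernames; the repeated root failures from 211.189.69.21 are password guessing against an account that is known to exist. Both patterns are exactly what fail2ban (iptables rules) and DenyHosts (/etc/hosts.deny) match on to block the address after a few failures. Point the functions at the real log file instead of $SAMPLE_LOG to run them on your own box.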
lol, welcome to the world of SSH hacking. I had a log of like 1 MB of ssh hits on my test box, but I changed the ssh port over to 222 or something else and it almost dropped to nothing.
Thank you all, guys, for the info. I am just wondering why this stupid Japanese chimp is trying to access my box! There is nothing of interest anyway, just a personal blog and some futilities. But of course, he needed my password to do that, huh? Well, I have changed that to such a difficult one that with brute force it would take him 200 years to find out. I will try those tools and see what they are able to do.

Also, zcworld, how would I go about changing the port of SSH? What is this SSH anyway? Can I uninstall it? Finally, I use remote root login within my LAN; is that also unsafe?

Thank you all again for your info.
I would install fail2ban and DenyHosts, use strong passwords, maybe change the port also as zcworld suggested, and disable remote root logins in your sshd_config as Leszek suggested. There will always be someone trying to get a sneak peek into your system, so just make sure you have it secured.
sshd_config is at /etc/ssh/sshd_config. Also, there is the rootlogin = yes; change it to no. You may need to add yourself to the wheel group if you need to su up at some later time.
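The sshd_config edits recommended in the last two posts (no remote root login, sshd moved off port 22), as an added example that is not from the thread. The directive OpenSSH actually reads is PermitRootLogin (not rootlogin), and sshd honours the first occurrence of each directive, so a line appended at the bottom of the file is ignored if an earlier line already sets it. The function below therefore rewrites the existing line, commented out or not, and appends only when none exists. It runs against a constructed stand-in file; the port number 222 is the one from the thread, and the real path /etc/ssh/sshd_config appears only in a comment.

```shell
#!/bin/sh
# Added example, not from the original thread: set PermitRootLogin and Port in
# an sshd_config file safely and read back the value sshd will actually use.

# Print the effective value of a directive (first uncommented match), or nothing.
sshd_setting() {
    # $1 = config file, $2 = directive name (sshd matches it case-insensitively)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Set a directive: rewrite the first active or "#commented" occurrence, else append.
set_sshd_directive() {
    # $1 = config file, $2 = directive, $3 = value
    file=$1; key=$2; val=$3
    tmp=$(mktemp)
    awk -v key="$key" -v val="$val" '
        !done && tolower($1) == tolower(key)         { print key, val; done = 1; next }
        !done && tolower($1) == ("#" tolower(key))   { print key, val; done = 1; next }
        { print }
        END { if (!done) print key, val }' "$file" > "$tmp"
    # cat > keeps the ownership and mode of the original file; mv would not.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Apply the two changes suggested in the thread.
harden_sshd_config() {
    # $1 = config file, $2 = new listening port
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" Port "$2"
}

# Constructed stand-in for /etc/ssh/sshd_config (not a real file from any host).
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# stand-in sshd_config for the demo
#Port 22
#Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

harden_sshd_config "$CFG" 222
cat "$CFG"
echo "PermitRootLogin is now: $(sshd_setting "$CFG" PermitRootLogin)"
echo "Port is now: $(sshd_setting "$CFG" Port)"

# On the real host (as root), with your current session left open:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 222
#   sshd -t && service sshd restart     # sshd -t syntax-checks the file first
```

Open the new port in your firewall before restarting sshd, and do not close the session you edited from until a second login on port 222 succeeds; a typo in this file locks you out of a remote box. PermitRootLogin no only stops logging in as root over SSH: logging in as a normal user and running su still works, and the wheel group is required for su only if pam_wheel is enabled in /etc/pam.d/su. The setting applies regardless of source address, so the LAN root login asked about above is also blocked unless you scope it with a Match block, which needs OpenSSH 4.4 or later.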