Hi fellow friends, I think I have a problem, or a potential problem, with my server. My logwatch looks like this (below). I am concerned about "durak.ru.mydomain.com Connection failure (outbound)". I do not have such a domain name. My server should not have tried to make this outbound connection. Has my server been hacked? How can I trace where this came from on my server? And the "Connections lost After AUTH" near the end of the log (220-132-164-157.HINET-IP.hinet.net), is this something to worry about? I have also just installed fail2ban to combat the dovecot and the ssh hack attacks; I am assuming this is a dictionary attack and they have not gained access yet. I am running Fedora Core 9, perfect server. One other question I have is how often should I run yum update?

Kind Regards
Stephen

--------------------- pam_unix Begin ------------------------

dovecot: Authentication Failures:
   rhost=::ffff:200.36.53.7 : 129 Time(s)
      root: 15 Time(s)
      adm: 1 Time(s)
      apache: 1 Time(s)
      bin: 1 Time(s)
      daemon: 1 Time(s)
      ftp: 1 Time(s)
      games: 1 Time(s)
      gopher: 1 Time(s)
      halt: 1 Time(s)
      lp: 1 Time(s)
      mail: 1 Time(s)
      mailnull: 1 Time(s)
      mysql: 1 Time(s)
      named: 1 Time(s)
      news: 1 Time(s)
      nfsnobody: 1 Time(s)
      nobody: 1 Time(s)
      operator: 1 Time(s)
      postfix: 1 Time(s)
      postgres: 1 Time(s)
      rpc: 1 Time(s)
      rpcuser: 1 Time(s)
      shutdown: 1 Time(s)
      smmsp: 1 Time(s)
      sshd: 1 Time(s)
      sync: 1 Time(s)
      uucp: 1 Time(s)
   Unknown Entries:
      check pass; user unknown: 129 Time(s)

smtp: Unknown Entries:
   authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 1 Time(s)
   check pass; user unknown: 1 Time(s)

sshd: Authentication Failures:
   mysql (210.87.191.133): 42 Time(s)
   root (123.233.245.226): 13 Time(s)
   unknown (123.233.245.226): 2 Time(s)
   root (202.108.29.8): 1 Time(s)
   Invalid Users:
      Unknown Account: 2 Time(s)
   Sessions Opened:
      smac: 6 Time(s)

su-l: Sessions Opened:
   smac(uid=500) -> root: 5 Time(s)

---------------------- pam_unix End -------------------------

--------------------- SSHD Begin ------------------------

Didn't receive an ident from these IPs:
   210.87.191.133: 3 Time(s)
Failed logins from:
   123.233.245.226: 13 times
      root/password: 13 times
   202.108.29.8: 1 time
      root/password: 1 time
   210.87.191.133: 42 times
      mysql/password: 42 times
Illegal users from:
   123.233.245.226: 2 times
      oracle/password: 1 time
      test/password: 1 time
Users logging in through sshd:
   smac:
      77.49.x.x (isp.net.gr): 2 times
      77.49.x.x (isp.net.gr): 2 times
      192.168.1.24: 2 times
Received disconnect:
   11: Bye Bye
      123.233.245.226 : 15 Time(s)
      202.108.29.8 : 1 Time(s)
      210.87.191.133 : 36 Time(s)

**Unmatched Entries**
Timeout, client not responding. : 4 time(s)

---------------------- SSHD End -------------------------

--------------------- Postfix Begin ------------------------

****** Summary ******************************************************
        1   SASL authentication failed
  55.742K   Bytes accepted                            57,080
  43.464K   Bytes delivered                           44,507
 ========   ================================================
       17   Accepted                                  94.44%
        1   Rejected                                   5.56%
 --------   ------------------------------------------------
       18   Total                                    100.00%
 ========   ================================================
        1   Reject relay denied                      100.00%
 --------   ------------------------------------------------
        1   Total Rejects                            100.00%
 ========   ================================================
        6   Connections made
        4   Connections lost
        6   Disconnections
        3   Removed from queue
        2   Sent via SMTP
        1   Forwarded
       14   Deferred
      297   Deferrals
      135   Connection failure (outbound)
        2   TLS connections (server)
        2   SASL authenticated messages
        1   Postfix start
        1   Postfix stop

****** Detailed *****************************************************
        1   SASL authentication failed
            1   220.132.164.157   220-132-164-157.hinet-ip.hinet.net
        1   Reject relay denied
            1   118.169.195.167   118-169-195-167.dynamic.hinet.net
                1   [email protected]
        4   Connections lost
            1   After AUTH
                1   220-132-164-157.HINET-IP.hinet.net
            1   After CONNECT
                1   correo.ccs.net.mx
            1   After EHLO
                1   220-132-164-157.HINET-IP.hinet.net
            1   After RCPT
                1   118-169-195-167.dynamic.hinet.net
        2   Sent via SMTP
            2   myemailprovider.gr
                2   mac
                    1   [email protected]
        1   Forwarded
            1   dragon.mydomain.com
                1   root
      297   Deferrals
          297   4.4.1: Persistent Transient Failure: Network & Routing Status: No answer from host
              162   Delivery temporarily suspended: Connection timed out
                  162   localhost.localdomain.mydomain.com
                      162   admispconfig
                          162   62.49.x.x   localhost.localdomain.mydomain.com
              135   Connection timed out
                  113   localhost.localdomain.mydomain.com
                      113   admispconfig
                          113   62.49.x.x   localhost.localdomain.mydomain.com
                   22   durak.ru.mydomain.com
                       22   lebedev
                           22   62.49.x.x   durak.ru.mydomain.com
      135   Connection failure (outbound)
          135   Connection timed out
              113   62.49.x.x   localhost.localdomain.mydomain.com
               22   62.49.x.x   durak.ru.mydomain.com
        2   TLS connections (server)
            2   127.0.0.1   localhost.localdomain
                2   Anonymous: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
        2   SASL authenticated messages
            2   Unknown
                2   Unknown
                    2   127.0.0.1   localhost.localdomain

---------------------- Postfix End -------------------------
First, I'd check if your server is blacklisted: http://mxtoolbox.com/blacklists.aspx If it is, please check the mynetworks parameter in main.cf. The only network listed should be 127.0.0.0/8. Also check your web applications. Spammers might abuse vulnerable contact forms, guestbooks, etc.
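An added check for the mynetworks advice in the reply above: this is example code, not from the thread or from Postfix itself, and the two main.cf fragments are constructed (the weak one beside the hardened one); on a real host feed it the output of `postconf -n` instead.

```shell
#!/bin/sh
# Added example, not from this thread or from Postfix: audit the relay
# settings the reply recommends, using constructed main.cf fragments.

# Constructed weak fragment: besides loopback it trusts a private /16 and
# a public /24, so any host in those ranges may relay through this server.
WEAK_MAINCF='myhostname = mail.example.com
mynetworks = 127.0.0.0/8, 192.168.0.0/16, 203.0.113.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination'

# Constructed hardened fragment: only loopback is trusted.
SAFE_MAINCF='mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination'

# Read main.cf text on stdin; print each mynetworks entry that is not
# loopback (entries may be separated by commas and/or whitespace).
audit_mynetworks() {
    sed -n 's/^mynetworks[[:space:]]*=//p' |
    tr ',' ' ' | tr -s ' \t' '\n\n' |
    grep -v '^$' |
    grep -F -x -v -e '127.0.0.0/8' -e '[::1]/128' -e '[::ffff:127.0.0.0]/104'
}

# Number of non-loopback networks in the config text given as $1.
count_extra() {
    printf '%s\n' "$1" | audit_mynetworks | grep -c .
}

# Return 0 when only loopback is trusted and unauthorised relaying is
# rejected, 1 otherwise. The reject_unauth_destination check targets
# Postfix before 2.10, which had no separate smtpd_relay_restrictions.
check_config() {
    extra=$(printf '%s\n' "$1" | audit_mynetworks || true)
    if [ -n "$extra" ]; then
        printf 'mynetworks trusts non-loopback networks:\n%s\n' "$extra"
        return 1
    fi
    if ! printf '%s\n' "$1" | grep -q '^smtpd_recipient_restrictions.*reject_unauth_destination'; then
        echo 'smtpd_recipient_restrictions lacks reject_unauth_destination'
        return 1
    fi
    echo 'relay settings OK: only loopback trusted, unauthorised relay rejected'
}

for cfg in "$WEAK_MAINCF" "$SAFE_MAINCF"; do
    check_config "$cfg" || echo 'FAIL: fix main.cf, then run "postfix reload"'
done
```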