First server - SSH Logs question
I purchased the 360 back on September 20th. This is my first experience in the realm of server administration, though I have had limited Linux experience in the past. I read through a few of the wikis for server setup and by later that day I had configured the server to reject remote root logins and disabled password authentication in favor of an SSH key generated by PuTTY.
[XXXXX@li73-113 .ssh]$ ls -l
-rw------- 1 XXXXX XXXXX 226 Sep 20 16:18 authorized_keys
[XXXXX@li73-113 .ssh]$ find "/etc/ssh/sshd_config" -printf %t
Sun Sep 20 16:27:47 2009[XXXXX@li73-113 .ssh]$
Now just a few hours later I notice some crazy things going on in the logs. Here are the different types of entries I've noticed:
1
Sep 20 21:21:08 li73-113 sshd[2457]: Did not receive identification string from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2458]: Invalid user aaliyah from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2458]: Excess permission or bad ownership on file /var/log/btmp
Sep 20 21:22:23 li73-113 sshd[2459]: input_userauth_request: invalid user aaliyah
Sep 20 21:22:24 li73-113 sshd[2459]: Connection closed by 196.2.77.185
First of all, I think it's crazy that after just a short amount of time my IP was discovered and set as a target for a dictionary attack.
2
Sep 21 10:57:25 li73-113 sshd[2492]: Did not receive identification string from 212.179.135.183
Sep 21 11:06:33 li73-113 sshd[2493]: reverse mapping checking getaddrinfo for bzq-179-135-183.static.bezeqint.net failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 11:06:33 li73-113 sshd[2494]: Received disconnect from 212.179.135.183: 11: Bye Bye
3
Sep 24 20:30:57 li73-113 sshd[10617]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:30:59 li73-113 sshd[10621]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:31:00 li73-113 sshd[10625]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:31:02 li73-113 sshd[10629]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:31:03 li73-113 sshd[10633]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:31:05 li73-113 sshd[10637]: Received disconnect from 80.48.178.2: 11: Bye Bye
Usually each of these 3 types of messages appears by itself, but sometimes a single IP will generate all of them. Is there anything here to be worried about? Is there a better way to parse the log file to only look for true threats?
3 Replies
@segt:
First of all, I think it's crazy that after just a short amount of time my IP was discovered and set as a target for a dictionary attack.
The Internet is a crazy place — that’s perfectly normal.
@segt:
Usually each of these 3 types of messages appears by itself, but sometimes a single IP will generate all of them. Is there anything here to be worried about? Is there a better way to parse the log file to only look for true threats?
If you truly disabled root and password auth, there isn’t much of anything to worry about (unless something like the Debian OpenSSL screwup happens again).
You can do things to reduce the amount of stuff that gets logged — such as moving SSH to a different port, or installing fail2ban or DenyHosts — but you don’t really need to.
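One way to cut the log down to what actually needs a look, as an added example (not code from this thread): it treats the three message types quoted above as noise, flags the /var/log/btmp warning as a local permissions fix, and surfaces any accepted login so you can confirm it was yours (an accepted password login would mean the config change did not take). The sample lines are the thread's own plus one constructed "Accepted publickey" line; 203.0.113.7, the port and that timestamp are made up.

```python
import re
from collections import Counter, defaultdict

# syslog prefix written by sshd; everything after the PID is the message text
LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
# sshd message prefixes and the attention each deserves once password auth is off
RULES = [
    ('Accepted password for', 'ALERT'),    # cannot happen if the config really took
    ('Accepted publickey for', 'REVIEW'),  # a real login: confirm it was you
    ('Excess permission or bad ownership', 'FIX'),  # btmp must be root-owned, mode 0600
    ('Invalid user ', 'NOISE'),            # dictionary guess at a nonexistent account
    ('Did not receive identification string', 'NOISE'),  # scanner / banner grab
    ('reverse mapping checking', 'NOISE'), # client's DNS is inconsistent, nothing more
    ('input_userauth_request: invalid user', 'NOISE'),
    ('Received disconnect', 'NOISE'), ('Connection closed', 'NOISE'),
]

def classify(line):
    # -> (level, source IP or None, message), or None for a non-sshd line
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    ip = IP_RE.search(msg)
    level = next((lvl for prefix, lvl in RULES if msg.startswith(prefix)), 'UNKNOWN')
    return level, (ip.group(1) if ip else None), msg

def triage(lines):
    # per-IP count of each level, plus every non-NOISE event in log order
    per_ip, attention = defaultdict(Counter), []
    for line in lines:
        r = classify(line)
        if r is None:
            continue
        level, ip, msg = r
        if ip:
            per_ip[ip][level] += 1
        if level != 'NOISE':
            attention.append((level, ip, msg))
    return per_ip, attention
# Constructed sample: lines from the thread plus one made-up legitimate key login
SAMPLE = """\
Sep 20 21:21:08 li73-113 sshd[2457]: Did not receive identification string from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2458]: Invalid user aaliyah from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2458]: Excess permission or bad ownership on file /var/log/btmp
Sep 21 11:06:33 li73-113 sshd[2493]: reverse mapping checking getaddrinfo for bzq-179-135-183.static.bezeqint.net failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 24 20:30:57 li73-113 sshd[10617]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:45:00 li73-113 sshd[10700]: Accepted publickey for XXXXX from 203.0.113.7 port 51022 ssh2
""".splitlines()
```

Run `triage(open('/var/log/auth.log'))` (or `/var/log/secure` on Red Hat-style systems) and only the `attention` list is worth reading; anything classified UNKNOWN is a message the rules have not seen yet and deserves a rule of its own.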
Ok nice. That alleviates my anxiety heh. Any recommendations for books I can buy that would enlighten me on general security practices and audits?
Use a firewall (I recommend Shorewall