First server - SSH Logs question

Hi,

I purchased the 360 back on September 20th. This is my first experience into the realm of server administration, though I have had limited linux experience in the past. I read through a few of the wiki's for server setup and by later in that day I had configured the server to reject remote root logins and disabled password authentication in favor of an SSH key generated by PUTTY.

[XXXXX@li73-113 .ssh]$ ls -l

-rw------- 1 XXXXX XXXXX 226 Sep 20 16:18 authorized_keys

[XXXXX@li73-113 .ssh]$ find "/etc/ssh/sshd_config" -printf %t

Sun Sep 20 16:27:47 2009[XXXXX@li73-113 .ssh]$

Now just a few hours later I notice some crazy things going on in the logs. Here are the different types of entries I've noticed:

1

Sep 20 21:21:08 li73-113 sshd[2457]: Did not receive identification string from 196.2.77.185

Sep 20 21:22:23 li73-113 sshd[2458]: Invalid user aaliyah from 196.2.77.185

Sep 20 21:22:23 li73-113 sshd[2458]: Excess permission or bad ownership on file /var/log/btmp

Sep 20 21:22:23 li73-113 sshd[2459]: input_userauth_request: invalid user aaliyah

Sep 20 21:22:24 li73-113 sshd[2459]: Connection closed by 196.2.77.185

First of all, I think it's crazy that after just a short amount of time my IP was discovered and set as a target for a dictionary attack.

2

Sep 21 10:57:25 li73-113 sshd[2492]: Did not receive identification string from 212.179.135.183

Sep 21 11:06:33 li73-113 sshd[2493]: reverse mapping checking getaddrinfo for bzq-179-135-183.static.bezeqint.net failed - POSSIBLE BREAK-IN ATTEMPT!

Sep 21 11:06:33 li73-113 sshd[2494]: Received disconnect from 212.179.135.183: 11: Bye Bye

3

Sep 24 20:30:57 li73-113 sshd[10617]: Received disconnect from 80.48.178.2: 11: Bye Bye

Sep 24 20:30:59 li73-113 sshd[10621]: Received disconnect from 80.48.178.2: 11: Bye Bye

Sep 24 20:31:00 li73-113 sshd[10625]: Received disconnect from 80.48.178.2: 11: Bye Bye

Sep 24 20:31:02 li73-113 sshd[10629]: Received disconnect from 80.48.178.2: 11: Bye Bye

Sep 24 20:31:03 li73-113 sshd[10633]: Received disconnect from 80.48.178.2: 11: Bye Bye

Sep 24 20:31:05 li73-113 sshd[10637]: Received disconnect from 80.48.178.2: 11: Bye Bye

Usually each of these 3 types of messages appears by itself, but sometimes a single IP will generate all of them. Is there anything here to be worried about? Is there a better way to parse the log file to only look for true threats?
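Here is an added example of the kind of log triage the question asks about; it is not code from the original post or from Linode. It parses sshd syslog lines, tags each one as scanner noise or as something a human should look at, and aggregates counts per source address. The sample lines are constructed, modelled on the entries quoted above, plus a few hypothetical extras (two more invalid-user attempts and two accepted logins from RFC 5737 documentation addresses) so that every alert type has something to fire on. The `known_ips` list, the event names, severities and the invalid-user threshold are my assumptions, not anything sshd defines.

```python
"""Triage sshd log lines: separate background scanner noise from events that matter."""
import re
from collections import defaultdict

# Constructed sample input, modelled on the entries quoted in the post plus a few
# extra hypothetical lines so that each alert type below has something to fire on.
SAMPLE_LOG = """\
Sep 20 21:21:08 li73-113 sshd[2457]: Did not receive identification string from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2458]: Invalid user aaliyah from 196.2.77.185
Sep 20 21:22:23 li73-113 sshd[2459]: input_userauth_request: invalid user aaliyah
Sep 20 21:22:24 li73-113 sshd[2459]: Connection closed by 196.2.77.185
Sep 20 21:23:10 li73-113 sshd[2460]: Invalid user aaron from 196.2.77.185
Sep 20 21:23:55 li73-113 sshd[2461]: Invalid user abby from 196.2.77.185
Sep 21 11:06:33 li73-113 sshd[2493]: reverse mapping checking getaddrinfo for bzq-179-135-183.static.bezeqint.net failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 11:06:33 li73-113 sshd[2494]: Received disconnect from 212.179.135.183: 11: Bye Bye
Sep 24 20:30:57 li73-113 sshd[10617]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:30:59 li73-113 sshd[10621]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 24 20:31:00 li73-113 sshd[10625]: Received disconnect from 80.48.178.2: 11: Bye Bye
Sep 25 08:02:11 li73-113 sshd[11002]: Accepted publickey for admin from 203.0.113.7 port 51234 ssh2
Sep 25 09:15:40 li73-113 sshd[11050]: Accepted password for admin from 198.51.100.9 port 40022 ssh2
"""

# syslog prefix as sshd writes it: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# (event name, pattern, severity); the first matching rule wins. Names and
# severities are this example's own convention, not sshd terminology.
RULES = [
    ("accepted_password", re.compile(r"^Accepted password for (?P<user>\S+) from"), "high"),
    ("accepted_key", re.compile(r"^Accepted publickey for (?P<user>\S+) from"), "info"),
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from"), "noise"),
    ("banner_probe", re.compile(r"^Did not receive identification string"), "noise"),
    ("reverse_dns_mismatch", re.compile(r"^reverse mapping checking"), "noise"),
    ("disconnect", re.compile(r"^(?:Received disconnect from|Connection closed by)"), "noise"),
]


def classify(msg):
    """Map the free-text part of an sshd line to (event, severity, user-or-None)."""
    for name, pattern, severity in RULES:
        m = pattern.match(msg)
        if m:
            return name, severity, m.groupdict().get("user")
    return "other", "info", None


def parse_line(line):
    """Parse one syslog line; returns a dict, or None for lines that are not from sshd."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip_match = IPV4_RE.search(m["msg"])
    event, severity, user = classify(m["msg"])
    return {
        "ts": m["ts"], "pid": int(m["pid"]),
        "ip": ip_match.group(1) if ip_match else None,  # some lines carry no address
        "event": event, "severity": severity, "user": user, "msg": m["msg"],
    }


def triage(text, known_ips=(), invalid_user_threshold=3):
    """Return (alerts, per_ip).

    alerts: list of (kind, ip, detail) that deserve a human's attention.
    per_ip: {ip: {event: count}} so the scanner noise can be summarised per source.
    """
    known = set(known_ips)
    per_ip = defaultdict(lambda: defaultdict(int))
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ip"] is not None:
            per_ip[ev["ip"]][ev["event"]] += 1
        # With PasswordAuthentication no, an accepted password login should be
        # impossible; seeing one means the config is not in effect (or worse).
        if ev["event"] == "accepted_password":
            alerts.append(("password_login_accepted", ev["ip"], f"user {ev['user']} at {ev['ts']}"))
        elif ev["event"] == "accepted_key" and ev["ip"] not in known:
            alerts.append(("key_login_from_unknown_ip", ev["ip"], f"user {ev['user']} at {ev['ts']}"))
    # Many invalid usernames from one source is the dictionary-attack signature;
    # it is noise when keys-only auth is on, but worth one summary line per source.
    for ip, counts in per_ip.items():
        n = counts.get("invalid_user", 0)
        if n >= invalid_user_threshold:
            alerts.append(("dictionary_attack", ip, f"{n} invalid user attempts"))
    return alerts, {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    found_alerts, summary = triage(SAMPLE_LOG, known_ips=("203.0.113.7",))
    for kind, ip, detail in found_alerts:
        print(f"ALERT {kind:<26} {ip:<16} {detail}")
    for ip, counts in sorted(summary.items()):
        print(f"noise {ip:<16} {counts}")
```

Run it against a real file with `triage(open("/var/log/auth.log").read(), known_ips=[...])` (path varies by distribution; `/var/log/secure` on Red Hat-style systems). The design point is that "Invalid user", banner probes and "Bye Bye" disconnects are counted rather than surfaced one by one, while the two events that actually matter on a keys-only host, a password login that succeeded and a key login from an address you do not recognise, are raised individually.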

3 Replies

@segt:

First of all, I think it's crazy that after just a short amount of time my IP was discovered and set as a target for a dictionary attack.

The Internet is a crazy place — that’s perfectly normal.

@segt:

Usually each of these 3 types of messages appears by itself, but sometimes a single IP will generate all of them. Is there anything here to be worried about? Is there a better way to parse the log file to only look for true threats?

If you truly disabled root and password auth, there isn’t much of anything to worry about (unless something like the Debian OpenSSL screwup happens again).

You can do things to reduce the amount of stuff that gets logged — such as move SSH to a different port, or install fail2ban or DenyHosts — but you don’t really need to.

@mnordhoff:

Ok nice. That alleviates my anxiety heh. Any recommendations for books I can buy that would enlighten me on general security practices and audits?

My suggestion:

Use a firewall (I recommend Shorewall) to block ssh access from all but the addresses you regularly log in from. Set Lish to use a huge and complex password and then only connect using keys. If you need to ssh from a mobile or a different location, use Lish. Temporarily add the remote location to Shorewall if you are going to be doing a lot of work. Set your Linode Manager account to use whitelisting (under 'My Profile').
