I recommend installing and configuring rkhunter. It's just an
apt-get/yum away. Reasonably easy to configure. Basically you got hit
by a bot trying to get access.  There are a few things you can do.

Change the port sshd runs on from 22 to something only those that
access the server know.

Add some rules to your iptables to drop multiple attempts to get in.
Here is an example:

:ALLOWED - [0:0]
# (IP you want to white list)
-A INPUT -s #.#.#.# -p tcp -m tcp --dport 22 -j ACCEPT
# all other ssh traffic must go through a rate limiting filter
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
# rate limit filter that only permits 3 new connections per minute
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# log and reject everything over the limit
-A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options --log-ip-options
-A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable

and here is another way to do it:
# record every new SSH connection attempt in the "recent" list
iptables -t filter -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set
# drop a source once it has made 4 new attempts within 60 seconds
# (both rules must watch the same interface, otherwise the list never matches)
iptables -t filter -I INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You can get pretty advanced with this stuff; it can go on and on
depending on the effort you want to put into it. Some people record
all of the failed IPs and add them to a permanent blocked list.

Oh, and /etc/hosts.allow and hosts.deny. Set those up, not foolproof
but every bit helps.



On Feb 12, 2008 6:49 PM, Ralph Shumaker <[EMAIL PROTECTED]> wrote:
> I just now noticed that root has mail.  And it goes back several months,
> even back to before I switched to DSL when I was still on dialup.
>
> Apparently, even way back then, there were attempts to log into my
> system.  There are a multitude of attempts via SSHD (sshd has recently
> been shut off when I saw network activity when there should have been none):
>  sshd:
>     Authentication Failures:
>        unknown (webservices.trest.com): 324 Time(s)
>        root (webservices.trest.com): 34 Time(s)
>        apache (webservices.trest.com): 10 Time(s)
>        adm (webservices.trest.com): 9 Time(s)
>        ftp (webservices.trest.com): 9 Time(s)
>        mail (webservices.trest.com): 7 Time(s)
>     Invalid Users:
>        Unknown Account: 324 Time(s)
>
> and a couple of days later:
>  sshd:
>     Authentication Failures:
>        unknown (218.244.130.46): 92 Time(s)
>        root (218.244.130.46): 15 Time(s)
>        root (89-149-202-225.internetserviceteam.com): 6 Time(s)
>        adm (218.244.130.46): 1 Time(s)
>        apache (218.244.130.46): 1 Time(s)
>        bin (218.244.130.46): 1 Time(s)
>        daemon (218.244.130.46): 1 Time(s)
>        ftp (218.244.130.46): 1 Time(s)
>        games (218.244.130.46): 1 Time(s)
>        lp (218.244.130.46): 1 Time(s)
>        mail (218.244.130.46): 1 Time(s)
>        news (218.244.130.46): 1 Time(s)
>        nobody (218.244.130.46): 1 Time(s)
>        operator (218.244.130.46): 1 Time(s)
>        rpm (218.244.130.46): 1 Time(s)
>        sshd (218.244.130.46): 1 Time(s)
>     Invalid Users:
>        Unknown Account: 92 Time(s)
>
> I'm guessing that someone at 218.244.130.46 was trying to log in as root
> (15 times), adm, apache, bin, daemon, ftp, games, lp, mail, news,
> nobody, operator, rpm, sshd, and 92 unknown users?
>
> I'm wanting to delete old mail.  But I want to at least understand it
> before I delete it.
>
> I doubt that I've been owned, but how would I check?  With all the yum
> updates I've done, I doubt my system files will match up with the
> installation CDs.
>
>
>
> --
> Ralph
>
> --------------------
> Fairy tales do not tell children that dragons exist. Children already
> know that dragons exist. Fairy tales tell children that dragons can be
> killed.
> --G. K. Chesterton
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
>

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
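The "record the failed IPs and build a block list" idea from the reply above, as an added example that is not part of the original mail: it summarises sshd "Failed password" syslog lines per source address and prints an iptables DROP rule for every source at or above a threshold, skipping a whitelisted address the way the first rule set does. The log lines are constructed samples using documentation addresses; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mail). Constructed sshd syslog lines:
# three failures from 198.51.100.7, one failure and one success from 192.0.2.10.
SAMPLE_LOG='Feb 12 18:01:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 41012 ssh2
Feb 12 18:01:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 41013 ssh2
Feb 12 18:01:09 host sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 41014 ssh2
Feb 12 18:02:11 host sshd[2110]: Failed password for root from 192.0.2.10 port 50001 ssh2
Feb 12 18:03:40 host sshd[2115]: Accepted publickey for ralph from 192.0.2.10 port 50002 ssh2'

# count_failures: read syslog lines on stdin, print "count ip" per source,
# highest count first. Only sshd "Failed password" lines are counted.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip[$(i + 1)]++
         }
         END { for (a in ip) print ip[a], a }' | sort -rn
}

# block_rules THRESHOLD [WHITELIST_IP]: emit one iptables DROP rule per source
# with at least THRESHOLD failures, never for the whitelisted address.
block_rules() {
    count_failures | awk -v t="$1" -v w="$2" '$1 >= t && $2 != w {
        printf "iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n", $2 }'
}

# Stand-alone demo: sources with 3 or more failures, 192.0.2.10 whitelisted.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3 192.0.2.10
```

Feed it real lines with `grep sshd /var/log/secure | block_rules 10 <your-ip>` and review the output before running any of it; the rules are printed, not applied.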
