Xconsole.log?
edited May 2012 in General

Okay, I haven't logged into PuTTY or SSH for about 2 weeks now.

My xconsole.log is over 30 MB and has over 300,000 lines of error codes.

Most of them look like this:

May 27 17:32:18 speakwhatsreal sshd[32243]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.165.117.61 user=root

May 27 17:32:19 speakwhatsreal sshd[32243]: Failed password for root from 121.165.117.61 port 40681 ssh2

Or:

May 27 13:15:18 speakwhatsreal sshd[18246]: pam_unix(sshd:auth): check pass; user unknown

May 27 13:15:18 speakwhatsreal sshd[18246]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.165.117.61
May 27 13:15:18 speakwhatsreal sshd[18247]: Invalid user stijn from 121.165.117.61

OR

May 22 10:52:47 speakwhatsreal sshd[5604]: pam_unix(sshd:auth): check pass; user unknown

May 22 10:52:47 speakwhatsreal sshd[5604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:52:50 speakwhatsreal sshd[5604]: Failed password for invalid user dixon from 71.43.140.174 port 55541 ssh2
May 22 10:52:50 speakwhatsreal sshd[5606]: Invalid user yclee from 71.43.140.174
May 22 10:52:51 speakwhatsreal sshd[5606]: pam_unix(sshd:auth): check pass; user unknown
May 22 10:52:51 speakwhatsreal sshd[5606]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:52:53 speakwhatsreal sshd[5606]: Failed password for invalid user yclee from 71.43.140.174 port 55690 ssh2
May 22 10:52:54 speakwhatsreal sshd[5608]: Invalid user steve from 71.43.140.174
May 22 10:52:54 speakwhatsreal sshd[5608]: pam_unix(sshd:auth): check pass; user unknown
May 22 10:52:54 speakwhatsreal sshd[5608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:52:55 speakwhatsreal sshd[5608]: Failed password for invalid user steve from 71.43.140.174 port 55774 ssh2
May 22 10:52:56 speakwhatsreal sshd[5610]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com user=root
May 22 10:52:58 speakwhatsreal sshd[5610]: Failed password for root from 71.43.140.174 port 55887 ssh2
May 22 10:52:59 speakwhatsreal sshd[5612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com user=root
May 22 10:53:01 speakwhatsreal sshd[5612]: Failed password for root from 71.43.140.174 port 56017 ssh2
May 22 10:53:02 speakwhatsreal sshd[5614]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com user=root
May 22 10:53:05 speakwhatsreal sshd[5614]: Failed password for root from 71.43.140.174 port 56142 ssh2
May 22 10:53:06 speakwhatsreal sshd[5616]: Invalid user yclee from 71.43.140.174
May 22 10:53:06 speakwhatsreal sshd[5616]: pam_unix(sshd:auth): check pass; user unknown
May 22 10:53:06 speakwhatsreal sshd[5616]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:53:08 speakwhatsreal sshd[5616]: Failed password for invalid user yclee from 71.43.140.174 port 56279 ssh2
May 22 10:53:09 speakwhatsreal sshd[5618]: Invalid user dixon from 71.43.140.174
May 22 10:53:09 speakwhatsreal sshd[5618]: pam_unix(sshd:auth): check pass; user unknown
May 22 10:53:09 speakwhatsreal sshd[5618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:53:11 speakwhatsreal sshd[5618]: Failed password for invalid user dixon from 71.43.140.174 port 56400 ssh2
May 22 10:53:12 speakwhatsreal sshd[5620]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com user=root
May 22 10:53:13 speakwhatsreal sshd[5620]: Failed password for root from 71.43.140.174 port 56530 ssh2
May 22 10:53:14 speakwhatsreal sshd[5622]: Invalid user dixon from 71.43.140.174
May 22 10:53:14 speakwhatsreal sshd[5622]: pam_unix(sshd:auth): check pass; user unknown
May 22 10:53:14 speakwhatsreal sshd[5622]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rrcs-71-43-140-174.se.biz.rr.com
May 22 10:53:17 speakwhatsreal sshd[5622]: Failed password for invalid user dixon from 71.43.140.174 port 56630 ssh2
May 22 10:53:18 speakwhatsreal sshd[5624]: Invalid user kent from 71.43.140.174

I am obviously a Linux noob, but I know this isn't right. Is this proof of someone trying to brute force their way in? Or is this global logging of everyone on the server? Anyone with some hindsight on this issue, please tell me. I am anxious. Thank you.

I Also noticed some IP's are from: http://219.239.227.125/ Which looks like either a Fake DC Site, or a real one. Not sure.

Comments

  • Looks like a brute force on your root account via SSH. I would either set up iptables to block the IP addresses you're seeing in your log, or move your SSH to a different port than the default, which is port 22. If you move it to a different port most brute force scanners will skip you because they look for SSH on port 22.

    You can use This as a reference for some general iptables rules.

    Hope this helps.

    Cheers!

    Thanked by 1SpeakWhatsReal
  • TheLinuxBug, thanks for that. Problem is there are thousands of IPs. Is there a way to edit my VPS so it will only accept connections from the IP I specify?

  • If you check that file I posted, I think a few lines down it includes the iptables configuration for only allowing certain IPs access. Though I would think changing your default SSH port would lead to a slightly quicker fix, I would also suggest still setting up some type of IP limitation. The great thing about a VPS is even if you mess up and put in the wrong iptables setup you can log in through the serial console and just iptables -F and clear all your tables.

    Good Luck!

    Thanked by 1SpeakWhatsReal
  • joepie91 (Member, Patron Provider)

    Have a look at fail2ban.

    Thanked by 1SpeakWhatsReal
  • edited May 2012

    @TheLinuxBug

    I have run these 2 commands from #9

    9. Allow outgoing SSH only to a specific network

    iptables -A OUTPUT -o eth0 -p tcp -d MYIPHERE --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    I replaced "MYIPHERE" with my IP. Is IP spoofing still possible through this method? Or is it fine? And just to make sure, is #9 the correct way? I ran these commands and got no confirmation message, is that normal?

    I also did incoming:

    5. Allow incoming SSH only from a specific network

    iptables -A INPUT -i eth0 -p tcp -s MYIPHERE --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    I changed my port as well, should help? ;)
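    The two rule pairs quoted in the post above only add ACCEPT rules. With the chain policy left at its default of ACCEPT, an ACCEPT rule for one address changes nothing on its own: it has to be followed by a rule that drops everyone else on that port, and the order matters, because a DROP placed before the whitelist ACCEPT locks the admin out too. As an added example (editor's code, not from the thread or from the iptables reference linked earlier), the POSIX shell function below prints a complete iptables-restore ruleset that does this. The address 203.0.113.10 and port 2222 are documentation placeholders; ssh_ruleset, ADMIN_IP and SSH_PORT are names I chose. The -i eth0 / -o eth0 matches from the thread are left out on purpose: many OpenVZ VPSes expose venet0 rather than eth0, and a rule bound to the wrong interface never matches. The OUTPUT rules are also left out, since restricting outgoing SSH does nothing against inbound brute force. -m conntrack --ctstate is the current spelling of the thread's -m state --state.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset that allows SSH on $2 only
# from $1 and drops every other connection to that port. Not the thread's code.
# ADMIN_IP / SSH_PORT and the values 203.0.113.10 / 2222 are placeholders.

ssh_ruleset() {
    admin_ip="$1"
    ssh_port="$2"
    # Refuse obviously bad input: a typo here is how you lock yourself out.
    case "$ssh_port" in
        ''|*[!0-9]*) echo "ssh_ruleset: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "ssh_ruleset: port out of range" >&2; return 1
    fi
    case "$admin_ip" in
        ''|*[!0-9./]*) echo "ssh_ruleset: admin IP must be IPv4 or IPv4/CIDR" >&2; return 1 ;;
    esac
    # iptables-restore ignores lines starting with '#', so the comments can stay.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Keep loopback and the session you are applying this from working.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Whitelist first ...
-A INPUT -p tcp -s $admin_ip --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# ... then the explicit DROP. Without this line the ACCEPT above changes nothing,
# because the chain policy is still ACCEPT.
-A INPUT -p tcp --dport $ssh_port -j DROP
COMMIT
EOF
}

# Usage, as root, after moving Port in sshd_config and restarting sshd:
#   ADMIN_IP=203.0.113.10 SSH_PORT=2222 sh this_script.sh > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules   # atomic: all rules or none
#   iptables -S INPUT                         # verify: ACCEPT line before the DROP
# iptables-restore replaces the whole filter table, so the rules typed by hand
# earlier in the thread are superseded, not appended to.
ssh_ruleset "${ADMIN_IP:-203.0.113.10}" "${SSH_PORT:-2222}"
```

    Two caveats a practitioner would add: keep the provider's serial console open while applying this the first time, and remember that ip6tables is a separate table, so if the VPS has an IPv6 address sshd is still reachable there until the same rules are loaded with ip6tables-restore.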

  • TheLinuxBug (Member)
    edited May 2012

    You will not get confirmation from iptables.
    To see what rules you have set you can type: iptables -L

    Should give you an output similar to the following, but with your rules listed:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Moving from the default port will always keep automated scripts from at least finding you quickly. That's not to say someone cannot manually scan your server and find where SSH is located, but as that implies the need for manual intervention... most people will just skip over you.

    As @joepie91 said fail2ban is another option to look into, but for a beginner it is never a bad idea to learn a little about iptables as it will always come in handy to know. Fail2ban does a little more automated blocking, when it sees a single host retrying many times it just automatically firewalls it for you. Maybe that is your next step :)

    Thanked by 1SpeakWhatsReal
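    As an added example (editor's code, not from the thread and not fail2ban itself), the POSIX shell script below does by hand what the first reply's diagnosis and the fail2ban description just above amount to: it reads the sshd "Failed password" lines quoted at the top of the thread, counts them per source address, and prints the addresses that reached a threshold, which is what fail2ban's maxretry does (the findtime window is not implemented here). The first seven log lines are copied from the thread; the final "Accepted publickey" line, the address 203.0.113.10 and the threshold of 3 are constructed so the script can show that a successful login is not counted. The function names are mine.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address and name the
# addresses that hit a threshold. Not from the thread; not fail2ban's code.

# Sample log. Lines 1-7 are sshd lines quoted in the thread above; the last line
# is CONSTRUCTED (203.0.113.10 is a documentation address) to show that an
# accepted login is ignored by the counter.
SAMPLE_LOG='May 27 17:32:19 speakwhatsreal sshd[32243]: Failed password for root from 121.165.117.61 port 40681 ssh2
May 22 10:52:50 speakwhatsreal sshd[5604]: Failed password for invalid user dixon from 71.43.140.174 port 55541 ssh2
May 22 10:52:53 speakwhatsreal sshd[5606]: Failed password for invalid user yclee from 71.43.140.174 port 55690 ssh2
May 22 10:52:55 speakwhatsreal sshd[5608]: Failed password for invalid user steve from 71.43.140.174 port 55774 ssh2
May 22 10:52:58 speakwhatsreal sshd[5610]: Failed password for root from 71.43.140.174 port 55887 ssh2
May 22 10:53:01 speakwhatsreal sshd[5612]: Failed password for root from 71.43.140.174 port 56017 ssh2
May 22 10:53:05 speakwhatsreal sshd[5614]: Failed password for root from 71.43.140.174 port 56142 ssh2
May 22 11:00:00 speakwhatsreal sshd[5700]: Accepted publickey for admin from 203.0.113.10 port 50000 ssh2'

# Read log lines on stdin, print "count ip" per source, highest count first.
# Only the "Failed password for" line is counted: sshd also logs "Invalid user X"
# and pam_unix "authentication failure" for the same attempt, so counting all
# three would triple-count one guess.
count_ssh_failures() {
    awk '/Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least $1 failures: the equivalent of fail2ban's maxretry.
ban_candidates() {
    count_ssh_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Emit one iptables command per candidate rather than running it, so the list
# can be reviewed first; pipe the output through "sh" as root to apply.
suggest_blocks() {
    ban_candidates "$1" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Stand-alone run: summary, then the blocks suggested at threshold 3.
printf '%s\n' "$SAMPLE_LOG" | count_ssh_failures
printf '%s\n' "$SAMPLE_LOG" | suggest_blocks 3
```

    On a real box, replace the sample with the live file (on Debian-style systems the sshd lines land in /var/log/auth.log; the thread's xconsole.log is a copy of the same messages): `count_ssh_failures < /var/log/auth.log`. The per-address DROP rules this suggests are what fail2ban inserts and later expires for you; the point of the script is to make that logic visible before handing it to a daemon.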
  • joepie91 (Member, Patron Provider)

    @SpeakWhatsReal said: I replaced "MYIPHERE" with my IP. Is IP spoofing still possible through this method? Or is it fine? And just to make sure, is #9 the correct way? I ran these commands and got no confirmation message, is that normal?

    UNIX-oriented tools typically follow the 'only output a notification when something goes wrong' philosophy.

    Thanked by 1SpeakWhatsReal
  • Okay, changed port. Updated password to 32+ characters long, blocked all incoming and outgoing SSH authorization to only accept my IP from my house. I believe people can still IP spoof if they want?

    What I did is the norm right? Any other goodies to know about to stop these dirties? Thanks @TheLinuxBug

  • joepie91 (Member, Patron Provider)

    @SpeakWhatsReal said: I believe people can still IP Spoof if they want?

    No, you can't spoof an IP on a normal TCP connection where you wish to fully complete the handshake (which is what you do for an SSH connection), for the simple reason that if someone spoofs an IP, he will never get the handshake response from the server; the server will send that response to the (spoofed) IP instead, which doesn't know anything about the connection and just discards it.

    Thanked by 1SpeakWhatsReal
  • TheLinuxBug (Member)
    edited May 2012

    People would really have to want to mess with you to try and spoof, especially if they need to find out your IP first to spoof it, so I wouldn't be worried about that. RE: what @joepie91 said.

    Yes, that all looks up to par to me. Should stop the attacks you're seeing now at least.

    Cheers!

    Thanked by 1SpeakWhatsReal
  • edited May 2012

    Thank you guys for the help, pretty amazing how I came in here asking for some help and received it both from PMs and through a thread. I know I sound pretty noob but to be honest I know nothing about Linux, but I am learning more and more through each new "event" that happens, whether I am installing some stuff with commands or finding huge file sizes in my log folder. (No pun.) It really is that simple. I want to thank all of you for your help. Thanked every post on this thread ~

    I will keep you guys updated in a couple hours, tomorrow and see what the logs look like now :P (To show proof If I did my work right, LOL)

  • Okay, I accidentally deleted my xconsole.log file because it was so big. Any way to enable it again? I refreshed my log directory and it doesn't show anymore, oops :(
