Security :: Legitimate Internet Connections Logged In To Server As Break In Attempts?

Oct 22, 2010

On my server I sometimes login from my home where I have an internet connection which does not have a static IP; each time I switch on my modem a dynamic IP is generated. I see the following lines in auth.log whenever I login to my server from home:

Quote:
reverse mapping checking getaddrinfo for kkts-kk-dynamic-01.1.168.192.some_broadband.in [192.168.1.2] failed - POSSIBLE BREAK-IN ATTEMPT
Accepted publickey for root from 192.168.1.2 port 22852 ssh2

In this case I do know that it was me who logged in, but still, why do I see such a log? What is this complaining about?

View 11 Replies
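What sshd is doing on that line is a forward-confirmed reverse DNS check (it runs whenever UseDNS is on, which was the default for OpenSSH of that era): it resolves the client IP to a name via PTR, resolves that name back to addresses, and warns if the original IP is not among them. The warning is logged before authentication and does not by itself refuse the login; it only matters if something else (hosts.allow, a `from=` restriction in authorized_keys) matches on hostnames. The script below is an added example, not from the post, that reproduces the check with getent(1) so you can run it against your own dynamic address. `ptr_lookup` and `a_lookup` are thin wrappers introduced here so they can be stubbed out for offline testing.

```bash
#!/bin/sh
# Forward-confirmed reverse DNS (FCrDNS) check, the same test sshd runs when
# UseDNS is on. Added example; not from the original post.
#
# ptr_lookup and a_lookup wrap getent(1); redefine them to test offline.

ptr_lookup() {
    # PTR: IP -> hostname (empty if there is no reverse record)
    getent hosts "$1" 2>/dev/null | awk '{print $2; exit}'
}

a_lookup() {
    # A records: hostname -> one IPv4 address per line
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# fcrdns_check IP
#   returns 0: PTR exists and one of its A records points back at IP
#   returns 1: PTR exists but does not map back (sshd logs the
#              "POSSIBLE BREAK-IN ATTEMPT" warning for this case)
#   returns 2: no PTR record at all (sshd stays quiet and logs the bare IP)
fcrdns_check() {
    ip=$1
    name=$(ptr_lookup "$ip")
    if [ -z "$name" ]; then
        echo "$ip: no reverse record"
        return 2
    fi
    for addr in $(a_lookup "$name"); do
        if [ "$addr" = "$ip" ]; then
            echo "$ip: reverse mapping $name confirmed"
            return 0
        fi
    done
    # same wording sshd uses, minus the alarming suffix
    echo "reverse mapping checking getaddrinfo for $name [$ip] failed"
    return 1
}

# Usage: fcrdns_check 203.0.113.5
```

For a home connection the PTR record belongs to the ISP, so the only fixes are to ask the ISP for a matching forward record (rarely possible for dynamic pools) or to set `UseDNS no` in sshd_config, which also speeds up logins. What actually protected the login in the quoted log is the public key, not the DNS check.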



OpenSUSE Network :: SSH "break In Attempts"?

Jan 16, 2010

However, I have a program called fail2ban installed, which is great because 3 failed attempts within an hour from any IP address and that IP gets banned for an hour. But, as you can see, this person is using a different IP every time so fail2ban can't really stop them. I see there is a reverse mapping check that catches this person occasionally. That's great and I assume that if the reverse mapping doesn't check out, it would not allow the connection. Is this correct or would the reverse mapping allow them anyway? I can't believe that this person has this many real IP addresses. So, why would the reverse mapping not pick up all these others, or are they really real? Last question: Is there any way to pick up on this person's real IP and ban it? Perhaps have a fake login account that lets him think he is connecting... assuming a real IP would be needed for a connection.

2010-01-16T21:17:44.061821-08:00 neutrino sshd[28187]: Invalid user admin from 150.214.45.10
2010-01-16T21:17:57.489228-08:00 neutrino sshd[28193]: Invalid user admin from

[code]....

View 9 Replies View Related

Security :: Block User Accounts Who Has Not Logged In To The Server Last 2 Months?

Mar 1, 2011

We have 4 servers having rhel 5.2. We have several users logged in on one of them. We have nis server/client running on them and have a common home area mounted on all of them. Now we want to disable/block the accounts of the users who have not accessed our servers in the last 2 months from today. What logic should we apply to do so? We were checking the stat of .bashrc of each user but that is not correct logic. We are going to write a shell script for the same. We don't want to do anything in the users' home area or their files.

View 11 Replies View Related
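The record to use is the one sshd/login already keep: /var/log/lastlog, read with lastlog(1), which gives each account's latest login and flags accounts that never logged in. The script below is an added example, not from the post; it parses lastlog output, lists accounts idle for more than N days and (optionally) locks them. Assumptions: GNU date(1) for the date arithmetic, the lastlog output format shown in the constructed sample, and that `usermod -L` plus `chage -E 0` is the desired lock (password disabled and account expired, nothing in the home directory touched).

```bash
#!/bin/sh
# Find users whose last login (per lastlog) is older than N days and lock
# them. Added example, not from the original post. Assumes GNU date(1) and
# the lastlog output format shown in SAMPLE_LASTLOG.

# Constructed sample of `lastlog` output for testing; not real data.
SAMPLE_LASTLOG='Username         Port     From             Latest
root             pts/0    10.0.0.5         Mon Feb 28 09:12:01 +0000 2011
alice            pts/1    10.0.0.7         Tue Feb 22 17:40:12 +0000 2011
bob              pts/2    10.0.0.9         Sat Dec 18 08:01:55 +0000 2010
carol                                      **Never logged in**
dave             pts/0    10.0.0.11        Wed Jan  5 11:22:33 +0000 2011'

# stale_users LASTLOG_TEXT DAYS [NOW]
# Prints one username per line whose latest login is older than DAYS
# (or who never logged in). root is always skipped. NOW defaults to the
# current time; passing it explicitly makes the result reproducible.
stale_users() (
    set -f                                  # no globbing of "**Never logged in**"
    lastlog_text=$1; days=$2; now=${3:-now}
    now_s=$(date -d "$now" +%s)
    cutoff=$(( now_s - days * 86400 ))
    printf '%s\n' "$lastlog_text" | tail -n +2 | while IFS= read -r line; do
        set -- $line
        user=$1
        [ "$user" = root ] && continue
        case "$line" in
            *"Never logged in"*) echo "$user"; continue ;;
        esac
        # fields 4..9 are "Mon Feb 28 09:12:01 +0000 2011"; drop the weekday
        last_s=$(date -d "$5 $6 $7 $8 $9" +%s)
        if [ "$last_s" -lt "$cutoff" ]; then
            echo "$user"
        fi
    done
)

# lock_stale DAYS
# Locks the password and expires the account for every stale user.
# Dry run unless APPLY=1. On an NIS master the same commands apply to the
# NIS passwd source; push the map afterwards (assumption: standard ypserv
# layout, `make -C /var/yp`).
lock_stale() {
    days=$1
    stale_users "$(lastlog)" "$days" | while read -r user; do
        if [ "${APPLY:-0}" = 1 ]; then
            usermod -L "$user" && chage -E 0 "$user"   # lock password + expire
        else
            echo "would lock: $user"
        fi
    done
}
```

Because there are four servers, run `lastlog` on each and only lock a user who is stale on all of them; lastlog is per host and a user who only ever logs in to the fourth box would look idle on the other three. Filter out system accounts (uid below 500 on RHEL 5) before locking, for example by checking `getent passwd "$user"` in the loop.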

Security :: Getting The Connections To IRC Server?

Feb 4, 2010

For some time now I've been noticing the network activity light for my linux box blinking like mad on my router. After a little looking around for ways to see what connections my box has established, I found the following using lsof -i

Code:

bash 13839 root 1u IPv4 3118972 TCP shana:49148->Oslo.NO.EU.undernet.org:ircd (SYN_SENT)
bash 13839 root 2u IPv4 3118986 TCP shana:34323->161.53.178.240:distinct

[code]....

I know I'm not using IRC, and I have my sshd locked down fairly tight, requiring a key to log in, so obviously, it looks like there's something or somebody in Croatia (the origin of that IP address) connecting my system to undernet.org for some nefarious purpose. Looking at my processes, ID 13839 shows up as

Code:

13839 ? S 0:00 bash
Just 'bash', not '-bash' as

Code:

13426 pts/0 S 0:00 -bash

my session appears. Previously, this odd bash process was ID 2704, which seemed to imply that it had launched fairly soon after my system booted up which really makes me wonder. Oh, and yes, I did kill that 2704 process, and it returned as this 13839. 2704 also had those same IRC connections present in lsof.

View 12 Replies View Related

Fedora Networking :: Two Internet Connections On F10 Server?

Feb 25, 2009

I have a question regarding the use of two internet connections on the same server. So, the thing is like this: The server will have 3 network adapters: eth0 ----> connected to a DSL modem (on this adapter I have one of the internet connections, a PPPoE connection). Its only purpose is to share the internet connection to all LAN users using SNAT.

eth1 ----> the other internet connection, a much more expensive one actually, used for hosting a website, a domain name server, and a qmail server. eth2 ----> LAN connection So what I want is to make eth1 the "default gateway" (for outgoing mail, DNS requests, etc) and, as I said, use the ppp0 connection on eth0 only for internet sharing in LAN.

My question is (since I'll configure this server in about one week), does anybody have any suggestions regarding how I could accomplish this? I mean, I'm afraid that ppp0 will also try to use the default gateway from the other internet connection and vice-versa. Now, I know I can use the ip route/ip rule commands, but for many reasons I'd like to keep it simple and not use them.

View 4 Replies View Related

Networking :: Squid Server With Two Internet Connections?

Feb 3, 2010

I have to configure a squid server which will have two internet connections on two separate LAN cards and both will run simultaneously. I know how to configure a squid server with one internet connection.

View 4 Replies View Related

Security :: Policy That Limits Connections On Port - Encapsulates Total Sum Of All Connections From Hosts?

Jan 21, 2011

Is it fair to say that connlimit and hashlimit are very similar on Linux, i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How, in iptables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000 conn/minute for a port range, as the sum over all connecting hosts?

View 3 Replies View Related
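The two modules are not the same thing: connlimit counts concurrent connections per source (with a configurable mask), while hashlimit is a rate limiter keyed on whatever `--hashlimit-mode` names (srcip, dstport, ...). For a single cap summed over every source the plain `limit` match is the right tool, because it keeps one token bucket per rule (hashlimit without any `--hashlimit-mode` behaves the same way, as its man page notes, at the cost of the hash bookkeeping). The script below is an added example, not from the post: it emits the aggregate rule set next to the per-source variant so the difference is visible. Port range 8000:8100 and chain names are placeholders; rules are printed rather than applied unless APPLY=1, so it runs without root.

```bash
#!/bin/sh
# Aggregate (all-sources) connection-rate cap for a TCP port range, next to a
# per-source cap for contrast. Added example, not from the original post.
# Rules are printed unless APPLY=1, so the generator can be reviewed without
# root.

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# aggregate_limit PORTRANGE PER_MINUTE
# Caps new connections (SYN) to PORTRANGE at PER_MINUTE, summed over every
# source. `-m limit` keeps a single token bucket per rule, so it is already
# the "total sum of all hosts" asked about; no hashlimit needed. The burst
# is set equal to the rate so a quiet minute is not followed by a stall.
aggregate_limit() {
    ports=$1; rate=$2
    chain="RATE_$(echo "$ports" | tr ':' '_')"
    ipt -N "$chain" 2>/dev/null
    ipt -A INPUT -p tcp --dport "$ports" --syn -j "$chain"
    ipt -A "$chain" -m limit --limit "${rate}/minute" --limit-burst "$rate" -j ACCEPT
    ipt -A "$chain" -j DROP
}

# per_source_limit PORTRANGE PER_MINUTE
# The same cap but tracked per source address (hashlimit keyed on srcip);
# shown only to make the difference from aggregate_limit explicit.
per_source_limit() {
    ports=$1; rate=$2
    name="src_$(echo "$ports" | tr ':' '_')"
    ipt -A INPUT -p tcp --dport "$ports" --syn \
        -m hashlimit --hashlimit-name "$name" --hashlimit-mode srcip \
        --hashlimit-upto "${rate}/minute" --hashlimit-burst "$rate" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$ports" --syn -j DROP
}

# Usage: aggregate_limit 8000:8100 6000      (APPLY=1 to install the rules)
```

Matching on `--syn` counts connection attempts rather than every packet, which is what a per-minute connection budget means; drop the `--syn` and the limit becomes a packet-rate limit on the established flows too.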

Fedora Installation :: Network Connections Is Inactive - Cannot Set Internet Connections

May 30, 2011

I recently installed Fedora 15, and during installation I set the internet connection manually; then I did an update and after the reboot the internet connection settings had been removed. Now I cannot set it, because in Network Connections the Internet connection is inactive. I mention that before the update the internet connection was functional.

View 5 Replies View Related

Networking :: Binding 2 Internet Connections On Same Fedora Server

Apr 11, 2009

Can I bind 2 internet connections or more on the same Fedora server to create a bigger one with double bandwidth, or does it need a specific router to be able to do this?

View 1 Replies View Related

Fedora Security :: Finding The Source Of A Break In ?

Jul 16, 2010

I noticed a very very high cpu usage on my webserver. All four CPUs were running on 100%.

Top shows several perl processes from apache that run for a long time, with a high %CPU.

Since the server was fc10, I did a fresh installation to fc13, and the fresh installation didn't have this issue. Then I loaded back all the user-data, and it started again.

Several, 4, 6, 8, ... 100 perl processes from apache.

lsof -p with the pid of such a process

Code:

The established connection is sometimes "proud2pirate.com" which is a non-existing domain.

View 14 Replies View Related
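Both this post and the IRC-bot post above come down to the same triage: find the processes that own the unexpected outbound connections, then record where they were started from before killing them, because the dropped script or binary (and its working directory under /tmp or a web-writable path) is the evidence that tells you how it got in. The script below is an added example, not from either post. It picks IRC connections out of `lsof -i` output (the sample lines are constructed, not captured) and dumps the /proc facts for a PID; `stat -c %y` on the /proc entry as a start-time hint assumes GNU stat.

```bash
#!/bin/sh
# Triage for "a process I didn't start has network connections": pick out the
# PIDs from `lsof -i` output that talk to IRC ports, then pull the facts from
# /proc that show where the binary and its working directory live.
# Added example serving the IRC-bot post and the perl-from-apache post above;
# not from either post. The lsof text below is constructed, not captured.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1001 root    3u  IPv4   9001      0t0  TCP *:ssh (LISTEN)
bash    13839 root    1u  IPv4 3118972      0t0  TCP shana:49148->irc.example.org:ircd (SYN_SENT)
bash    13839 root    2u  IPv4 3118986      0t0  TCP shana:34323->198.51.100.9:distinct (ESTABLISHED)
perl     2210 apache  5u  IPv4 3120001      0t0  TCP shana:51000->203.0.113.77:6667 (ESTABLISHED)
httpd    2001 apache  4u  IPv4   9102      0t0  TCP *:http (LISTEN)'

# irc_pids LSOF_TEXT
# Prints "PID COMMAND USER REMOTE" for each connection whose remote port is
# the ircd service name or the 6660-6669/7000 range. Works on both the
# default (service-name) and `lsof -n -P` (numeric) output.
irc_pids() {
    printf '%s\n' "$1" | awk '/->/ {
        for (i = 1; i <= NF; i++) if ($i ~ /->/) name = $i
        split(name, ends, "->")            # ends[2] = remote host:port
        n = split(ends[2], hp, ":")
        port = hp[n]
        if (port ~ /^(ircd|irc|666[0-9]|7000)$/) print $2, $1, $3, ends[2]
    }' | sort -u
}

# proc_triage PID
# What identifies a rogue process: its executable (may already be deleted),
# its cwd (bots are usually dropped under /tmp, /var/tmp or a web user's
# home), the full command line, the parent and the uid. Reads /proc only.
proc_triage() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid $pid"; return 1; }
    echo "exe:   $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd:   $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "cmd:   $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "ppid:  $(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
    echo "uid:   $(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
    echo "start: $(stat -c %y "/proc/$pid" 2>/dev/null)"   # assumption: GNU stat
}

# Usage:
#   irc_pids "$(lsof -i -n -P)" | while read -r pid rest; do proc_triage "$pid"; done
```

Two habits that fit what both posters saw: copy `/proc/PID/exe` and the cwd contents somewhere safe before killing (a deleted binary is only reachable through /proc while the process lives), and when a killed process comes back under a new PID, look for the restarter (crontab of the owning user, /etc/rc.local, an `@reboot` entry, or in the Apache case the PHP/Perl file in the restored user data that spawns it) rather than killing it again.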

Server :: When Executed Last Command Its Showing System Ip Logged In Time And Logged Out Time The Output?

Feb 27, 2011

Logging in to a server through PuTTY in the same network, when I executed the last command it showed the system IP, logged-in time and logged-out time. The output is as follows (this is my system):

root pts/1 xx.xx.xx day month date time in - time out

and similarly I am getting, other than this, a line like

root :0 day month date time still logged in

This has been logged in for more than 3 days.

View 2 Replies View Related

Fedora Security :: Email On ALL Ssh Login Attempts?

Apr 28, 2009

I know this is probably easy and if I only took a while to figure it out maybe I could, but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything: daemons, scripts or cron; it all works as I am not running a production server (but I might be starting that soon). Oh, and just a side question: how do I get sent an email when I get port scanned?

View 6 Replies View Related
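The cheapest version of this is a `tail -F` on the auth log piped through a filter and into mail(1), plus a netfilter LOG rule so port scans land in the same log stream. The script below is an added example, not from the post. It assumes Fedora's /var/log/secure, a working local mail(1), and that the PORTSCAN prefix is one you add with the rule shown; the sample lines used in the test are constructed.

```bash
#!/bin/sh
# Mail on every sshd authentication event (accepted, failed, invalid user,
# connects that never send a banner) and on firewall LOG lines tagged as
# port scans. Added example, not from the post; assumes syslog-style
# /var/log/secure (Fedora) and a working mail(1).

LOG=${LOG:-/var/log/secure}
MAILTO=${MAILTO:-root}

# ssh_events: stdin -> stdout, keeps only the lines worth an alert.
ssh_events() {
    grep --line-buffered -E \
        'sshd\[[0-9]+\]: (Accepted|Failed) [a-z]+ for|sshd\[[0-9]+\]: Invalid user|sshd\[[0-9]+\]: Did not receive identification string|kernel:.*PORTSCAN:'
}

# watch_auth: follow the log and send one mail per event. The subject carries
# the event type so a mail filter can separate accepted logins from noise.
watch_auth() {
    tail -n 0 -F "$LOG" | ssh_events | while IFS= read -r line; do
        case $line in
            *"Accepted "*)   subj="ssh login OK" ;;
            *PORTSCAN*)      subj="port scan" ;;
            *)               subj="ssh attempt" ;;
        esac
        printf '%s\n' "$line" | mail -s "[$(hostname -s)] $subj" "$MAILTO"
    done
}

# Firewall side: tag (rate-limited) SYNs that reach the end of INPUT, i.e.
# ports nothing listens on, so the watcher above mails on them too.
# Run once as root, after the ACCEPT rules for the services you do run.
portscan_log_rule() {
    iptables -N PORTSCAN 2>/dev/null
    iptables -A PORTSCAN -m limit --limit 6/minute --limit-burst 6 \
        -j LOG --log-prefix "PORTSCAN: " --log-level warning
    iptables -A PORTSCAN -j DROP
    iptables -A INPUT -p tcp --syn -j PORTSCAN
}

# Usage: watch_auth &   (or run it from a systemd unit / rc.local)
```

One mail per event is fine on a home box; on anything busier, batch the lines (for example, collect them for five minutes with `timeout 300 ... | mail`) or you will mail yourself a dictionary attack one message at a time.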

Fedora Security :: Ssh Malicious Login Attempts

Nov 15, 2009

I have a server box behind my ISP router at home, and I need to allow ssh access to my server. My ISP router doesn't let me allow selectively ssh from some IP. It allows ssh to everyone.

I have fedora10 and openssh-server-5.1p1-3. How can I configure openssh to allow just from 1 IP?

Does it use xinetd at all and the hosts.allow and .deny mechanism?

View 14 Replies View Related
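Fedora's openssh-server is linked against libwrap, so sshd consults /etc/hosts.allow and /etc/hosts.deny itself; xinetd is not involved. That gives three independent places to pin sshd to one address, and it is worth setting all three because they fail differently: the firewall stops the TCP handshake (nothing in the logs), tcp_wrappers refuses before key exchange, and `AllowUsers user@host` refuses at authentication. The script below is an added example, not from the post; PREFIX lets it stage the files in a scratch directory, and firewall rules are printed unless APPLY=1. User and address are placeholders.

```bash
#!/bin/sh
# Limit sshd to one client address on a Fedora 10 / openssh 5.1 box using
# three independent layers. Added example, not from the post. Files are
# written under PREFIX (default empty, i.e. the real /etc) so the result can
# be staged in a scratch directory first; firewall rules are printed unless
# APPLY=1.

ipt() { if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi; }

# restrict_ssh USER IP
restrict_ssh() {
    user=$1; ip=$2; p=${PREFIX:-}

    # 1. tcp_wrappers. sshd itself reads hosts.allow (checked first) and
    #    hosts.deny; no xinetd needed.
    printf 'sshd: %s\n' "$ip" >> "$p/etc/hosts.allow"
    printf 'sshd: ALL\n'       >> "$p/etc/hosts.deny"

    # 2. sshd_config. user@host patterns restrict both who and from where;
    #    everyone else is refused before authentication.
    printf 'AllowUsers %s@%s\n' "$user" "$ip" >> "$p/etc/ssh/sshd_config"
    [ -z "$p" ] && sshd -t    # syntax-check the live config before reloading

    # 3. netfilter. The only layer that stops the TCP handshake itself, so
    #    scanners never reach sshd and never appear in the logs.
    ipt -I INPUT -p tcp --dport 22 -s "$ip" -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j DROP
}

# Usage: restrict_ssh alice 203.0.113.5   (then: service sshd reload)
```

Check the position of the DROP rule with `iptables -L INPUT -n --line-numbers`: if an earlier rule already ACCEPTs everything on port 22, the appended DROP is never reached. Keep a session open while reloading sshd so a typo in AllowUsers cannot lock you out.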

Ubuntu Security :: Log User Login Attempts Only?

Jun 29, 2010

How can I set up snort to only log and detect/capture logins using root or any of the "homeusers" login accounts or names?

View 9 Replies View Related

Ubuntu Security :: Firewall Showing SSH Attempts Quite Often

Sep 30, 2010

I'm running the firestarter firewall and it's been showing the odd ssh attempt quite often, e.g. I've had 4 attempts today, 3 in the last 40 mins. I realize that this may be nothing too serious but it's got me curious: aside from having a secure password (which I have), is there anything else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.

View 9 Replies View Related

Ubuntu Security :: SSH Login Attempts Using WINBIND ?

Oct 23, 2010

I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log.From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?

Code:
Oct 23 20:01:49 muon sshd[24329]: User root from 201.116.17.163 not allowed because not listed in AllowUsers

[code]...

View 9 Replies View Related

Security :: Block Port Scanning Attempts?

Nov 18, 2010

I run SSH on a publicly open server and see following attempts in /var/log/auth.log which I was told by some one could be port scanning attempts.(Not sure though)

Code:
Nov 18 23:50:19 server sshd[21716]: Did not receive identification string from 186.0.80.197
Nov 19 00:05:57 server sshd[24056]: Did not receive identification string from 85.108.110.66

How can I block above such attempts?

View 11 Replies View Related

Security :: Unlocking An Account After Too Many Failed Attempts?

May 20, 2010

How does one unlock an account when it is locked by too many failed attempts for login?

View 1 Replies View Related

Ubuntu Security :: Break In Through Disabled Root Account?

Nov 11, 2010

If root is disabled by default, how is it possible that someone managed to SSH into my computer using root? I never enable/set a password for root, it's always left as the default as per a fresh install and I always use sudo for any admin tasks. auth.log: First there are a whole load of failed attempts, then...

Code:
Nov 8 11:07:32 Morris-Desktop sshd[3601]: Failed password for root from 94.243.50.53 port 4360 ssh2

[code]...

View 9 Replies View Related

Ubuntu Security :: Block Multiple Ssh Login Attempts?

Mar 22, 2011

I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:

Mar 22 14:52:53 UbuntuSvr sshd[2397]: Invalid user support from 85.217.190.69
Mar 22 14:52:55 UbuntuSvr sshd[2399]: Invalid user student from 85.217.190.69
Mar 22 14:52:57 UbuntuSvr sshd[2401]: Invalid user transfer from 85.217.190.69
Mar 22 14:52:59 UbuntuSvr sshd[2403]: Invalid user user from 85.217.190.69

[Code]...

Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.

View 7 Replies View Related
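With password authentication off, none of those "Invalid user" lines ever reached a credential check: sshd refuses them at the pre-auth stage, so a ban mostly buys quieter logs and fewer forks. The script below is an added example, not from any of the posts; it computes what fail2ban and denyhosts compute (per-source failure counts and a ban list) and adds the per-username view that answers the earlier fail2ban question about the attacker's many addresses: the same short name list arriving from many sources is one botnet working one dictionary, which per-IP bans cannot stop. It also counts the "Did not receive identification string" lines from the post above as a separate kind. Assumes an Ubuntu-style /var/log/auth.log, at(1) for the timed unban, and a fixed tail of the log as the scan window; the sample log lines are constructed.

```bash
#!/bin/sh
# Per-source and per-username view of sshd failures in auth.log, plus a
# threshold ban list: what fail2ban/denyhosts compute, written out so the
# numbers can be checked by hand. Added example, not from any of the posts.
# Assumes syslog-format auth.log; the sample lines below are constructed.

SAMPLE_AUTH='Mar 22 14:52:53 srv sshd[2397]: Invalid user support from 203.0.113.9
Mar 22 14:52:55 srv sshd[2399]: Invalid user student from 203.0.113.9
Mar 22 14:52:57 srv sshd[2401]: Invalid user transfer from 203.0.113.9
Mar 22 14:52:59 srv sshd[2403]: Invalid user user from 203.0.113.9
Mar 22 14:53:01 srv sshd[2405]: Invalid user admin from 203.0.113.9
Mar 22 14:53:40 srv sshd[2410]: Invalid user admin from 198.51.100.20
Mar 22 14:53:42 srv sshd[2412]: Failed password for invalid user admin from 198.51.100.20 port 4011 ssh2
Mar 22 14:55:00 srv sshd[2420]: Did not receive identification string from 198.51.100.30
Mar 22 14:56:10 srv sshd[2430]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar 22 14:57:00 srv sshd[2440]: Invalid user admin from 192.0.2.77
Mar 22 14:58:00 srv sshd[2450]: Failed password for root from 192.0.2.77 port 4020 ssh2'

# auth_failures LOG_TEXT
# One "IP KIND USER" line per failure: invalid (no such account), failed
# (wrong credentials for a real or invalid user), noid (connected but never
# sent an SSH banner: a scanner or banner grab, not a login attempt).
auth_failures() {
    printf '%s\n' "$1" | sed -n -E \
        -e 's/.*sshd\[[0-9]+\]: Invalid user ([^ ]+) from ([0-9a-f.:]+).*/\2 invalid \1/p' \
        -e 's/.*sshd\[[0-9]+\]: Failed [a-z]+ for (invalid user )?([^ ]+) from ([0-9a-f.:]+).*/\3 failed \2/p' \
        -e 's/.*sshd\[[0-9]+\]: Did not receive identification string from ([0-9a-f.:]+).*/\1 noid -/p'
}

# top_users LOG_TEXT -- "N USER": how many distinct sources tried USER.
top_users() {
    auth_failures "$1" | awk '$2 != "noid" { seen[$3 " " $1] = 1 }
        END { for (k in seen) { split(k, p, " "); n[p[1]]++ }
              for (u in n) print n[u], u }' | sort -rn
}

# ban_list LOG_TEXT THRESHOLD -- sources with THRESHOLD or more failures.
ban_list() {
    auth_failures "$1" | awk -v t="$2" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# apply_bans THRESHOLD MINUTES -- meant for cron every few minutes. Scans the
# last WINDOW_LINES of the log (assumption: a fixed tail stands in for a time
# window), drops port 22 from each offender and schedules the undo with at(1).
# Dry run unless APPLY=1. NEVER_BAN is a space-separated list of your own
# addresses so a broken key on your side cannot lock you out.
apply_bans() {
    thr=$1; minutes=$2
    ban_list "$(tail -n "${WINDOW_LINES:-2000}" /var/log/auth.log)" "$thr" | while read -r ip; do
        case " ${NEVER_BAN:-} " in *" $ip "*) continue ;; esac
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -p tcp --dport 22 -s "$ip" -j DROP
            echo "iptables -D INPUT -p tcp --dport 22 -s $ip -j DROP" | at "now + $minutes minutes"
        else
            echo "would ban $ip for $minutes minutes"
        fi
    done
}

# Usage: NEVER_BAN="203.0.113.5" apply_bans 5 10      (APPLY=1 to enforce)
```

If you would rather not maintain this, fail2ban's stock `ssh` jail with `maxretry = 5` and `bantime = 600` is exactly this loop; the `top_users` view is the part it does not give you, and it is the one that tells you whether AllowUsers plus keys (which you already have) has made the bans cosmetic.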

Security :: Account Lock After Failed Login Attempts

May 25, 2010

I'm trying to lock an account after a number of failed login attempts in a RHEL5.

This is the relevant configuration in /etc/pam.d/system-auth

In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked

Do I need any other option in the PAM file? Is there any other way to lock an account?

View 5 Replies View Related

Security :: Use .htaccess To Redirect Chinese Hacking Attempts?

Aug 9, 2010

My server (CentOS 5.4) is being bombarded 24x7 with IP addresses from China trying to exploit phpMyAdmin. For every one I block on the firewall, half a dozen come to the funeral! It's a pity these morons don't have something better to occupy their time. I'm getting page after page of this (see below) every day and it's been going on for weeks. I don't even have phpMyAdmin on the server. I don't use it and I deleted it.

I've read that you can use .htaccess and / or mod_rewrite to redirect / block them based on any query for phpMyAdmin (they try all letters in upper and lower case, leading to page after page). Unfortunately, I have no idea how to do this. I already have an .htaccess file. Maybe someone can suggest what to add to stop these pests from wasting my bandwidth and suggest somewhere I could redirect them to cause them maximum problems. I don't want to block the entire country, seems a bit like overkill, not all Chinese are morons. We aren't even in the USA, so why they are doing this is beyond me.

A TINY sample!
[Sun Aug 08 13:29:08 2010] [error] [client 61.191.41.53] File does not exist: /var/www/corp/phpMyAdmin-2.7.2

[code]...

View 6 Replies View Related
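Redirecting the scanners anywhere just sends the traffic to a third party; the cheap answer is a 403 from the rewrite stage (no filesystem lookup, no 404 log line) and then letting the 403s feed a firewall ban so repeat offenders stop completing the TCP handshake at all. The script below is an added example, not from the post: it appends the rewrite rules to .htaccess and writes a fail2ban filter/jail for the resulting 403s. Assumptions: mod_rewrite is loaded and AllowOverride permits FileInfo; the access log is in Apache's combined format at the path given in the jail; the fail2ban regex uses Python 2-compatible syntax.

```bash
#!/bin/sh
# Turn phpMyAdmin probes into cheap 403s at the rewrite stage and give
# fail2ban something to match. Added example, not from the post. Assumes
# mod_rewrite is loaded and AllowOverride permits FileInfo in the docroot.

# write_pma_block DOCROOT -- appends the rules to DOCROOT/.htaccess
write_pma_block() {
    docroot=$1
    cat >> "$docroot/.htaccess" <<'EOF'
# Block phpMyAdmin / mysql-admin scanners (case-insensitive, any depth).
# [F] returns 403 without touching the filesystem; nothing is redirected,
# so no third party receives the traffic.
RewriteEngine On
RewriteCond %{REQUEST_URI} (^|/)(phpmyadmin|pma|myadmin|mysqladmin|sqlmanager)[^/]* [NC]
RewriteRule .* - [F,L]
EOF
}

# fail2ban_pma_filter [ETC] -- filter + jail that bans a source after two
# such 403s for a day. ETC defaults to /etc/fail2ban. The access-log path
# and the combined log format are assumptions; adapt them to your vhost.
fail2ban_pma_filter() {
    etc=${1:-/etc/fail2ban}
    mkdir -p "$etc/filter.d"
    cat > "$etc/filter.d/apache-pma.conf" <<'EOF'
[Definition]
failregex = (?i)^<HOST> .* "(GET|POST|HEAD) [^"]*/(phpmyadmin|pma|myadmin|mysqladmin|sqlmanager)[^"]*" 403
ignoreregex =
EOF
    cat >> "$etc/jail.local" <<'EOF'

[apache-pma]
enabled  = true
filter   = apache-pma
action   = iptables-multiport[name=apache-pma, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/access_log
maxretry = 2
bantime  = 86400
EOF
}

# Usage: write_pma_block /var/www/corp && fail2ban_pma_filter && service fail2ban restart
```

Test the filter against your real log before enabling the jail (`fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-pma.conf`) so a legitimate path that happens to contain one of those words does not get your own clients banned.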

Security :: Count The Failure Root Login Attempts?

Apr 1, 2011

I want to count the failed root login attempts so that I can do an action when the user fails to login as root three consecutive times (like log a line in syslog).

View 4 Replies View Related
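The three PAM questions above (unlocking after too many failures, the RHEL5 tally that counts but never locks, and acting on three failed root logins) are all pam_tally, and the "counts but never locks" symptom has one usual cause: the pam_tally line sits after the `sufficient pam_unix.so` line. In that order a wrong password still runs pam_tally (so the counter climbs), but a correct password makes pam_unix return success and the stack stops before pam_tally can enforce `deny`. Put pam_tally before pam_unix and the deny check runs on every attempt. The script below is an added example, not from the posts: it inserts the lines at the right positions in a copy of system-auth (the sample is a constructed RHEL5-style fragment), and wraps the faillog/pam_tally commands for viewing, resetting and acting on the counter. The faillog output layout (count in the second field of the second line) is an assumption to verify on your box.

```bash
#!/bin/sh
# pam_tally lockout on RHEL5: the deny check only fires if pam_tally runs
# BEFORE the "sufficient" pam_unix line in the auth stack. Added example,
# not from the posts; edits a copy of system-auth passed in as text so the
# result can be reviewed before it replaces /etc/pam.d/system-auth.

# Constructed RHEL5-style system-auth auth/account section; not real config.
SAMPLE_SYSTEM_AUTH='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so'

# tally_config TEXT DENY
# Returns TEXT with pam_tally inserted immediately before the auth pam_unix
# line (so deny= is enforced) and as the first account module (so a
# successful login resets the counter even for services that skip setcred).
tally_config() {
    printf '%s\n' "$1" | awk -v deny="$2" '
        !auth_done && /^auth / && $3 == "pam_unix.so" {
            print "auth        required      pam_tally.so deny=" deny " onerr=fail"
            auth_done = 1
        }
        !acct_done && /^account / {
            print "account     required      pam_tally.so"
            acct_done = 1
        }
        { print }'
}

# failures USER -- show the current tally (faillog reads /var/log/faillog,
# the file pam_tally writes to)
failures() { faillog -u "$1"; }

# unlock USER -- reset the tally. With pam_tally this is what "unlock after
# too many failed attempts" means; usermod -U is only needed if the account
# was also locked by hand.
unlock() { pam_tally --user "$1" --reset; }

# root_failures_cron -- log a syslog line once root's tally reaches 3; run
# from cron every minute. Assumption: `faillog -u root` prints a header and
# then one line whose second field is the failure count.
root_failures_cron() {
    n=$(faillog -u root | awk 'NR == 2 {print $2}')
    if [ "${n:-0}" -ge 3 ]; then
        logger -p auth.warning -t tally "root has $n consecutive failed logins"
    fi
}

# Usage: tally_config "$(cat /etc/pam.d/system-auth)" 5 > /tmp/system-auth.new
```

Keep a root shell open while you swap the file in, and test with a wrong password from a second session before you log out; a mistake in system-auth affects every PAM service, not just sshd.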

OpenSUSE Install :: 11.3 Security Update Will Break Adobe AIR / Tweetdeck

Apr 4, 2011

The libxml2 update specified by CVE-2010-4494 causes a notification that it will break Adobe AIR and TweetDeck on my machine. How can I blacklist this update so it won't keep showing up in the Updater applet? The applet says I should go into Yast and manually apply the update. When I do that and tell it not to apply the update, Yast exits and the Updater applet just tells me the update is still pending. I want to get rid of the update at least temporarily until Adobe fixes the dependency (assuming they ever do).

This is a major problem for me as I clearly don't intend to uninstall TweetDeck and AIR just for some security patch. Why didn't openSUSE test this patch for AIR compatibility?

View 6 Replies View Related

Ubuntu Security :: Limit Login Attempts For Specific User?

Jan 15, 2011

I'd like to limit login attempts for a specific user. I've found information in the manpages: [URL] but I'm not sure if this '@' is purposely there, so would that be correct?

Code:
aparaho - maxlogins 4
or
Code:
@aparaho - maxlogins 4

Maybe '@' is a group syntax? I'm confused.

What happens after 4 failed logins? Is it enough to restart the system to get more login attempts?

Are there any other values that it is reasonable to limit for safety reasons?

View 4 Replies View Related

Security :: OpenLDAP / NSS / PAM Produce Logs Of Failed Login Attempts?

Feb 16, 2011

I am trying to get OpenLDAP to authenticate user logins, but I am running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user? Below is an explanation; any ideas would be appreciated, as I think everything is set up as per the various articles on using LDAP.

I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba). So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball. Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:

Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)

[code]...

View 2 Replies View Related

Security :: Mod_security With CRS Adjustments To Capture Php POST Sql Injection Attempts?

Jul 22, 2010

Currently I'm fiddling around with mod_security for apache2 configurations on CentOS boxes, right now in a test environment first (i.e. a separate non-production box). CentOS includes the mod_security "Core Rule Set" by Breach Security Inc, the devs behind that module. So far all's running, mostly: logs/auditlogs etc. For simple testing, I made a small php form as follows:

Code:
<?php
$link = mysql_connect("localhost",$user,$pass); //un/pw obfuscated for forum post

[code]...

View 1 Replies View Related

Ubuntu Security :: Mount.ntfs Ran On Its Own - Normal Or External Hack/break-in Attempt?

Aug 2, 2010

Running Ubuntu 10.04, I noticed my hard disc rumbling for longer than normal and louder. I was not doing anything demanding that would cause hard disk activity like this, so I was suspicious and checked my process list with the 'top' command in the console terminal. At the top was mount.ntfs running. Eventually it stopped running after 20 seconds or so. At the time I had not been accessing NTFS filesystems, but I do have them. I have a dual boot of Ubuntu 10.04 and Windows 7. In Ubuntu I've mounted the Windows main C drive and, on the same hard disk, a partitioned drive for sharing files between the OSs. I know mount.ntfs is a standard program, but was it being run on my machine instigated externally? Was the running of mount.ntfs an attempt from outside to hack into Ubuntu and the mounted Windows areas of my machine via a backdoor connection or vulnerability? I've restarted my machine since then. Are there any logs I can check for malicious attempts to break in?

View 9 Replies View Related

Security :: Ssh - Sshd Parameter To Set To Block Out User After Number Of Attempts Tp Login?

Apr 28, 2011

Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts to login?

View 1 Replies View Related

Security :: Invalid Login Attempts Not Refused Using Deny Hosts And Conf Of Denyhost Not Working?

Oct 28, 2010

I am using denyhosts on a server, so in the config file /etc/denyhosts.conf the following value is set:

Quote:
DENY_THRESHOLD_INVALID = 3

which as per their configuration file says:

Quote:
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)

[code]...

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved