jerome1232
August 1st, 2008, 01:53 AM
So I ran this today:
cat /var/log/auth.log | grep fail | cat >auth
Now looking at my file, I have a 300 KB file mostly made up of entries like this:
Jul 31 12:53:23 lampserver sshd[5619]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host226-148-static.34-88-b.business.telecomitalia.it
Jul 31 12:53:27 lampserver sshd[5621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host226-148-static.34-88-b.business.telecomitalia.it
Jul 31 12:53:32 lampserver sshd[5623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host226-148-static.34-88-b.business.telecomitalia.it
Jul 31 12:53:36 lampserver sshd[5625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host226-148-static.34-88-b.business.telecomitalia.it
Jul 31 12:53:40 lampserver sshd[5627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host226-148-static.34-88-b.business.telecomitalia.it
and this:
Jul 22 22:18:39 lampserver sshd[11599]: reverse mapping checking getaddrinfo for abts-ncr-static-050.225.160.122.airtelbroadband.in [122.160.225.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 22:18:39 lampserver sshd[11599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.225.50
Jul 22 22:18:44 lampserver sshd[11601]: reverse mapping checking getaddrinfo for abts-ncr-static-050.225.160.122.airtelbroadband.in [122.160.225.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 22:18:44 lampserver sshd[11601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.225.50
Jul 22 22:18:48 lampserver sshd[11603]: reverse mapping checking getaddrinfo for abts-ncr-static-050.225.160.122.airtelbroadband.in [122.160.225.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 22 22:18:48 lampserver sshd[11603]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.160.225.50
I think I need to switch to a non-standard port and disable password authentication. But before I do all that, do those look like bot/malicious hits? 'Cuz they do to me. (I don't recognize those IPs.)
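An added example, not part of the original post: one way to answer the "do these look like bot hits" question is to group the `pam_unix(sshd:auth)` failures by `rhost` and measure how tightly they cluster in time. The function name `summarize`, the threshold of 5 failures within 60 seconds, and the sample hosts and addresses are assumptions made for this illustration; the year is passed in because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the two sshd line types shown in the post.
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: pam_unix\(sshd:auth\): "
                     r"authentication failure;.*\brhost=(\S+)")
REVMAP_RE = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([0-9.]+)\] failed")

def summarize(lines, year, window=timedelta(seconds=60), threshold=5):
    """Group sshd PAM failures by rhost and flag sources that look scripted."""
    times, revmap_failed = defaultdict(list), set()
    for line in lines:
        m = REVMAP_RE.search(line)
        if m:
            revmap_failed.add(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            times[m.group(2)].append(ts)
    report = {}
    for rhost, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[rhost] = {"failures": len(stamps), "peak_in_window": peak,
                         "scripted": peak >= threshold,  # assumed threshold
                         "revmap_failed": rhost in revmap_failed}
    return report

# Constructed sample lines in the post's log format (documentation hosts/addresses).
PAM = ("{ts} lampserver sshd[{pid}]: pam_unix(sshd:auth): authentication failure; "
       "logname= uid=0 euid=0 tty=ssh ruser= rhost={rhost}")
SAMPLE = [PAM.format(ts=f"Jul 31 12:53:{s}", pid=5619 + i, rhost="scanner.example.net")
          for i, s in enumerate(("23", "27", "32", "36", "40"))]
REVMAP = ("Jul 22 22:18:{s} lampserver sshd[{pid}]: reverse mapping checking getaddrinfo "
          "for host.example.org [203.0.113.50] failed - POSSIBLE BREAK-IN ATTEMPT!")
for pid, s in ((11599, "39"), (11601, "44")):
    SAMPLE += [REVMAP.format(s=s, pid=pid),
               PAM.format(ts=f"Jul 22 22:18:{s}", pid=pid, rhost="203.0.113.50")]

if __name__ == "__main__":
    for rhost, row in sorted(summarize(SAMPLE, 2008).items()):
        print(rhost, row)
```

A fresh attempt every four or five seconds from one source, as in the lines quoted in the post, is the pattern this flags; a person mistyping a password produces one or two failures, not a steady series.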