Thread: Auth.log entry question.

  1. #1
    Join Date
    May 2014
    Beans
    30

    Auth.log entry question.

    Here are a few entries in my Auth.log from today
    Code:
    May 23 00:39:25 mailhost sshd[15491]: Failed password for invalid user test from 85.72.245.159 port 49493 ssh2
    May 23 02:02:40 mailhost sshd[15832]: Failed password for root from 116.10.191.206 port 26427 ssh2
    May 23 04:48:27 mailhost sshd[16658]: reverse mapping checking getaddrinfo for 160.192.163.222.adsl-pool.jlccptt.net.cn [222.163.192.160] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 23 04:48:27 mailhost sshd[16650]: Failed password for root from 222.163.192.160 port 39796 ssh2
    I'm wondering why sometimes it reports "POSSIBLE BREAK-IN ATTEMPT!" like in line 3, and other times, like in lines 1, 2, & 4, it doesn't. Seems like they are all break-in attempts, which I understand is not unusual, hence the implementation of fail2ban. I'm just wondering what the difference is.
    Last edited by lisati; May 24th, 2014 at 06:30 AM. Reason: Replaced [quote] with [code] to aid readability

  2. #2
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Auth.log entry question.

    It's a different type of problem. The forward and reverse DNS lookups for that host do not match:
    Code:
    $ host 222.163.192.160
    160.192.163.222.in-addr.arpa domain name pointer 160.192.163.222.adsl-pool.jlccptt.net.cn.
    $ host 160.192.163.222.adsl-pool.jlccptt.net.cn
    Host 160.192.163.222.adsl-pool.jlccptt.net.cn not found: 3(NXDOMAIN)

  3. #3
    Join Date
    Jan 2014
    Beans
    Hidden!

    Re: Auth.log entry question.

    The difference is the event which triggered the message. An incorrect password isn't unusual... especially if you're a fat finger typist, but a failed reverse lookup would be unusual in a correctly configured system. edit: SeijiSensei is quicker than I
    Last edited by untrustytahr; May 23rd, 2014 at 06:49 PM.
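    To make the distinction from posts #2 and #3 concrete, here is an added example (my own code, not anything posted in this thread or shipped with sshd or fail2ban) that classifies the four auth.log lines from post #1 into the two sshd event types, counts them per source address the way a ban filter would, and reproduces sshd's forward-confirmed reverse DNS check against a constructed resolver view matching the `host` output quoted in post #2. The regexes, the `PTR_RECORDS`/`ADDRESS_RECORDS` tables and all function names are my assumptions, not sshd internals.

```python
import re

# Constructed sample: the four auth.log lines quoted in post #1 of the thread.
SAMPLE_AUTH_LOG = """\
May 23 00:39:25 mailhost sshd[15491]: Failed password for invalid user test from 85.72.245.159 port 49493 ssh2
May 23 02:02:40 mailhost sshd[15832]: Failed password for root from 116.10.191.206 port 26427 ssh2
May 23 04:48:27 mailhost sshd[16658]: reverse mapping checking getaddrinfo for 160.192.163.222.adsl-pool.jlccptt.net.cn [222.163.192.160] failed - POSSIBLE BREAK-IN ATTEMPT!
May 23 04:48:27 mailhost sshd[16650]: Failed password for root from 222.163.192.160 port 39796 ssh2
"""

# Two distinct sshd events: an authentication failure, and a PTR name that does
# not resolve back to the connecting address (the "POSSIBLE BREAK-IN ATTEMPT!" line).
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
REVERSE_FAIL = re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (\S+) \[([^\]]+)\] failed")

def parse_line(line):
    """Classify one auth.log line; returns a dict, or None for lines we do not track."""
    m = FAILED_PW.search(line)
    if m:
        return {"kind": "failed_password", "ip": m.group(3), "user": m.group(2), "invalid_user": bool(m.group(1))}
    m = REVERSE_FAIL.search(line)
    if m:
        return {"kind": "reverse_dns_mismatch", "ip": m.group(2), "hostname": m.group(1)}
    return None

def summarize(log_text):
    """Per-source counts of each event kind: the aggregation a fail2ban-style filter feeds a ban decision."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts = summary.setdefault(ev["ip"], {"failed_password": 0, "reverse_dns_mismatch": 0})
        counts[ev["kind"]] += 1
    return summary

# Constructed resolver view mirroring the `host` output in post #2: the PTR record
# exists, but the name it points at has no address record (NXDOMAIN).
PTR_RECORDS = {"222.163.192.160": "160.192.163.222.adsl-pool.jlccptt.net.cn"}
ADDRESS_RECORDS = {}  # hostname -> set of IPs; a missing name stands in for NXDOMAIN

def forward_confirmed(ip, ptr=PTR_RECORDS, forward=ADDRESS_RECORDS):
    """The check sshd performs: the PTR name must resolve back to an address set containing ip."""
    name = ptr.get(ip)
    return name is not None and ip in forward.get(name, set())
```

Only 222.163.192.160 produces both event kinds; a fail2ban jail that counts them separately would still see every address above as a failed login, which is why the reverse-DNS warning by itself is a weak signal.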

  4. #4
    Join Date
    May 2014
    Beans
    30

    Re: Auth.log entry question.

    Nonetheless, thank you both for your response!

  5. #5
    Join Date
    Jun 2007
    Location
    Paraparaumu, New Zealand
    Beans
    Hidden!

    Re: Auth.log entry question.

    Good idea looking into tools such as fail2ban.

    On a side note, 222.163.192.160 seems to have caught the attention of those who run cbl.abuseat.org - http://cbl.abuseat.org/lookup.cgi?ip=222.163.192.160

  6. #6
    Join Date
    Feb 2009
    Location
    Dallas, TX
    Beans
    7,790
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Auth.log entry question.

    Oh boy
    Code:
    116.10.191.*
    Well known source of slow brute force attacks. They'll try every port, and the most common users (root, admin, etc).

    I'd recommend adding a rule of this sort to your iptables:
    Code:
    iptables -A INPUT -s 116.10.191.0/24 -j DROP
    Just a thought.
    Regards.

  7. #7
    Join Date
    May 2014
    Beans
    30

    Re: Auth.log entry question.

    Good ideas, thanks. This guy shows how to config fail2ban to permanently ban repeat offenders. Not exactly beginner level, but VERY cool.

  8. #8
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Auth.log entry question.

    Quote Originally Posted by vRanger View Post
    This guy shows how to config fail2ban to permanently ban repeat offenders.
    He could easily have dumped all those addresses in one single ipset and be done with it. No need to "pollute" the filter table or the fail2ban chain with that.
