Thread: log full of "POSSIBLE BREAK-IN ATTEMPT!"

  1. #1
    Join Date
    Dec 2008
    Beans
    18
    Distro
    Ubuntu 10.10 Maverick Meerkat

    log full of "POSSIBLE BREAK-IN ATTEMPT!"

    Is this normal when you run an SSH server on port 22?


    Code:
    May 29 13:05:53 tux sshd[15365]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:05:56 tux sshd[15365]: Failed password for invalid user matt from 79.113.0.243 port 38155 ssh2
    May 29 13:05:57 tux sshd[15367]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 29 13:05:57 tux sshd[15367]: Invalid user matt from 79.113.0.243
    May 29 13:05:57 tux sshd[15367]: pam_unix(sshd:auth): check pass; user unknown
    May 29 13:05:57 tux sshd[15367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:05:58 tux sshd[15367]: Failed password for invalid user matt from 79.113.0.243 port 38522 ssh2
    May 29 13:05:59 tux sshd[15369]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 29 13:05:59 tux sshd[15369]: Invalid user monica from 79.113.0.243
    May 29 13:05:59 tux sshd[15369]: pam_unix(sshd:auth): check pass; user unknown
    May 29 13:05:59 tux sshd[15369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:06:01 tux sshd[15369]: Failed password for invalid user monica from 79.113.0.243 port 38830 ssh2
    May 29 13:06:02 tux sshd[15371]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 29 13:06:02 tux sshd[15371]: Invalid user monica from 79.113.0.243
    May 29 13:06:02 tux sshd[15371]: pam_unix(sshd:auth): check pass; user unknown
    May 29 13:06:02 tux sshd[15371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:06:04 tux sshd[15371]: Failed password for invalid user monica from 79.113.0.243 port 39226 ssh2
    May 29 13:06:04 tux sshd[15373]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 29 13:06:04 tux sshd[15373]: Invalid user monica from 79.113.0.243
    May 29 13:06:04 tux sshd[15373]: pam_unix(sshd:auth): check pass; user unknown
    May 29 13:06:04 tux sshd[15373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:06:06 tux sshd[15373]: Failed password for invalid user monica from 79.113.0.243 port 39625 ssh2
    May 29 13:06:07 tux sshd[15375]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 29 13:06:07 tux sshd[15375]: Invalid user nicole from 79.113.0.243
    May 29 13:06:07 tux sshd[15375]: pam_unix(sshd:auth): check pass; user unknown
    May 29 13:06:07 tux sshd[15375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=79.113.0.243 
    May 29 13:06:08 tux sshd[15375]: Failed password for invalid user nicole from 79.113.0.243 port 39962 ssh2
    May 29 13:06:09 tux sshd[15377]: reverse mapping checking getaddrinfo for 79-113-0-243.rdsnet.ro [79.113.0.243] failed - POSSIBLE BREAK-IN ATTEMPT!

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    The invalid logins are normal, since there are bots that try to brute-force servers.

    As for the "possible break-in attempt" message, the system is trying to do a reverse DNS lookup to match the connecting IP with the hostname that is trying to connect and fails to do so.

    The setting that controls that is "UseDNS" in /etc/ssh/sshd_config

    I checked on my install of 10.04, and that setting wasn't listed in sshd_config. Check yours to see what it says.

    See here.
    Last edited by CharlesA; June 2nd, 2011 at 12:32 AM.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Feb 2011
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    I get that too, then DenyHosts blacklists the IP.

    Looks like you have PasswordAuthentication set to yes.
    You may want to generate a key and disable password auth.

  4. #4
    Join Date
    Dec 2008
    Beans
    18
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    I use an RSA cert. for logon from my laptop; it's nice to be able to log on with passwd from my Windows desktop that does not have an encrypted directory for keys.

    Can I block 10 invalid password attempts for, let's say, 2 hours?
    Last edited by m-momr; June 2nd, 2011 at 10:20 PM.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    Originally posted by m-momr:
    > I use an RSA cert. for logon from my laptop; it's nice to be able to log on with passwd from my Windows desktop that does not have an encrypted directory for keys.

    You can use keys with PuTTY.

    > Can I block 10 invalid password attempts for, let's say, 2 hours?

    Look into iptables. http://bodhizazen.net/Tutorials/iptables

  6. #6
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    Covered on this page as well:

    http://bodhizazen.net/Tutorials/SSH_security
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  7. #7
    Join Date
    Feb 2011
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    Used these tutorials to set mine up. They are easy to understand.

    Still learning iptables, when I have time. Seems like a better way to go than using DenyHosts.

  8. #8
    Join Date
    Dec 2008
    Beans
    18
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: log full of "POSSIBLE BREAK-IN ATTEMPT!"

    Thanks everyone
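
The rule asked about in this thread (block an address after 10 failed passwords, for 2 hours), as an added example that is not code from any poster or from DenyHosts. The function names, the 10-minute counting window and the `year` argument are assumptions; the sample lines are the "Failed password" entries from the log in post #1. It only computes ban decisions and does not touch the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is chosen by the remote client and may itself contain
# " from <ip> port ...", so match the address sshd appends at the END of the line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* from (?P<ip>\S+) port \d+ ssh2$")

# "Failed password" lines from the log posted in this thread.
SAMPLE = [
    "May 29 13:05:56 tux sshd[15365]: Failed password for invalid user matt from 79.113.0.243 port 38155 ssh2",
    "May 29 13:05:58 tux sshd[15367]: Failed password for invalid user matt from 79.113.0.243 port 38522 ssh2",
    "May 29 13:06:01 tux sshd[15369]: Failed password for invalid user monica from 79.113.0.243 port 38830 ssh2",
    "May 29 13:06:04 tux sshd[15371]: Failed password for invalid user monica from 79.113.0.243 port 39226 ssh2",
    "May 29 13:06:06 tux sshd[15373]: Failed password for invalid user monica from 79.113.0.243 port 39625 ssh2",
    "May 29 13:06:08 tux sshd[15375]: Failed password for invalid user nicole from 79.113.0.243 port 39962 ssh2",
]

def parse_failure(line, year=2011):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED.match(line.strip())
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def find_bans(lines, max_failures=10, window=timedelta(minutes=10),
              ban_time=timedelta(hours=2), year=2011):
    """Return {ip: (banned_at, banned_until)} for addresses over the threshold."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        hit = parse_failure(line, year)
        if hit is None:
            continue
        ts, ip = hit
        if ip in bans and ts < bans[ip][1]:
            continue                      # still inside an active ban
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            bans[ip] = (ts, ts + ban_time)
            q.clear()
    return bans

if __name__ == "__main__":
    print(find_bans(SAMPLE, max_failures=5))
```

The excerpt holds only six failures, so the default threshold of 10 yields no ban; lowering `max_failures` to 5 bans the address at the fifth failure.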
