PermitRootLogin is already set to no and I have Fail2Ban installed and
configured.
I also have iptables set to allow traffic to only 80, 443, 22 and ping.
The whois resolves to a shady looking mail provider in Luxembourg. This appears
to be administered from a domain ID shield service in Kowloon. A CentralOps
check threw up another IP address but that should point to a Plesk control
panel login screen. A second IP address that started this afternoon resolves to
a company in Beijing.
It looks like some sort of automated script. I perhaps need to re-visit
Fail2Ban and check that I've set it up properly.
Stu
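As an added example (not code from the thread or from Fail2Ban), the following script parses failed-login lines in the same auth.log format as the excerpt and flags a source once it crosses a Fail2Ban-style maxretry/findtime threshold; the sample lines are constructed, the year and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the same format as the auth.log excerpt in the thread;
# 192.0.2.10 is a documentation address standing in for a legitimate admin host.
SAMPLE_AUTH_LOG = """\
Aug 18 08:05:58 localhost sshd[11478]: Failed password for root from 94.242.250.53 port 47297 ssh2
Aug 18 08:05:59 localhost sshd[11480]: Invalid user sniff from 94.242.250.53
Aug 18 08:06:01 localhost sshd[11480]: Failed password for invalid user sniff from 94.242.250.53 port 47551 ssh2
Aug 18 08:06:03 localhost sshd[11482]: Failed password for root from 94.242.250.53 port 47767 ssh2
Aug 18 08:06:05 localhost sshd[11484]: Failed password for invalid user ranger from 94.242.250.53 port 47988 ssh2
Aug 18 08:07:10 localhost sshd[11490]: Accepted publickey for stu from 192.0.2.10 port 50000 ssh2
Aug 18 08:07:30 localhost sshd[11492]: Failed password for stu from 192.0.2.10 port 50001 ssh2
"""

# Only the "Failed password" lines count as attempts; the reverse-DNS warning
# and the pam_unix line describe the same attempt and would double-count it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(log_text, year=2012):
    """Return (timestamp, user, ip) for each failed password attempt.
    Syslog lines carry no year, so the caller supplies it (2012 for this thread)."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def find_bruteforce(log_text, maxretry=3, findtime=600, year=2012):
    """Sliding window in the spirit of Fail2Ban's maxretry/findtime: an IP is
    flagged once it has maxretry failures within findtime seconds.
    Returns {ip: timestamp of the attempt that crossed the threshold}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in sorted(parse_failures(log_text, year)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The "POSSIBLE BREAK-IN ATTEMPT" lines only record that the peer's reverse DNS does not map forward again; the failed-password lines are what a ban decision should key on, which is why the script ignores the former.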
________________________________
From: Martin Nix <mar...@nixes.net>
To: Stuart Bird <e_tect...@yahoo.co.uk>; Peterborough LUG - No commercial posts
<peterboro@mailman.lug.org.uk>
Sent: Saturday, 18 August 2012, 19:04
Subject: Re: [Peterboro] Should I Be Worried?
You might want to look at disabling root ssh login as a precaution (should be
disabled always on any exposed system), look in /etc/ssh/sshd_config
(typically) for :
PermitRootLogin no
Also you might want to consider using a targeted firewall approach with
something like Fail2Ban which I have found very effective
Martin
On 18 August 2012 18:32, Stuart Bird <e_tect...@yahoo.co.uk> wrote:
>Hi All
>
>
>Could anyone cast an eye over the following log entries and tell me if this is
>just script kiddie stuff, or whether I should be more concerned?
>
>
>The entries are from my "auth.log" file on an Ubuntu 12.04 server (vps). The
>server hosts one web site at the moment. It's been up for about three months
>now, but these entries have only started over the last couple of days.
>
>
>Aug 18 08:05:56 localhost sshd[11478]: Address 94.242.250.53 maps to
>mail.smtpdestek.com, but this does not map back to the address - POSSIBLE
>BREAK-IN ATTEMPT!
>Aug 18 08:05:56 localhost sshd[11478]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53 user=root
>Aug 18 08:05:58 localhost sshd[11478]: Failed password for root from
>94.242.250.53 port 47297 ssh2
>Aug 18 08:05:58 localhost sshd[11478]: Received disconnect from 94.242.250.53:
>11: Bye Bye [preauth]
>Aug 18 08:05:59 localhost sshd[11480]: Address 94.242.250.53 maps to
>mail.smtpdestek.com, but this does not map back to the address - POSSIBLE
>BREAK-IN ATTEMPT!
>Aug 18 08:05:59 localhost sshd[11480]: Invalid user sniff from 94.242.250.53
>Aug 18 08:05:59 localhost sshd[11480]: input_userauth_request: invalid user
>sniff [preauth]
>Aug 18 08:05:59 localhost sshd[11480]: pam_unix(sshd:auth): check pass; user
>unknown
>Aug 18 08:05:59 localhost sshd[11480]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53
>Aug 18 08:06:01 localhost sshd[11480]: Failed password for invalid user sniff
>from 94.242.250.53 port 47551 ssh2
>Aug 18 08:06:01 localhost sshd[11480]: Received disconnect from 94.242.250.53:
>11: Bye Bye [preauth]
>Aug 18 08:06:01 localhost sshd[11482]: Address 94.242.250.53 maps to
>mail.smtpdestek.com, but this does not map back to the address - POSSIBLE
>BREAK-IN ATTEMPT!
>Aug 18 08:06:01 localhost sshd[11482]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53 user=root
>Aug 18 08:06:03 localhost sshd[11482]: Failed password for root from
>94.242.250.53 port 47767 ssh2
>Aug 18 08:06:03 localhost sshd[11482]: Received disconnect from 94.242.250.53:
>11: Bye Bye [preauth]
>Aug 18 08:06:03 localhost sshd[11484]: Address 94.242.250.53 maps to
>mail.smtpdestek.com, but this does not map back to the address - POSSIBLE
>BREAK-IN ATTEMPT!
>Aug 18 08:06:03 localhost sshd[11484]: Invalid user ranger from 94.242.250.53
>Aug 18 08:06:03 localhost sshd[11484]: input_userauth_request: invalid user
>ranger [preauth]
>Aug 18 08:06:03 localhost sshd[11484]: pam_unix(sshd:auth): check pass; user
>unknown
>Aug 18 08:06:03 localhost sshd[11484]: pam_unix(sshd:auth): authentication
>failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53
>Aug 18 08:06:05 localhost sshd[11484]: Failed password for invalid user ranger
>from 94.242.250.53 port 47988 ssh2
>Aug 18 08:06:05 localhost sshd[11484]: Received disconnect from 94.242.250.53:
>11: Bye Bye [preauth]
>Aug 18 08:06:05 localhost sshd[11486]: Address 94.242.250.53 maps to
>mail.smtpdestek.com, but this does not map back to the address - POSSIBLE
>BREAK-IN ATTEMPT!
>
>
>Any advice appreciated!
>
>
>Stu
>
>
>_______________________________________________
>Peterboro mailing list
>Peterboro@mailman.lug.org.uk
>https://mailman.lug.org.uk/mailman/listinfo/peterboro
>