Logwatch for linode01.ovirt.org (Linux)

 ################### Logwatch 7.3.6 (05/19/07) ####################
        Processing Initiated: Mon Sep  5 03:20:04 2011
        Date Range Processed: yesterday
                              ( 2011-Sep-04 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: linode01.ovirt.org
 ##################################################################

 --------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       root (218.86.120.182): 1250 Time(s)
       unknown (218.86.120.182): 1 Time(s)
    Invalid Users:
       Unknown Account: 1 Time(s)

 ---------------------- pam_unix End -------------------------

 --------------------- Postfix Begin ------------------------

   24.496K  Bytes accepted                          25,084
   62.269K  Bytes delivered                         63,763
 ========   ================================================

        7   Accepted                                 87.50%
        1   Rejected                                 12.50%
 --------   ------------------------------------------------
        8   Total                                   100.00%
 ========   ================================================

        1   Reject unknown user                     100.00%
 --------   ------------------------------------------------
        1   Total Rejects                           100.00%
 ========   ================================================

        7   Connections made
        7   Disconnections
        7   Removed from queue
        3   Delivered
       14   Sent via SMTP

 ---------------------- Postfix End -------------------------

 --------------------- SSHD Begin ------------------------

 Failed logins from:
    218.86.120.182 (182.120.86.218.other.sm.fj.dynamic.163data.com.cn): 1250 times

 Illegal users from:
    218.86.120.182 (182.120.86.218.other.sm.fj.dynamic.163data.com.cn): 1 time

 Received disconnect:
    11: Bye Bye : 1251 Time(s)

 **Unmatched Entries**
 reverse mapping checking getaddrinfo for 182.120.86.218.other.sm.fj.dynamic.163data.com.cn [218.86.120.182] failed - POSSIBLE BREAK-IN ATTEMPT! : 1251 time(s)

 ---------------------- SSHD End -------------------------

 --------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/xvda             9.9G  928M  8.8G  10% /

 ---------------------- Disk Space End -------------------------

 ###################### Logwatch End #########################
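The pam_unix and SSHD sections above are aggregates of individual sshd syslog lines. As an added example (not part of the original Logwatch output and not code from the ovirt.org host), the following Python script does the same grouping over a constructed sample log: it separates failures for existing accounts from invalid-user probes, records the reverse-DNS warning per source, and then applies a simple rule for which sources are worth dropping at the firewall. The sample lines, the admin address 203.0.113.7 and the threshold of 3 are assumptions for illustration.

```python
"""Per-source summary of sshd authentication events, in the spirit of the
Logwatch pam_unix/SSHD sections.  Added example; the log lines below are
constructed, not taken from linode01.ovirt.org."""
import re
from collections import defaultdict

# Constructed sample in syslog format.  218.86.120.182 mimics the scanner in
# the report (root brute force, one invalid-user probe, failing reverse DNS);
# 203.0.113.7 (assumed) is a legitimate admin who mistyped a password once.
SAMPLE_LOG = """\
Sep  4 02:11:03 linode01 sshd[4120]: reverse mapping checking getaddrinfo for 182.120.86.218.other.sm.fj.dynamic.163data.com.cn [218.86.120.182] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep  4 02:11:05 linode01 sshd[4120]: Failed password for root from 218.86.120.182 port 51002 ssh2
Sep  4 02:11:05 linode01 sshd[4120]: Received disconnect from 218.86.120.182: 11: Bye Bye
Sep  4 02:11:09 linode01 sshd[4122]: reverse mapping checking getaddrinfo for 182.120.86.218.other.sm.fj.dynamic.163data.com.cn [218.86.120.182] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep  4 02:11:10 linode01 sshd[4122]: Invalid user oracle from 218.86.120.182
Sep  4 02:11:10 linode01 sshd[4122]: Failed password for invalid user oracle from 218.86.120.182 port 51010 ssh2
Sep  4 02:11:10 linode01 sshd[4122]: Received disconnect from 218.86.120.182: 11: Bye Bye
Sep  4 02:11:14 linode01 sshd[4130]: reverse mapping checking getaddrinfo for 182.120.86.218.other.sm.fj.dynamic.163data.com.cn [218.86.120.182] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep  4 02:11:15 linode01 sshd[4130]: Failed password for root from 218.86.120.182 port 51030 ssh2
Sep  4 02:11:15 linode01 sshd[4130]: Received disconnect from 218.86.120.182: 11: Bye Bye
Sep  4 02:11:19 linode01 sshd[4131]: reverse mapping checking getaddrinfo for 182.120.86.218.other.sm.fj.dynamic.163data.com.cn [218.86.120.182] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep  4 02:11:20 linode01 sshd[4131]: Failed password for root from 218.86.120.182 port 51031 ssh2
Sep  4 02:11:20 linode01 sshd[4131]: Received disconnect from 218.86.120.182: 11: Bye Bye
Sep  4 09:55:12 linode01 sshd[5260]: Failed password for quaid from 203.0.113.7 port 40101 ssh2
Sep  4 09:55:20 linode01 sshd[5260]: Accepted password for quaid from 203.0.113.7 port 40101 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"Failed \w+ for (invalid user )?(\S+) from " + IP)
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from " + IP)
REVDNS = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[" + IP + r"\] failed")
DISCONNECT = re.compile(r"Received disconnect from " + IP + r": (\d+): (.*)$")


def _new_source():
    return {"failed": defaultdict(int),    # user -> count, existing accounts
            "invalid": defaultdict(int),   # user -> count, nonexistent accounts
            "accepted": 0, "revdns_fail": 0, "ptr": None, "disconnects": 0}


def summarize(log_text):
    """Group sshd events by client IP, as the Logwatch SSHD section does."""
    sources = defaultdict(_new_source)
    for line in log_text.splitlines():
        if (m := FAILED.search(line)):
            invalid, user, ip = m.groups()
            sources[ip]["invalid" if invalid else "failed"][user] += 1
        elif (m := ACCEPTED.search(line)):
            sources[m.group(2)]["accepted"] += 1
        elif (m := REVDNS.search(line)):
            ptr, ip = m.groups()
            sources[ip]["revdns_fail"] += 1
            sources[ip]["ptr"] = ptr
        elif (m := DISCONNECT.search(line)):
            sources[m.group(1)]["disconnects"] += 1
    return sources


def total_failures(src):
    return sum(src["failed"].values()) + sum(src["invalid"].values())


def block_candidates(sources, threshold=3):
    """Sources worth handing to the firewall: at least `threshold` failures,
    no successful login in the period, and either a root attempt, an
    invalid-user probe or a failing reverse lookup.  The threshold is an
    assumption for this example, not a Logwatch setting."""
    out = []
    for ip, src in sources.items():
        if src["accepted"] or total_failures(src) < threshold:
            continue
        if src["failed"].get("root") or src["invalid"] or src["revdns_fail"]:
            out.append(ip)
    return sorted(out)


def report(sources):
    """Render a plain-text block in the style of the Logwatch report."""
    lines = []
    for ip, src in sorted(sources.items()):
        host = f"{ip} ({src['ptr']})" if src["ptr"] else ip
        lines.append(f"{host}: {total_failures(src)} failed, {src['accepted']} accepted, "
                     f"{src['revdns_fail']} reverse-DNS failures, {src['disconnects']} disconnects")
        for user, n in sorted(src["failed"].items()):
            lines.append(f"   {user}: {n} Time(s)")
        for user, n in sorted(src["invalid"].items()):
            lines.append(f"   invalid user {user}: {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print(report(stats))
    print("block candidates:", block_candidates(stats))
```

The rule in block_candidates deliberately requires zero accepted logins in the period, so an admin who fat-fingers a password from a known address is not swept up with the scanner; a real deployment would also age entries out rather than keying on one day's report.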

On Mon, Sep 05, 2011 at 03:20:04AM -0400, logwatch@linode01.ovirt.org wrote:
>
>  ################### Logwatch 7.3.6 (05/19/07) ####################
>         Processing Initiated: Mon Sep  5 03:20:04 2011
>         Date Range Processed: yesterday
>                               ( 2011-Sep-04 )
>                               Period is day.
>       Detail Level of Output: 0
>               Type of Output: unformatted
>            Logfiles for Host: linode01.ovirt.org
>  ##################################################################
>
>  --------------------- pam_unix Begin ------------------------
>
>  sshd:
>     Authentication Failures:
>        root (218.86.120.182): 1250 Time(s)
I think these sshd attacks are going to continue to grow, especially after we're not just a nameless IP address being scanned but an actual mail host.

In the past what I've done is have sshd listen on a different port, then drop 22 at the firewall (with the other port open). Seems to work to reduce the logging noise and machine time to keep saying "no" thousands of times a day. Requires sysadmin team to remember to use the not-normal port number (-P in 'ssh' and -p in 'scp'), which may mess with scripts and such. Something to consider if we want to do git+ssh on this or any host.

Just some things to think about as we watch the log traffic ...

- Karsten

-- 
name: Karsten 'quaid' Wade, Sr. Community Gardener
team: Red Hat Community Architecture & Leadership
 uri: http://communityleadershipteam.org
      http://TheOpenSourceWay.org
 gpg: AD0E0C41
participants (2)
-
Karsten Wade
-
logwatch@lists.ovirt.org