security issues
My security precautions for my webserver are probably what you might
call 'fair-to-middling'. Anyway, I'm trying to work out if I should be
worried by what I'm seeing in my logs.
I've got a webserver at a hosting service so I can't just unplug my
machine from the net. All I've done so far is change my password.
A routine check at 5:00AM (12 hours ago my time) by netstat --tcp -pa
contained these lines:
tcp 0 0 hardyaa1.miniserver:ssh 58.20.53.8:2745 SYN_RECV -
tcp 0 464 69.10.152.114:ssh 58.20.53.8:32891 ESTABLISHED 30191/sshd
So I thought it was someone logged in via ssh.
I checked the logs, and I saw that the auth.log has got many entries
like this every 2 seconds or so:
Nov 13 03:59:28 hardyaa1 sshd[23614]: Connection from 58.20.53.8 port 23907
Nov 13 03:59:29 hardyaa1 sshd[23614]: debug1: Client protocol version 2.0; client software version libssh-0.1
Nov 13 03:59:29 hardyaa1 sshd[23614]: debug1: no match: libssh-0.1
Nov 13 03:59:29 hardyaa1 sshd[23614]: Enabling compatibility mode for protocol 2.0
Nov 13 03:59:29 hardyaa1 sshd[23614]: debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
Nov 13 03:59:30 hardyaa1 sshd[23614]: debug1: Starting up PAM with username "NOUSER"
Nov 13 03:59:30 hardyaa1 sshd[23614]: Could not reverse map address 58.20.53.8.
Nov 13 03:59:30 hardyaa1 sshd[23614]: debug1: PAM setting rhost to "58.20.53.8"
Nov 13 03:59:30 hardyaa1 sshd[23614]: debug1: Calling cleanup 0x8052b48(0x0)
Nov 13 03:59:30 hardyaa1 sshd[23614]: debug1: Calling cleanup 0x806be5c(0x0)
I don't think the attacker gained access, but I would like some sort of
mechanism that would cause the OS to email me whenever someone logs in -
which is going to be less than once a day.
I figure that the attacker would be unable to stop me being informed at
that point.
Any other sane advice would be welcome,
thanks
Adam
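An added example, not part of Adam's post: a small parser for sshd auth.log lines of the kind quoted above that reports every accepted login and flags any source address opening many connections in a short window, producing a plain-text summary that a cron job could pipe to mail(1). The "Accepted password for adam from 10.0.0.5" line and the burst thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two sshd lines of interest, after the syslog prefix "<timestamp> <host> sshd[pid]:"
CONN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Connection from (\S+) port \d+")
ACCEPT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def parse_ts(stamp, year=2000):
    # syslog timestamps carry no year; a fixed one is enough for ordering
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyse(lines, burst_count=5, window_seconds=60):
    """Return (logins, bursts): logins lists (user, ip, method) per accepted
    login; bursts maps an IP to its peak connection count inside any window."""
    logins, conns = [], defaultdict(list)
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            logins.append((m.group(3), m.group(4), m.group(2)))
            continue
        m = CONN_RE.match(line)
        if m:
            conns[m.group(2)].append(parse_ts(m.group(1)))
    bursts = {}
    for ip, times in conns.items():
        times.sort()
        best = start = 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, i - start + 1)
        if best >= burst_count:
            bursts[ip] = best
    return logins, bursts

def report(logins, bursts):
    """Plain-text summary; an empty result yields a fixed 'nothing' line."""
    out = [f"login: {u} from {ip} ({m})" for u, ip, m in logins]
    out += [f"burst: {n} connections from {ip}" for ip, n in sorted(bursts.items())]
    return "\n".join(out) or "nothing to report"

# Constructed sample: the post's "Connection from" line repeated every two
# seconds, plus one made-up accepted login from another address.
SAMPLE = [f"Nov 13 03:59:{28 + 2 * k:02d} hardyaa1 sshd[{23614 + k}]: "
          f"Connection from 58.20.53.8 port {23907 + k}" for k in range(6)]
SAMPLE.append("Nov 13 04:10:02 hardyaa1 sshd[23700]: Accepted password for adam "
              "from 10.0.0.5 port 40122 ssh2")
print(report(*analyse(SAMPLE)))
```

Run it from cron against /var/log/auth.log (for example `python3 sshwatch.py < /var/log/auth.log | mail -s "ssh report" you@example.org`, with the script name and address being placeholders); the burst count on its own does not mean a login succeeded, which is why the two kinds of event are reported separately.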