Hi guys, I keep seeing the following lines in my logs. I looked around and it was saying something about me trying to connect via ssh to another server and looping back.
The thing is I'm not trying to connect to anything. Can anyone help me understand what the following lines mean:
Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149
Sep 16 17:03:53 www sshd[15572]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:53 www sshd[15572]: Invalid user admin from 173.160.192.149
Sep 16 17:03:54 www sshd[15574]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Hi
In which log have you found it? Do you run any server on your box (http, ftp, etc.)? And do you use any kind of dynamic DNS service?
From this you can tell that your machine is trying to scan ports and possibly brute force 173.160.192.149, which is on the Comcast network (looks like this IP is leased to CBC-SEATTLE-17). (But I believe you already know it.)
It would be nice if you could catch it with Wireshark. It would be easier to analyse those packets. Once in a while I have similar traffic, but it originates from a remote location - mostly from California, Korea and China. I simply blocked IPs from Korea and China with iptables.
cheers
On 09/16/2010 03:36 PM, hgallo wrote:
>
> Hi guys I keep seeing the following lines on my logs, I looked around
> and it was saying something about me trying to connect via ssh to
> another server and looping back.
> The thing is Im not trying to connect to anything can any one help me
> understand what the following lines mean:
>
> Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo
> for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149]
> failed - POSSIBLE BREAK-IN ATTEMPT!
> Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149
Do you have a firewall between your computer and the internet? It’s not
a bad thing to put a little NATting router between your DSL or cable
modem and let it NAT your box. Makes it harder to access your box from
the outside. If they can’t see you, they can’t scan you unless you
explicitly open the ports on the firewall/router.
That sort of thing is pretty much par for the course if you are allowing ssh connections.
Best is to only ever login with public key authentication, and configure sshd_config so that only public key authentication is allowed. That does require that you set up keys as needed.
Once you restrict to public key authentication, they aren't going to be able to break in. So you don't have to worry about it.
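A way to check whether an sshd_config actually does what the post above asks for (no password or keyboard-interactive logins left), written as an added example and not code from the thread or from OpenSSH. It assumes OpenSSH's first-value-wins rule (the first line that sets a keyword takes effect; later duplicates are ignored) and the OpenSSH 5.x-era defaults of yes for PasswordAuthentication and ChallengeResponseAuthentication; Match blocks are deliberately not handled. The two config texts are constructed for the example: one that looks hardened but is not, and one that is.

```python
"""Check an sshd_config for brute-forceable login methods.

Assumes OpenSSH's first-value-wins rule: for each keyword, the first line
that sets it is the one that takes effect and later lines are ignored.
Match blocks are out of scope here (parsing stops at the first 'Match').
"""
import re

# OpenSSH 5.x-era defaults for the directives that matter here (assumption
# stated in the lead-in; check your own version's sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return the effective value of each keyword, first occurrence wins."""
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'; keywords are case-insensitive
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # per-user/per-host overrides are not handled by this checker
        effective.setdefault(key, value)  # keep the FIRST value, as sshd does
    return effective


def password_logins_possible(text):
    """True if sshd under this config still accepts a password or a
    keyboard-interactive (PAM) login, i.e. something an attacker can guess at."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    return (cfg["passwordauthentication"] == "yes"
            or cfg["challengeresponseauthentication"] == "yes")


# Constructed: looks hardened at a glance, but the first PasswordAuthentication
# line wins, and ChallengeResponseAuthentication is left at its default of yes.
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed: key-only logins, root login disabled.
HARDENED = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "-> password logins possible:", password_logins_possible(text))
```

The check the block makes that a casual read of the file does not: a second `PasswordAuthentication no` lower down does nothing if an earlier line already said `yes`, and turning off passwords alone still leaves PAM keyboard-interactive prompts unless `ChallengeResponseAuthentication no` is set too. Keep one working key-based session open while you restart sshd, so a mistake does not lock you out.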
nrickert wrote:
> Once you restrict to public key authentication, they they aren’t going
> to be able to break in. So you don’t have to worry about it.
probably true if "they" are not a deep-pocketed (aka: government-backed)
shop with crypto and petaFLOPS resources like the NSA and their ilk...
The log is from /var/log/messages and yes, I am running an http server as well as a DNS service. I wonder if it is my machine trying to brute force or if, as the word states, they are using reverse mapping to get some more information about my machine. I won't be able to use Wireshark; it seems that my company had some holes in their firewall, including ssh, and it was just fixed. Let's see what happens next; if the attacks continue I will post a Wireshark analysis. Thanks...
Yes, I had suggested that many times, but some people who are also involved find it complicated. I have to suck it up and find other ways. Thanks everyone.
> Yes I had suggested that many times, but some people who are also
> involved find it complicated. I have to suck it up and find other ways.
> Thanks everyone
There is a setting in the SUSE firewall that rejects the fourth failed attempt in a minute.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Minas Tirith))
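Putting the log lines from the first post and the "fourth failed attempt in a minute" rule from the post above together: the following is an added example, not code from the thread or from SUSE's firewall, that parses the two kinds of sshd line shown and flags any source address that produces a fourth "Invalid user" failure inside a sliding 60-second window. The first five sample lines are the ones posted; the remaining lines (the 17:03:54 and 17:03:55 failures and the slow 192.0.2.10 source) are constructed. The year is assumed to be 2010, since syslog lines carry none.

```python
"""Parse sshd lines from /var/log/messages and flag brute-force sources.

The "reverse mapping checking getaddrinfo ... failed" line is sshd reporting
that the CLIENT's PTR name did not resolve forward again; it is information
about the remote side, not a login attempt by itself.  The "Invalid user"
line is the actual failed login, so only those are counted here.
"""
import re
from collections import defaultdict
from datetime import datetime

REVERSE_RE = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (?P<name>\S+) "
    r"\[(?P<ip>[\d.]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_timestamp(line, year=2010):
    """syslog lines have no year; assume the one from the post."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def parse(lines):
    """Yield (time, kind, fields) for each recognised sshd line."""
    for line in lines:
        m = REVERSE_RE.search(line)
        if m:
            yield parse_timestamp(line), "reverse_mapping_failed", m.groupdict()
            continue
        m = INVALID_RE.search(line)
        if m:
            yield parse_timestamp(line), "invalid_user", m.groupdict()


def brute_force_sources(lines, max_failures=3, window=60):
    """Return {ip: time of the first failure beyond max_failures} for every
    source exceeding max_failures failed logins in any `window`-second span.
    Defaults mirror the 'reject the 4th failure within a minute' rule."""
    failures = defaultdict(list)
    flagged = {}
    for when, kind, f in parse(lines):
        if kind != "invalid_user":
            continue
        ip = f["ip"]
        hist = failures[ip] + [when]
        # keep only failures inside the sliding window ending at this one
        failures[ip] = hist = [t for t in hist if (when - t).total_seconds() <= window]
        if len(hist) > max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged


# First five lines copied from the post; the rest are constructed.
SAMPLE = """\
Sep 16 17:03:52 www sshd[15570]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:52 www sshd[15570]: Invalid user admin from 173.160.192.149
Sep 16 17:03:53 www sshd[15572]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:53 www sshd[15572]: Invalid user admin from 173.160.192.149
Sep 16 17:03:54 www sshd[15574]: reverse mapping checking getaddrinfo for 173-160-192-149-washington.hfc.comcastbusiness.net [173.160.192.149] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 16 17:03:54 www sshd[15574]: Invalid user admin from 173.160.192.149
Sep 16 17:03:55 www sshd[15576]: Invalid user oracle from 173.160.192.149
Sep 16 17:10:00 www sshd[15600]: Invalid user test from 192.0.2.10
Sep 16 17:12:00 www sshd[15601]: Invalid user test from 192.0.2.10
Sep 16 17:14:00 www sshd[15602]: Invalid user test from 192.0.2.10
Sep 16 17:16:00 www sshd[15603]: Invalid user test from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE).items():
        print(f"{ip}: 4th failed login inside 60s at {when:%H:%M:%S}")
```

Run against the sample, only 173.160.192.149 is flagged; 192.0.2.10 makes the same number of attempts but two minutes apart, which a per-minute threshold never sees. That is the usual caveat with this kind of rule: it stops the noisy scanner in the post, not a patient one, which is why the key-only sshd advice earlier in the thread matters more than the threshold.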
> the log is from /var/log/messages and yes I am running an http server
> as well as a dns service. I wonder if it is my machine trying to brute
> force or if as the word states they are using reverse mapping to get
> some more information about my machine.
No, it is your machine getting information about the attacker, and logging it. I think it is comparing
the direct and reverse DNS info, and seeing that they don't match.
> I won’t be able to use wireshark
> it seems that my company had some holes in their firewall including ssh
> and It was just fixed lets see what happens next, if the attacks
> continue I will post a wireshark analysis. Thanks…
Anybody having a server on the internet sees those.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Minas Tirith))
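What the comparison described in the post above looks like as code, as an added example (not the thread's or OpenSSH's own code): sshd takes the client's address, asks for its PTR name, then resolves that name forward and checks that the original address is among the answers. The resolver here is a constructed in-memory table standing in for getnameinfo/getaddrinfo, so it runs offline; the 173.160.192.149 entry reproduces the situation in the posted lines (a PTR name with no forward record), and the other addresses are illustrative. The wording of the second warning is my recollection of OpenSSH's message for the "resolves, but to a different address" branch, so treat it as an assumption.

```python
"""Simulate sshd's client-hostname consistency check.

sshd logs 'reverse mapping checking getaddrinfo ... failed' when the PTR name
for the client address does not resolve forward at all, and a different
warning when it resolves but not back to the client address.  In both cases
it falls back to using the bare IP as the client's name.
"""

# Constructed resolver data: ip -> PTR name, and name -> A records.
PTR = {
    "173.160.192.149": "173-160-192-149-washington.hfc.comcastbusiness.net",
    "192.0.2.10": "host.example.net",
    "192.0.2.20": "spoofed.example.org",
}
A = {
    "host.example.net": ["192.0.2.10"],
    "spoofed.example.org": ["198.51.100.7"],  # PTR points here, but it resolves elsewhere
    # the comcastbusiness name deliberately has no forward record
}


def reverse_lookup(ip):
    """Stand-in for getnameinfo(): PTR name or None."""
    return PTR.get(ip)


def forward_lookup(name):
    """Stand-in for getaddrinfo(): list of addresses or None on failure."""
    return A.get(name)


def client_hostname(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (name_to_use, warning_or_None), mirroring sshd's logic: use the
    PTR name only if it resolves back to the client's address."""
    name = reverse(ip)
    if name is None:
        return ip, None  # no PTR at all: nothing to compare, no warning
    addrs = forward(name)
    if addrs is None:
        # the case in the post: the PTR name does not resolve forward at all
        return ip, (f"reverse mapping checking getaddrinfo for {name} [{ip}] "
                    f"failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        # PTR name resolves, but to some other address (wording assumed)
        return ip, (f"Address {ip} maps to {name}, but this does not map back "
                    f"to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name, None


if __name__ == "__main__":
    for ip in list(PTR) + ["203.0.113.1"]:
        name, warning = client_hostname(ip)
        print(f"{ip} -> use {name!r}; warning: {warning}")
```

To use this against live DNS, pass `socket.gethostbyaddr(ip)[0]` and `[a[4][0] for a in socket.getaddrinfo(name, None)]` as the two lookup functions instead of the table. The practical point is in the post above: the warning only tells you the remote side's DNS is inconsistent, which is common for consumer and business ISP ranges and for attackers alike, so it is context for the "Invalid user" lines rather than a detection on its own.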
OK, so if you are running an http server which is visible from outside, then those records in your logs will grow. You can compare those entries with the http server logs (for Apache it would be /var/log/apache2/access_log and error_log).
cheers