Someone bypassing the router?

Hi, first of all, I know that this is an openSUSE forum, but I need
some help on this… I have a server (Red Hat) behind a Linksys 54G v7
router and there is no port forwarding enabled, but I have logs like:

on /var/log/message:


Feb  2 09:24:08 apolo sshd(pam_unix)[28405]: check pass; user unknown
Feb  2 09:24:08 apolo sshd(pam_unix)[28405]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.7.215.216


http://foro.elhacker.net/dudas_generales/es_posible_que_esten_pasando_por_el_firewall_del_router-t318438.0.html#ixzz1CpQhBERF


on /var/log/secure:


Feb  2 09:24:11 apolo sshd[28405]: Failed password for invalid user recruit from ::ffff:66.7.215.216 port 33994 ssh2
Feb  2 12:24:11 apolo sshd[28406]: Failed password for invalid user recruit from ::ffff:66.7.215.216 port 33994 ssh2
Feb  2 12:24:11 apolo sshd[28406]: Received disconnect from ::ffff:66.7.215.216: 11: Bye Bye
Feb  2 09:24:12 apolo sshd[28407]: Invalid user alias from ::ffff:66.7.215.216
Feb  2 09:24:12 apolo sshd[28408]: input_userauth_request: invalid user alias
Feb  2 09:24:12 apolo sshd[28407]: reverse mapping checking getaddrinfo for 66-7-215-216.static.dimenoc.com failed - POSSIBLE BREAKIN ATTEMPT!
Feb  2 09:24:15 apolo sshd[28407]: Failed password for invalid user alias from ::ffff:66.7.215.216 port 34192 ssh2
Feb  2 12:24:15 apolo sshd[28408]: Failed password for invalid user alias from ::ffff:66.7.215.216 port 34192 ssh2
Feb  2 12:24:15 apolo sshd[28408]: Received disconnect from ::ffff:66.7.215.216: 11: Bye Bye
Feb  2 09:24:17 apolo sshd[28409]: Invalid user office from ::ffff:66.7.215.216
Feb  2 09:24:17 apolo sshd[28410]: input_userauth_request: invalid user office
Feb  2 09:24:17 apolo sshd[28409]: reverse mapping checking getaddrinfo for 66-7-215-216.static.dimenoc.com failed - POSSIBLE BREAKIN ATTEMPT!


http://foro.elhacker.net/dudas_generales/es_posible_que_esten_pasando_por_el_firewall_del_router-t318438.0.html#ixzz1CpQuMn8x


Is it possible to reach the PC bypassing the router?


VampirD

Microsoft Windows is like air conditioning
Stops working when you open a window.

On Wed, 02 Feb 2011 18:44:55 +0000, VampirD wrote:

> Is it possible to reach the PC bypassing the router?

Check the port forwarding configuration and see if port 22 is being
redirected. I don’t know of a way to bypass port forwarding rules in a
router; you might ask in a forum specific to the Linksys router you’re
using to see if there’s some kind of known bug.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

You can also use nmap and scan your external IP address for open ports to check which ports are actually open from the internet.

Am assuming by “router” you’re referring to your Linksys and not your RH configured as a router. I note that your Linksys is a wireless router.

So, how is your PC configured, in a LAN or de-militarized zone? If it’s configured with a public IP address in a de-militarized zone then yes… if your wireless router is configured with weak security, i.e. WEP or WPA using the default SSID, which would expose you to rainbow table cracking in minutes, then someone could be attacking your Server directly and trying to SSH in.

If your PC is configured in a LAN zone, then the attacker is mis-configured or coming in the front door (the Internet). In this case you would still have to look at your wireless security (if the attacker is merely mis-configured) or Linksys configuration and security (if the attacker is coming from the Internet).

The one thing that’s fairly certain is that you are being probed by someone.

Tony
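
An added example, not part of any post in this thread: the script below tallies sshd failures per source address and labels each source as private (LAN or wireless side) or public (Internet side), which is the distinction Tony's reply turns on. The sample lines are rejoined from the first post, plus one constructed 192.168.1.50 line for contrast; the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: log lines from the first post with wrapped lines rejoined.
# The last line (192.168.1.50) is constructed for contrast, not from the thread.
SAMPLE_LOG = """\
Feb  2 09:24:11 apolo sshd[28405]: Failed password for invalid user recruit from ::ffff:66.7.215.216 port 33994 ssh2
Feb  2 09:24:12 apolo sshd[28407]: Invalid user alias from ::ffff:66.7.215.216
Feb  2 09:24:15 apolo sshd[28407]: Failed password for invalid user alias from ::ffff:66.7.215.216 port 34192 ssh2
Feb  2 09:24:17 apolo sshd[28409]: Invalid user office from ::ffff:66.7.215.216
Feb  2 09:30:01 apolo sshd[28500]: Failed password for root from 192.168.1.50 port 50122 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")

def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def summarize(log_text):
    """Return {source_ip: {"failed": n, "users": set, "origin": label}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "origin": ""})
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        match = failed or INVALID.search(line)
        if not match:
            continue
        try:
            ip = normalize(match.group(2))
        except ValueError:
            continue  # sshd logged a hostname or garbage instead of an address
        entry = stats[str(ip)]
        entry["failed"] += 1 if failed else 0
        entry["users"].add(match.group(1))
        # A private source means the client is on the LAN/wireless side;
        # a public source means the connection was forwarded in from the WAN.
        entry["origin"] = ("LAN (private address)" if ip.is_private
                           else "Internet (public address)")
    return dict(stats)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info["origin"], info["failed"], sorted(info["users"]))
```
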