login failures

Ronald Klop ronald-freebsd8 at klop.yi.org
Tue Nov 19 10:25:31 UTC 2013


On Tue, 19 Nov 2013 09:14:59 +0100, Marko Cupać <marko.cupac at mimar.rs>  
wrote:

> I am getting e-mail with security run output from one of my 9.2-RELEASE
> servers whose primary role is mysql server:
>
> sql1.kappastar.com login failures:
> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
> Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
>
> However, I do not see anything in auth.log. Also, this should not
> happen at all as this host is in a DMZ behind the firewall which does not
> allow ssh connections to it.
>
> How should I start troubleshooting this?

- double check your firewall. Do you log the allowed and blocked traffic?
- scan the network for unexpected traffic.
- are there more logs 'missing'?

Ronald.
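
One way to work through the "are there more logs 'missing'?" check, as an added example that is not part of the original messages: it parses the sshd entries quoted in the report, counts them per source address, and lists those with no identical line in a given auth.log text. The function names and the `AUTH_LOG` sample are constructed for illustration.

```python
import re
from collections import Counter

# sshd syslog prefix, plus the two message kinds quoted in the post.
PREFIX = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
KINDS = {
    "invalid_user": re.compile(r"^Invalid user \S+ from ([\d.]+)$"),
    "revmap_fail": re.compile(r"^reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed"),
}

def parse(text):
    """Return (timestamp, host, pid, kind, source_ip) for each recognised line."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        for kind, rx in KINDS.items():
            hit = rx.match(msg)
            if hit:
                events.append((ts, host, int(pid), kind, hit.group(1)))
                break
    return events

def missing_from(report, auth_log):
    """Events in the mailed report with no identical entry in the given log text."""
    seen = set(parse(auth_log))
    return [e for e in parse(report) if e not in seen]

def by_source(events):
    return Counter(e[4] for e in events)  # e[4] is the source address

# The entries quoted in the post, one per line.
REPORT = """\
Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
"""
# Constructed sample standing in for the current auth.log (not from the post).
AUTH_LOG = "Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22\n"

if __name__ == "__main__":
    print(dict(by_source(parse(REPORT))))
    print(len(missing_from(REPORT, AUTH_LOG)), "report entries not in the sample auth.log")
```

The host field (`sql1` in every quoted line) is kept in each parsed event, so entries logged under another hostname stand out when the same functions are run over real log files.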


More information about the freebsd-stable mailing list