Date:      Tue, 19 Nov 2013 11:09:46 +0100
From:      "Ronald Klop" <ronald-freebsd8@klop.yi.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: login failures
Message-ID:  <op.w6sjukm08527sy@ronaldradial>
In-Reply-To: <20131119091459.3084ad63d079615a0ce31d18@mimar.rs>
References:  <20131119091459.3084ad63d079615a0ce31d18@mimar.rs>

On Tue, 19 Nov 2013 09:14:59 +0100, Marko Cupać <marko.cupac@mimar.rs>  
wrote:

> I am getting e-mail with security run output from one of my 9.2-RELEASE
> servers whose primary role is mysql server:
>
> sql1.kappastar.com login failures:
> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
> Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
>
> However, I do not see anything in auth.log. Also, this should not
> happen at all as this host is in a DMZ behind the firewall which does not
> allow ssh connections to it.
>
> How should I start troubleshooting this?

- double check your firewall. Do you log the allowed and blocked traffic?
- scan the network for unexpected traffic.
- are there more logs 'missing'?

Ronald.
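
Added example (not part of either message): one way to check which lines of the security run output are absent from auth.log and to tally them per source address for comparison with firewall logs. It assumes the sshd line format quoted above; the function names are hypothetical and the AUTH_LOG excerpt is constructed.

```python
import re
from collections import Counter

# sshd lines in the format quoted in the message above.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                     r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Source address: last "from <ip>" or "[<ip>] failed ...", anchored at the
# end so a user name containing "from 1.2.3.4" cannot spoof it.
SRC_RE = re.compile(r"(?:\bfrom |\[)(\d{1,3}(?:\.\d{1,3}){3})(?:\] failed\b.*)?$")

def parse(text):
    """Return one dict per sshd line; a leading '> ' quote prefix is ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.lstrip("> ").rstrip())
        if m:
            ev = m.groupdict()
            src = SRC_RE.search(ev["msg"])
            ev["src"] = src.group(1) if src else None
            events.append(ev)
    return events

def missing_from(report_text, auth_log_text):
    """Events in the security run output that have no identical line in auth.log."""
    def key(e):
        return (e["ts"], e["host"], e["pid"], e["msg"])
    seen = {key(e) for e in parse(auth_log_text)}
    return [e for e in parse(report_text) if key(e) not in seen]

def by_source(events):
    """Count events per source address, for comparison with firewall logs."""
    return Counter(e["src"] for e in events)

# Three lines taken from the quoted report.
REPORT = """\
> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
"""
# Constructed auth.log excerpt: only the first event is present.
AUTH_LOG = "Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6\n"

if __name__ == "__main__":
    gone = missing_from(REPORT, AUTH_LOG)
    print(len(gone), "report lines not found in auth.log")
    for src, n in by_source(gone).items():
        print(f"  {src}: {n}")
```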
