Date: Tue, 19 Nov 2013 11:09:46 +0100
From: "Ronald Klop" <ronald-freebsd8@klop.yi.org>
To: freebsd-stable@freebsd.org
Subject: Re: login failures
Message-ID: <op.w6sjukm08527sy@ronaldradial>
In-Reply-To: <20131119091459.3084ad63d079615a0ce31d18@mimar.rs>
References: <20131119091459.3084ad63d079615a0ce31d18@mimar.rs>

On Tue, 19 Nov 2013 09:14:59 +0100, Marko Cupać <marko.cupac@mimar.rs> wrote:

> I am getting e-mail with security run output from one of my 9.2-RELEASE
> servers whose primary role is mysql server:
>
> sql1.kappastar.com login failures:
> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
> Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
> Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
>
> However, I do not see anything in auth.log. Also, this should not
> happen at all as this host is in DMZ behind the firewall which does not
> allow ssh connections to it.
>
> How should I start troubleshooting this?

- double check your firewall. Do you log the allowed and blocked traffic?
- scan the network for unexpected traffic.
- are there more logs 'missing'?

Ronald.

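One way to prepare for the firewall check suggested above, as an added example that is not part of the original thread: the script parses the sshd lines quoted in the message and groups them by source address, giving the time window and connection count to look for in the firewall's allow/block log. The function names are hypothetical, and the year 2013 is an assumption taken from the date of the e-mail, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Log lines copied from the quoted security run output in the message above.
SAMPLE = """\
Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
INVALID = re.compile(r"^Invalid user (.*) from (\d{1,3}(?:\.\d{1,3}){3})$")
REVMAP = re.compile(r"^reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed")

def parse(text, year=2013):
    """Return one event dict per recognised sshd line (year is an assumption)."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        inv, rev = INVALID.match(m.group(3)), REVMAP.match(m.group(3))
        if inv:
            kind, user, ip = "invalid_user", inv.group(1), inv.group(2)
        elif rev:
            kind, user, ip = "reverse_mapping_failed", None, rev.group(1)
        else:
            continue
        events.append({"when": when, "pid": m.group(2), "kind": kind, "user": user, "ip": ip})
    return events

def summarize(events):
    """Group by source IP. Distinct sshd PIDs approximate distinct connections
    (sshd forks a child per connection), the unit a firewall log records."""
    out = {}
    for e in events:
        s = out.setdefault(e["ip"], {"lines": 0, "pids": set(), "users": set(),
                                     "first": e["when"], "last": e["when"]})
        s["lines"] += 1
        s["pids"].add(e["pid"])
        if e["user"] is not None:
            s["users"].add(e["user"])
        s["first"], s["last"] = min(s["first"], e["when"]), max(s["last"], e["when"])
    return out

if __name__ == "__main__":
    for ip, s in sorted(summarize(parse(SAMPLE)).items()):
        print(ip, len(s["pids"]), "connection(s)", s["first"], "to", s["last"], sorted(s["users"]))
```

If the firewall log shows no matching connections to port 22 of this host in those windows, the traffic reached sshd by a path that bypasses the firewall, or the lines were logged on a different host than assumed.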
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.w6sjukm08527sy>