Date:      Tue, 19 Nov 2013 10:34:01 +0000
From:      krad <kraduk@gmail.com>
To:        Ronald Klop <ronald-freebsd8@klop.yi.org>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: login failures
Message-ID:  <CALfReydaAoU-iXAe2y5WugFMY2pJNBVx0q2w76o=iGLdPcHV0Q@mail.gmail.com>
In-Reply-To: <op.w6sjukm08527sy@ronaldradial>
References:  <20131119091459.3084ad63d079615a0ce31d18@mimar.rs> <op.w6sjukm08527sy@ronaldradial>

I always have a firewall on a local machine as well as the network run
firewall, maybe you should consider this.  I also have a management
interface on all boxes and ssh and any backup and monitoring daemons are
bound to this interface. You could also look at removing the default route
on the box and just putting in the static routes it needs. Any internet
bound traffic you need (os updates etc) can go via a proxy. Similarly with
mysql, only bind it to the required interface. These interfaces can of
course be vlan ones and need not be physical.



On 19 November 2013 10:09, Ronald Klop <ronald-freebsd8@klop.yi.org> wrote:

> On Tue, 19 Nov 2013 09:14:59 +0100, Marko Cupać <marko.cupac@mimar.rs>
> wrote:
>
>> I am getting e-mail with security run output from one of my 9.2-RELEASE
>> servers whose primary role is mysql server:
>>
>> sql1.kappastar.com login failures:
>> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
>> Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
>> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
>> Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
>>
>> However, I do not see anything in auth.log. Also, this should not
>> happen at all as this host is in DMZ behind the firewall which does not
>> allow ssh connections to it.
>>
>> How should I start troubleshooting this?
>>
>
> - double check your firewall. Do you log the allowed and blocked traffic?
> - scan the network for unexpected traffic.
> - are there more logs 'missing'?
>
> Ronald.
>



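As an added example, not code from anyone in this thread: a small Python checker that applies Ronald's "double check your firewall" advice to the security run output quoted above. It parses the sshd lines Marko posted and counts, per source address, every event that came from outside the network the host is supposed to accept SSH from; the management network 10.0.100.0/24 is an assumed placeholder, and the sample lines are copied from the quoted report.

```python
import re
import ipaddress
from collections import Counter

# Sample lines copied from the security run output quoted in the thread.
SAMPLE_LOG = """\
Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
"""

# Networks from which SSH to this host is expected (the management VLAN).
# Assumed placeholder value; replace with your own management range.
ALLOWED_NETS = [ipaddress.ip_network("10.0.100.0/24")]

INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
REVERSE_MAP = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed")


def parse_sshd_events(text):
    """Return a list of (source, kind, username_or_None) from sshd log lines."""
    events = []
    for line in text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            events.append((m.group(2), "invalid_user", m.group(1)))
            continue
        m = REVERSE_MAP.search(line)
        if m:
            events.append((m.group(1), "reverse_dns_failed", None))
    return events


def unexpected_sources(events, allowed=ALLOWED_NETS):
    """Count events per source address that lies outside the allowed networks.

    Any non-empty result means SSH traffic reached the host from somewhere the
    firewall was supposed to block, which is the thing to investigate first.
    """
    counts = Counter()
    for src, _kind, _user in events:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # sshd logged a hostname here, not an address; skip it
        if not any(addr in net for net in allowed):
            counts[src] += 1
    return counts


if __name__ == "__main__":
    for src, n in unexpected_sources(parse_sshd_events(SAMPLE_LOG)).most_common():
        print(f"{src}: {n} sshd event(s) from outside the management network")
```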