From: krad
To: Ronald Klop
Cc: freebsd-stable
Date: Tue, 19 Nov 2013 10:34:01 +0000
Subject: Re: login failures
List-Id: Production branch of FreeBSD source code

I always have a firewall on a local machine as well as the network run firewall, maybe you should consider this. I also have a management interface on all boxes, and ssh and any backup and monitoring daemons are bound to this interface. You could also look at removing the default route on the box and just putting in the static routes it needs. Any internet bound traffic you need (OS updates etc.) can go via a proxy. Similarly with mysql, only bind it to the required interface. These interfaces can of course be vlan ones and need not be physical.

On 19 November 2013 10:09, Ronald Klop wrote:
> On Tue, 19 Nov 2013 09:14:59 +0100, Marko Cupać wrote:
>
>> I am getting e-mail with security run output from one of my 9.2-RELEASE
>> servers whose primary role is mysql server:
>>
>> sql1.kappastar.com login failures:
>> Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 188.95.234.6
>> Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 188.95.234.6
>> Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for 189.26.255.11.static.gvt.net.br [189.26.255.11] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 189.26.255.11
>> Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 21:18:09 sql1 sshd[60885]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 21:18:16 sql1 sshd[60887]: reverse mapping checking getaddrinfo for 210.213.119.53.pldt.net [210.213.119.53] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 208.83.31.22
>>
>> However, I do not see anything in auth.log. Also, this should not
>> happen at all as this host is in DMZ behind the firewall which does not
>> allow ssh connections to it.
>>
>> How should I start troubleshooting this?
>
> - double check your firewall. Do you log the allowed and blocked traffic?
> - scan the network for unexpected traffic.
> - are there more logs 'missing'?
>
> Ronald.
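The thread's first troubleshooting step is to work out which sources reached sshd at all, since the firewall was supposed to stop every one of them. The script below is an added example, not code from the thread or from FreeBSD; it parses sshd lines in the format of the periodic "login failures" section Marko quoted, groups them by source address, and flags any source that lies outside an assumed management subnet (MGMT_NET, a hypothetical 10.0.0.0/24, standing in for the interface krad binds ssh to). The sample lines are constructed and use RFC 5737 documentation addresses rather than the ones in the original report.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample input in the format of the periodic(8) "login failures"
# section quoted in the thread. Addresses are RFC 5737 documentation ranges,
# not the addresses from the original report.
SAMPLE_LOG = """\
Nov 18 02:11:09 sql1 sshd[58619]: Invalid user this-is-not-an-attack from 192.0.2.6
Nov 18 02:11:17 sql1 sshd[58621]: Invalid user this-is-not-an-attack from 192.0.2.6
Nov 18 04:54:10 sql1 sshd[59190]: reverse mapping checking getaddrinfo for host.example.net [198.51.100.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 04:54:10 sql1 sshd[59190]: Invalid user info from 198.51.100.11
Nov 18 21:18:05 sql1 sshd[60883]: reverse mapping checking getaddrinfo for other.example.org [203.0.113.53] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 18 23:05:39 sql1 sshd[61075]: Invalid user ____ from 203.0.113.22
Nov 18 23:10:00 sql1 sshd[61080]: Invalid user admin from 10.0.0.5
"""

# Hypothetical management network: with sshd bound to the management
# interface (krad's suggestion), this is the only place ssh should be
# reachable from. Anything else getting through means a firewall gap.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")

INVALID_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
REVERSE_MAP = re.compile(
    r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\] failed")


def parse_line(line):
    """Return (event_type, source_ip, detail) for a recognised sshd line, else None."""
    m = INVALID_USER.search(line)
    if m:
        return ("invalid_user", m.group("ip"), m.group("user"))
    m = REVERSE_MAP.search(line)
    if m:
        return ("reverse_mapping_failed", m.group("ip"), m.group("host"))
    return None


def summarize(log_text, mgmt_net=MGMT_NET):
    """Group sshd failures by source IP and mark sources outside mgmt_net."""
    per_ip = defaultdict(lambda: {"invalid_user": 0,
                                  "reverse_mapping_failed": 0,
                                  "users": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # lines we do not classify (accepted logins, etc.)
        kind, ip, detail = parsed
        per_ip[ip][kind] += 1
        if kind == "invalid_user":
            per_ip[ip]["users"].add(detail)

    report = {}
    for ip, counts in per_ip.items():
        report[ip] = {
            "invalid_user": counts["invalid_user"],
            "reverse_mapping_failed": counts["reverse_mapping_failed"],
            "users": sorted(counts["users"]),
            "outside_mgmt_net": ipaddress.ip_address(ip) not in mgmt_net,
        }
    return report


def unexpected_sources(log_text, mgmt_net=MGMT_NET):
    """Source IPs that reached sshd although the firewall should have blocked them."""
    return sorted(ip for ip, r in summarize(log_text, mgmt_net).items()
                  if r["outside_mgmt_net"])


if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG).items()):
        flag = "UNEXPECTED" if r["outside_mgmt_net"] else "mgmt"
        print(f"{ip:16} {flag:10} invalid_user={r['invalid_user']} "
              f"rdns_fail={r['reverse_mapping_failed']} users={r['users']}")
```

Every address that comes back from unexpected_sources() is one the firewall or the sshd binding let through, which is exactly what Ronald's "double check your firewall" and "do you log the allowed and blocked traffic" are meant to surface: compare these sources against the firewall's own pass/block log for the same timestamps, and a source that sshd saw but the firewall never logged tells you the traffic is arriving by a path the ruleset does not cover.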