11-10-2004, 07:21 PM #1 craddy Guest
worrying log files (email from bfd)
I have BFD installed and I just got some emails about:
The remote system 184.108.40.206 was found to have exceeded acceptable login failures on p15170153 pureserver info
The other two were similar but from a different IP.
Should I be worried about this? The second looks like someone trying to log in to the server, trying all the users? How do I check the integrity of the server?
Any advice on what to do?
Last edited by craddy; 11-11-2004 at 08:31 AM.
11-10-2004, 09:46 PM #2 bliksterC Guest
Hello craddy, welcome to WHC!
You should review the IPs to make sure they are not from any of your clients. You can log in and view /var/log/secure and see what's the login that was being attempted. BFD should block the IP automatically, but if you have APF you can block the IPs.
Code:
apf -d 220.127.116.11
11-11-2004, 05:22 AM #3 craddy Guest
Thanks for the help! They are definitely not clients as the server is only 2 days old and has no clients! I have run chkrootkit and rkhunter and they showed up nothing so that is a relief, but there was another "attack" during the night (I'm in England so the time is all out).
Apart from the APF and BFD (and rkhunter) do you have any other scripts/programmes you would recommend I install?
11-11-2004, 11:39 AM #4 bliksterC Guest
Aside from APF and BFD there isn't much you can do. You will get this every day and you can't stop attempted logins. Just make sure your logins are all a mix of digits and letters. Don't give anyone passwords that are dictionary words or only numbers.
11-11-2004, 02:06 PM #5 craddy Guest
So this is expected, as long as the sshd log only shows logins that are me (or another legit. user) then I'm OK? Cheers for the input!
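An added example, not part of the original thread: one way to do the /var/log/secure review suggested in post #2 and the "only logins that are me" check from post #5. The log lines are constructed samples in sshd's format (documentation IP ranges, hypothetical host name `p1`), and `summarize`, `known_users` and the failure threshold of 3 are assumptions for illustration, not BFD's own logic or settings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the sshd format written to /var/log/secure.
SAMPLE_LOG = """\
Nov 10 18:55:01 p1 sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Nov 10 18:55:03 p1 sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Nov 10 18:55:06 p1 sshd[2105]: Failed password for root from 192.0.2.10 port 40119 ssh2
Nov 10 18:55:09 p1 sshd[2107]: Failed password for invalid user admin from 192.0.2.10 port 40121 ssh2
Nov 10 19:02:40 p1 sshd[2150]: Accepted password for craddy from 198.51.100.7 port 51000 ssh2
Nov 11 02:14:12 p1 sshd[2390]: Failed password for root from 203.0.113.5 port 33010 ssh2
Nov 11 02:20:00 p1 sshd[2401]: Accepted password for root from 203.0.113.5 port 33050 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, known_users, threshold=3):
    """Group failed logins by source IP and flag successful logins worth a look."""
    failures = defaultdict(Counter)   # ip -> Counter of usernames tried
    accepted = []                     # (user, ip) for every successful login
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failures[m["ip"]][m["user"]] += 1
        else:
            accepted.append((m["user"], m["ip"]))
    failed_ips = set(failures)
    return {
        # IPs at or over the (assumed) failure threshold, with the names they tried
        "noisy": {ip: dict(u) for ip, u in failures.items()
                  if sum(u.values()) >= threshold},
        # successful logins by accounts you do not expect to log in
        "unknown_logins": [(u, ip) for u, ip in accepted if u not in known_users],
        # successful logins from an IP that also produced failures
        "success_after_failure": [(u, ip) for u, ip in accepted if ip in failed_ips],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, known_users={"craddy"}))
```

On a real server, pass the contents of /var/log/secure instead of `SAMPLE_LOG`; an empty `unknown_logins` and `success_after_failure` is the "I'm OK" case described in post #5.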
11-11-2004, 03:09 PM #6 bliksterC Guest
Good luck! Hope you enjoy WHC!