Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : someone is scanning my server

[neorder]

will you consider this is normal?

i recieved 107 email from my Broute Force Dection software this morning, it reported someone is trying to use different combination of user name and password to get into my server.

all emails are showing something like below except the user name they tried to get in is different.

Quote:

Jun 6 04:43:38 apple sshd[9215]: Illegal user support from 211.48.20.163
Jun 6 04:43:40 sv2 sshd[9209]: Failed password for illegal user support from
211.48.20.163 port 58502 ssh2

again, from my logwatch report i found:

Quote:

--------------------- SSHD Begin ------------------------

Argument "fw1" isn't numeric in numeric comparison (<=>) at
/etc/log.d//lib/Logwatch.pm line 233, <STDIN> line 39.
Argument "3essentials" isn't numeric in numeric comparison (<=>) at
/etc/log.d//lib/Logwatch.pm line 233, <STDIN> line 39.

in the end of my logwatch email:

Quote:

Scanned from these:
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)
fw1.3essentials.com (66.179.167.245)

**Unmatched Entries**
sshd -HUP succeeded

i use directadmin and disabled end users' SSH access, if you have recieved above information, what would you do? i'm not so confident if i'm safe now...

btw, 3essentials.com is a web hosting company as well, is it alright a host scan another host?

[BizB]

email there admin and block there ip from your ssh port "dont block them totaly so you can recive there replay to your email"
it could be a hacked account on there server and its beeing used to hack other servers.

[pizzaboy_au]

Quote:

Jun 6 04:43:38 apple sshd[9215]: Illegal user support from 211.48.20.163
Jun 6 04:43:40 sv2 sshd[9209]: Failed password for illegal user support from
211.48.20.163 port 58502 ssh2

I had the same ip scanning my boxes. It is a hacked box in korea. The ip resolves to www.7view.com . I have sent an email to the admins however i do not expect anything back from them. It kept scanning my boxes from 6:00am to 6:24am for 2 days in a row. I got 357 emails the first day from BFD.

All you can do is ban the ip address.

[Informity]

just block the IP from your machine.

It's most likely just some script kiddie screwing about with a compromised server (or their own computer if they're stupid)

[pizzaboy_au]

Quote:

Argument "fw1" isn't numeric in numeric comparison (<=> ) at
/etc/log.d//lib/Logwatch.pm line 233, <STDIN> line 39.
Argument "3essentials" isn't numeric in numeric comparison (<=> ) at
/etc/log.d//lib/Logwatch.pm line 233, <STDIN> line 39.

In regards to this is logwatch installed properly.
Did you ever get the above quotes in your email before the BFD emails started to arrive?

Quote:

3essentials.com is a web hosting company as well, is it alright a host scan another host?

Usually hosts do not scan other webhosters computers unless they have been comprimised.

[Daniel53]

Block the IP address for your SSH port (default 22) and e-mail the admin. If you dont get any response, I'd go ahead and block the whole IP. It's probably a hacked box, not the actual web-company trying to scan you.

[SiSHCO]

Also change to SSH port to 1000 or something like that. They never know that : ). And of course block ip address.