  1. #1

    I see this every time on my logs

    I see a list like this every day on my logs. Does this mean someone is trying to get access to my root account, and these are the passes that they are trying?

    Code:
    --------------------- SSHD Begin ------------------------
    Failed logins from these:
        account/password from 203.204.135.11: 3 Time(s)
        adam/password from 203.204.135.11: 3 Time(s)
        adm/password from 203.204.135.11: 6 Time(s)
        admin/password from 207.101.220.162: 2 Time(s)
        alan/password from 203.204.135.11: 3 Time(s)
        anonymous/password from 84.244.0.130: 4 Time(s)
        apache/password from 203.204.135.11: 3 Time(s)
        backup/password from 203.204.135.11: 3 Time(s)
        chuck/password from 84.244.0.130: 2 Time(s)
        cip51/password from 203.204.135.11: 3 Time(s)
        cip52/password from 203.204.135.11: 3 Time(s)
        cosmin/password from 203.204.135.11: 3 Time(s)
        cyrus/password from 203.204.135.11: 3 Time(s)
        darkman/password from 84.244.0.130: 1 Time(s)
        data/password from 203.204.135.11: 3 Time(s)
        frank/password from 203.204.135.11: 3 Time(s)
        george/password from 203.204.135.11: 3 Time(s)
        guest/password from 207.101.220.162: 1 Time(s)
        henry/password from 203.204.135.11: 3 Time(s)
        horde/password from 203.204.135.11: 3 Time(s)
        hostmaster/password from 84.244.0.130: 1 Time(s)
        iceuser/password from 203.204.135.11: 3 Time(s)
        irc/password from 203.204.135.11: 6 Time(s)
        jane/password from 203.204.135.11: 3 Time(s)
        jeffrey/password from 84.244.0.130: 1 Time(s)
        john/password from 203.204.135.11: 3 Time(s)
        jordan/password from 84.244.0.130: 2 Time(s)
        kee/password from 218.188.2.4: 3 Time(s)
        kees/password from 218.188.2.4: 3 Time(s)
        keith/password from 218.188.2.4: 3 Time(s)
        kelly/password from 218.188.2.4: 3 Time(s)
        kelvin/password from 218.188.2.4: 3 Time(s)
        kemal/password from 218.188.2.4: 3 Time(s)
        ken/password from 218.188.2.4: 3 Time(s)
        kenn/password from 218.188.2.4: 3 Time(s)
        kenneth/password from 218.188.2.4: 3 Time(s)
        kent/password from 218.188.2.4: 3 Time(s)
        kenton/password from 218.188.2.4: 3 Time(s)
        kerri/password from 218.188.2.4: 3 Time(s)
        kerry/password from 218.188.2.4: 3 Time(s)
        kevan/password from 218.188.2.4: 3 Time(s)
        kevin/password from 218.188.2.4: 3 Time(s)
        kevyn/password from 218.188.2.4: 3 Time(s)
        kieran/password from 218.188.2.4: 3 Time(s)
        kiki/password from 218.188.2.4: 3 Time(s)
        kikki/password from 218.188.2.4: 3 Time(s)
        kim/password from 218.188.2.4: 3 Time(s)
        kimberly/password from 218.188.2.4: 3 Time(s)
        kimmo/password from 218.188.2.4: 3 Time(s)
        kinch/password from 218.188.2.4: 3 Time(s)
        king/password from 218.188.2.4: 3 Time(s)
        kirk/password from 218.188.2.4: 3 Time(s)
        kit/password from 218.188.2.4: 3 Time(s)
        kitty/password from 218.188.2.4: 3 Time(s)
        klaudia/password from 218.188.2.4: 3 Time(s)
        klaus/password from 218.188.2.4: 3 Time(s)
        knapper/password from 218.188.2.4: 3 Time(s)
        knudsen/password from 218.188.2.4: 3 Time(s)
        knut/password from 218.188.2.4: 3 Time(s)
        knute/password from 218.188.2.4: 3 Time(s)
        kolkka/password from 218.188.2.4: 3 Time(s)
        konrad/password from 218.188.2.4: 3 Time(s)
        master/password from 203.204.135.11: 3 Time(s)
        matt/password from 203.204.135.11: 3 Time(s)
        michael/password from 84.244.0.130: 1 Time(s)
        mysql/password from 203.204.135.11: 3 Time(s)
        nicole/password from 84.244.0.130: 1 Time(s)
        nobody/password from 203.204.135.11: 5 Time(s)
        noc/password from 203.204.135.11: 3 Time(s)
        operator/password from 203.204.135.11: 3 Time(s)
        oracle/password from 203.204.135.11: 3 Time(s)
        pamela/password from 203.204.135.11: 3 Time(s)
        passwd/password from 84.244.0.130: 3 Time(s)
        patrick/password from 203.204.135.11: 6 Time(s)
        rolo/password from 203.204.135.11: 3 Time(s)
        root/password from 203.204.135.11: 177 Time(s)
        root/password from 207.101.220.162: 3 Time(s)
        server/password from 203.204.135.11: 3 Time(s)
        sybase/password from 203.204.135.11: 3 Time(s)
        test/password from 203.204.135.11: 15 Time(s)
        test/password from 207.101.220.162: 2 Time(s)
        user/password from 203.204.135.11: 9 Time(s)
        user/password from 207.101.220.162: 1 Time(s)
        web/password from 203.204.135.11: 6 Time(s)
        webmaster/password from 203.204.135.11: 3 Time(s)
        www-data/password from 203.204.135.11: 3 Time(s)
        www/password from 203.204.135.11: 3 Time(s)
        wwwrun/password from 203.204.135.11: 3 Time(s)
     
     Illegal users from these:
        account/none from 203.204.135.11: 3 Time(s)
        account/password from 203.204.135.11: 3 Time(s)
        adam/none from 203.204.135.11: 3 Time(s)
        adam/password from 203.204.135.11: 3 Time(s)
        admin/none from 207.101.220.162: 2 Time(s)
        admin/password from 207.101.220.162: 2 Time(s)
        alan/none from 203.204.135.11: 3 Time(s)
        alan/password from 203.204.135.11: 3 Time(s)
        anonymous/none from 84.244.0.130: 4 Time(s)
        anonymous/password from 84.244.0.130: 4 Time(s)
        backup/none from 203.204.135.11: 3 Time(s)
        backup/password from 203.204.135.11: 3 Time(s)
        chuck/none from 84.244.0.130: 2 Time(s)
        chuck/password from 84.244.0.130: 2 Time(s)
        cip51/none from 203.204.135.11: 3 Time(s)
        cip51/password from 203.204.135.11: 3 Time(s)
        cip52/none from 203.204.135.11: 3 Time(s)
        cip52/password from 203.204.135.11: 3 Time(s)
        cosmin/none from 203.204.135.11: 3 Time(s)
        cosmin/password from 203.204.135.11: 3 Time(s)
        cyrus/none from 203.204.135.11: 3 Time(s)
        cyrus/password from 203.204.135.11: 3 Time(s)
        darkman/none from 84.244.0.130: 1 Time(s)
        darkman/password from 84.244.0.130: 1 Time(s)
        data/none from 203.204.135.11: 3 Time(s)
        data/password from 203.204.135.11: 3 Time(s)
        frank/none from 203.204.135.11: 3 Time(s)
        frank/password from 203.204.135.11: 3 Time(s)
        george/none from 203.204.135.11: 3 Time(s)
        george/password from 203.204.135.11: 3 Time(s)
        guest/none from 207.101.220.162: 1 Time(s)
        guest/password from 207.101.220.162: 1 Time(s)
        henry/none from 203.204.135.11: 3 Time(s)
        henry/password from 203.204.135.11: 3 Time(s)
        horde/none from 203.204.135.11: 3 Time(s)
        horde/password from 203.204.135.11: 3 Time(s)
        hostmaster/none from 84.244.0.130: 1 Time(s)
        hostmaster/password from 84.244.0.130: 1 Time(s)
        iceuser/none from 203.204.135.11: 3 Time(s)
        iceuser/password from 203.204.135.11: 3 Time(s)
        irc/none from 203.204.135.11: 6 Time(s)
        irc/password from 203.204.135.11: 6 Time(s)
        jane/none from 203.204.135.11: 3 Time(s)
        jane/password from 203.204.135.11: 3 Time(s)
        jeffrey/none from 84.244.0.130: 1 Time(s)
        jeffrey/password from 84.244.0.130: 1 Time(s)
        john/none from 203.204.135.11: 3 Time(s)
        john/password from 203.204.135.11: 3 Time(s)
        jordan/none from 84.244.0.130: 2 Time(s)
        jordan/password from 84.244.0.130: 2 Time(s)
        kee/none from 218.188.2.4: 3 Time(s)
        kee/password from 218.188.2.4: 3 Time(s)
        kees/none from 218.188.2.4: 3 Time(s)
        kees/password from 218.188.2.4: 3 Time(s)
        keith/none from 218.188.2.4: 3 Time(s)
        keith/password from 218.188.2.4: 3 Time(s)
        kelly/none from 218.188.2.4: 3 Time(s)
        kelly/password from 218.188.2.4: 3 Time(s)
        kelvin/none from 218.188.2.4: 3 Time(s)
        kelvin/password from 218.188.2.4: 3 Time(s)
        kemal/none from 218.188.2.4: 3 Time(s)
        kemal/password from 218.188.2.4: 3 Time(s)
        ken/none from 218.188.2.4: 3 Time(s)
        ken/password from 218.188.2.4: 3 Time(s)
        kenn/none from 218.188.2.4: 3 Time(s)
        kenn/password from 218.188.2.4: 3 Time(s)
        kenneth/none from 218.188.2.4: 3 Time(s)
        kenneth/password from 218.188.2.4: 3 Time(s)
        kent/none from 218.188.2.4: 3 Time(s)
        kent/password from 218.188.2.4: 3 Time(s)
        kenton/none from 218.188.2.4: 3 Time(s)
        kenton/password from 218.188.2.4: 3 Time(s)
        kerri/none from 218.188.2.4: 3 Time(s)
        kerri/password from 218.188.2.4: 3 Time(s)
        kerry/none from 218.188.2.4: 3 Time(s)
        kerry/password from 218.188.2.4: 3 Time(s)
        kevan/none from 218.188.2.4: 3 Time(s)
        kevan/password from 218.188.2.4: 3 Time(s)
        kevin/none from 218.188.2.4: 3 Time(s)
        kevin/password from 218.188.2.4: 3 Time(s)
        kevyn/none from 218.188.2.4: 3 Time(s)
        kevyn/password from 218.188.2.4: 3 Time(s)
        kieran/none from 218.188.2.4: 3 Time(s)
        kieran/password from 218.188.2.4: 3 Time(s)
        kiki/none from 218.188.2.4: 3 Time(s)
        kiki/password from 218.188.2.4: 3 Time(s)
        kikki/none from 218.188.2.4: 3 Time(s)
        kikki/password from 218.188.2.4: 3 Time(s)
        kim/none from 218.188.2.4: 3 Time(s)
        kim/password from 218.188.2.4: 3 Time(s)
        kimberly/none from 218.188.2.4: 3 Time(s)
        kimberly/password from 218.188.2.4: 3 Time(s)
        kimmo/none from 218.188.2.4: 3 Time(s)
        kimmo/password from 218.188.2.4: 3 Time(s)
        kinch/none from 218.188.2.4: 3 Time(s)
        kinch/password from 218.188.2.4: 3 Time(s)
        king/none from 218.188.2.4: 3 Time(s)
        king/password from 218.188.2.4: 3 Time(s)
        kirk/none from 218.188.2.4: 3 Time(s)
        kirk/password from 218.188.2.4: 3 Time(s)
        kit/none from 218.188.2.4: 3 Time(s)
        kit/password from 218.188.2.4: 3 Time(s)
        kitty/none from 218.188.2.4: 3 Time(s)
        kitty/password from 218.188.2.4: 3 Time(s)
        klaudia/none from 218.188.2.4: 3 Time(s)
        klaudia/password from 218.188.2.4: 3 Time(s)
        klaus/none from 218.188.2.4: 3 Time(s)
        klaus/password from 218.188.2.4: 3 Time(s)
        knapper/none from 218.188.2.4: 3 Time(s)
        knapper/password from 218.188.2.4: 3 Time(s)
        knudsen/none from 218.188.2.4: 3 Time(s)
        knudsen/password from 218.188.2.4: 3 Time(s)
        knut/none from 218.188.2.4: 3 Time(s)
        knut/password from 218.188.2.4: 3 Time(s)
        knute/none from 218.188.2.4: 3 Time(s)
        knute/password from 218.188.2.4: 3 Time(s)
        kolkka/none from 218.188.2.4: 3 Time(s)
        kolkka/password from 218.188.2.4: 3 Time(s)
        konrad/none from 218.188.2.4: 3 Time(s)
        konrad/password from 218.188.2.4: 3 Time(s)
        master/none from 203.204.135.11: 3 Time(s)
        master/password from 203.204.135.11: 3 Time(s)
        matt/none from 203.204.135.11: 3 Time(s)
        matt/password from 203.204.135.11: 3 Time(s)
        michael/none from 84.244.0.130: 1 Time(s)
        michael/password from 84.244.0.130: 1 Time(s)
        nicole/none from 84.244.0.130: 1 Time(s)
        nicole/password from 84.244.0.130: 1 Time(s)
        noc/none from 203.204.135.11: 3 Time(s)
        noc/password from 203.204.135.11: 3 Time(s)
        oracle/none from 203.204.135.11: 3 Time(s)
        oracle/password from 203.204.135.11: 3 Time(s)
        pamela/none from 203.204.135.11: 3 Time(s)
        pamela/password from 203.204.135.11: 3 Time(s)
        passwd/none from 84.244.0.130: 3 Time(s)
        passwd/password from 84.244.0.130: 3 Time(s)
        patrick/none from 203.204.135.11: 6 Time(s)
        patrick/password from 203.204.135.11: 6 Time(s)
        rolo/none from 203.204.135.11: 3 Time(s)
        rolo/password from 203.204.135.11: 3 Time(s)
        server/none from 203.204.135.11: 3 Time(s)
        server/password from 203.204.135.11: 3 Time(s)
        sybase/none from 203.204.135.11: 3 Time(s)
        sybase/password from 203.204.135.11: 3 Time(s)
        test/none from 203.204.135.11: 15 Time(s)
        test/none from 207.101.220.162: 2 Time(s)
        test/password from 203.204.135.11: 15 Time(s)
        test/password from 207.101.220.162: 2 Time(s)
        user/none from 203.204.135.11: 9 Time(s)
        user/none from 207.101.220.162: 1 Time(s)
        user/password from 203.204.135.11: 9 Time(s)
        user/password from 207.101.220.162: 1 Time(s)
        web/none from 203.204.135.11: 6 Time(s)
        web/password from 203.204.135.11: 6 Time(s)
        webmaster/none from 203.204.135.11: 3 Time(s)
        webmaster/password from 203.204.135.11: 3 Time(s)
        www-data/none from 203.204.135.11: 3 Time(s)
        www-data/password from 203.204.135.11: 3 Time(s)
        www/none from 203.204.135.11: 3 Time(s)
        www/password from 203.204.135.11: 3 Time(s)
        wwwrun/none from 203.204.135.11: 3 Time(s)
        wwwrun/password from 203.204.135.11: 3 Time(s)
     
     ---------------------- SSHD End -------------------------

  2. #2
    Thank you for posting the entire log.

    The answer is yes - someone's trying to hack you, probably an automated script.

    The best thing you can do is install BFD (and APF) and it'll block them automatically.

  3. #3
    Try binding your SSH port and SSH IP to listen on another IP and port other than the default one -- 22.

  4. #4
    Moving SSH to another port does little for security -- it may stop these bots but does little to stop a knowledgeable attacker.

    Use good passwords (>8 characters) and you really have little to worry about in the way of an SSH brute force.

    We use AllowUsers in ssh to limit which users have access. This may or may not apply depending on your situation.

    For root, we either disable password login or disable login to root completely.

    You can also firewall off your SSH port.

    If you find an overly aggressive IP, you can always block it at the firewall.

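    To see which sources in a report like the one in post #1 are automated scans or "overly aggressive" IPs, the per-user lines can be totalled per source address. This is an added example, not code from any poster; the sample lines are copied from the report above, and the function names and the threshold of 10 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the Logwatch SSHD format shown in post #1.
SAMPLE = """\
Failed logins from these:
   adm/password from 203.204.135.11: 6 Time(s)
   admin/password from 207.101.220.162: 2 Time(s)
   kee/password from 218.188.2.4: 3 Time(s)
   kees/password from 218.188.2.4: 3 Time(s)
   keith/password from 218.188.2.4: 3 Time(s)
   root/password from 203.204.135.11: 177 Time(s)
   root/password from 207.101.220.162: 3 Time(s)
   test/password from 203.204.135.11: 15 Time(s)

Illegal users from these:
   kee/none from 218.188.2.4: 3 Time(s)
"""

LINE = re.compile(r"^\s*(\S+)/(\S+) from (\d{1,3}(?:\.\d{1,3}){3}): (\d+) Time\(s\)\s*$")

def summarize(report, section="Failed logins from these:"):
    """Per source IP: total attempts, distinct usernames, attempts against root."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "root": 0})
    active = False
    for line in report.splitlines():
        if line.strip().endswith("from these:"):
            # Count one section only: in the report above the same user/password
            # pairs appear under both headings, so summing both would double count.
            active = line.strip() == section
            continue
        m = LINE.match(line)
        if not (active and m):
            continue
        user, ip, count = m.group(1), m.group(3), int(m.group(4))
        entry = stats[ip]
        entry["attempts"] += count
        entry["users"].add(user)
        if user == "root":
            entry["root"] += count
    return dict(stats)

def noisy_sources(stats, min_attempts=10):
    """IPs at or above the threshold (an assumed cut-off), busiest first."""
    hits = [(ip, s["attempts"]) for ip, s in stats.items() if s["attempts"] >= min_attempts]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["attempts"], len(s["users"]), s["root"])
```

    A source with many distinct usernames and a fixed count per name is working through a name list; a source with a large root total is guessing one account's password.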

  5. #5
    A combination of APF and BFD, or even BFD only, but you have to change the firewall command from the APF one to the normal iptables command.
    This will stop and block these attempts.

  6. #6
    Installing BruteForceDetector with APF is about the best thing you can do.

    Or you can just manually block the ips with
    iptables -I INPUT -s ip -j DROP

    See
    http://www.hostgeekz.com/guides/cPanel/4/Install_BFD(Brute_Force_Detector).htm
    and
    http://www.hostgeekz.com/guides/cPan...F_Firewall.htm

  7. #7
    You can also set your users up to use keys instead of passwords and not have to worry about the brute force attempts. Generally I lock down ssh using keys and firewalling off all but known hosts.
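    The sshd settings recommended in posts #4 and #7 (restricting root login, turning off password authentication in favour of keys, AllowUsers) can be checked against a configuration file with a short script. This is an added example, not code from any poster; the sample configuration is constructed, and the function names and the user name `alice` used when testing it are hypothetical.

```python
# Constructed sshd_config text for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
# illustrative only
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
Match User backup
    PasswordAuthentication no
"""

def global_settings(text):
    """Keyword -> value for the global section (everything before the first Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # sshd keywords are case-insensitive
        if key == "match":
            break                         # Match blocks are conditional overrides
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # sshd uses the first value it obtains
    return settings

def audit(text):
    """Findings for the settings discussed in the thread; empty list means none."""
    s = global_settings(text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: depends on the build's default")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin yes: root password logins are permitted")
    pw = s.get("passwordauthentication")
    if pw is None or pw.lower() == "yes":
        findings.append("PasswordAuthentication not disabled: guessing stays possible")
    if "allowusers" not in s:
        findings.append("AllowUsers not set: logins are not limited to a named list")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

    In the sample, the later `permitrootlogin no` has no effect because the earlier `PermitRootLogin yes` was read first, which is why the audit still reports root login as open.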

  8. #8
    Wow, thanks a lot guys. I've been doing research all day; I will be installing BFD tonight ... Also, what about the rest of the log? I didn't really post the rest, but if you want I'll do it .. I need to learn how to read. I see weird things but they might be normal. Are there some tutorials out there on what to look out for?
