Not 0wn3d, So Far….

Boy, after reading about Ken's system being cracked, I figured I'd give my system a good look and make sure it hadn't also been compromised. Looks like it hadn't been cracked, but certainly not for lack of trying. Doing a quick cat auth.log.0 | grep ssh | grep '[Ff]ail' | less, I get the following:

Jan 6 23:21:59 xxx PAM_unix[20651]: authentication failure; (uid=0) -> root for ssh service
Jan 6 23:22:01 xxx sshd[20651]: Failed password for root from 4.46.206.20 port 4161 ssh2
Jan 6 23:22:02 xxx PAM_unix[20654]: authentication failure; (uid=0) -> root for ssh service
Jan 6 23:22:04 xxx sshd[20654]: Failed password for root from 4.46.206.20 port 4260 ssh2
Jan 6 23:22:05 xxx PAM_unix[20656]: authentication failure; (uid=0) -> root for ssh service
Jan 6 23:22:08 xxx sshd[20656]: Failed password for root from 4.46.206.20 port 4353 ssh2
Jan 6 23:22:22 xxx PAM_unix[20680]: authentication failure; (uid=0) -> www-data for ssh service
Jan 6 23:22:24 xxx sshd[20680]: Failed password for www-data from 4.46.206.20 port 4815 ssh2
Jan 6 23:22:25 xxx PAM_unix[20682]: authentication failure; (uid=0) -> mysql for ssh service
Jan 6 23:22:27 xxx sshd[20682]: Failed password for mysql from 4.46.206.20 port 4917 ssh2
Jan 6 23:22:29 xxx PAM_unix[20684]: authentication failure; (uid=0) -> operator for ssh service
Jan 6 23:22:31 xxx sshd[20684]: Failed password for operator from 4.46.206.20 port 1032 ssh2
Jan 6 23:22:34 xxx PAM_unix[20690]: authentication failure; (uid=0) -> irc for ssh service
Jan 6 23:22:37 xxx sshd[20690]: Failed password for irc from 4.46.206.20 port 1184 ssh2
(clipped)
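The grep above shows the raw lines, but what you actually want from auth.log is a per-source summary: how many failures, how many different usernames, and whether they arrived in a burst. Here is an added example (my code, not from the original post) that parses OpenSSH "Failed password" lines of the format shown above, including the "invalid user" variant, and flags sources that hit a threshold inside a sliding time window. The sample log is constructed: the failures from 4.46.206.20 are the ones quoted in the post, while the "invalid user test" line, the 192.0.2.10 lines and the "Accepted password" line are added to show an unknown account, a legitimate user's one-off typo, and a success being ignored. The PAM_unix lines carry no source address, so they are skipped; the matching sshd line has it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input (not a real capture): the 4.46.206.20 failures are
# the lines quoted in the post; the remaining lines are made up for the example.
SAMPLE_LOG = """\
Jan  6 23:21:59 xxx PAM_unix[20651]: authentication failure; (uid=0) -> root for ssh service
Jan  6 23:22:01 xxx sshd[20651]: Failed password for root from 4.46.206.20 port 4161 ssh2
Jan  6 23:22:04 xxx sshd[20654]: Failed password for root from 4.46.206.20 port 4260 ssh2
Jan  6 23:22:08 xxx sshd[20656]: Failed password for root from 4.46.206.20 port 4353 ssh2
Jan  6 23:22:24 xxx sshd[20680]: Failed password for www-data from 4.46.206.20 port 4815 ssh2
Jan  6 23:22:27 xxx sshd[20682]: Failed password for mysql from 4.46.206.20 port 4917 ssh2
Jan  6 23:22:31 xxx sshd[20684]: Failed password for operator from 4.46.206.20 port 1032 ssh2
Jan  6 23:22:37 xxx sshd[20690]: Failed password for irc from 4.46.206.20 port 1184 ssh2
Jan  6 23:22:40 xxx sshd[20692]: Failed password for invalid user test from 4.46.206.20 port 1201 ssh2
Jan  6 23:40:12 xxx sshd[20750]: Failed password for alice from 192.0.2.10 port 50102 ssh2
Jan  6 23:40:20 xxx sshd[20751]: Accepted password for alice from 192.0.2.10 port 50103 ssh2
"""

# OpenSSH "Failed password" line; "invalid user" appears for accounts that do
# not exist. PAM_unix lines have no source address and are deliberately skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_timestamp(ts, year=1900):
    """Syslog timestamps carry no year; strptime's default 1900 is fine for
    relative comparisons inside one file that does not cross a year boundary."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_failed_logins(text):
    """Return (timestamp, username, source_ip) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((parse_timestamp(m["ts"]), m["user"], m["ip"]))
    return events


def failures_by_source(events):
    """source_ip -> Counter of usernames tried from that address."""
    per_ip = defaultdict(Counter)
    for _, user, ip in events:
        per_ip[ip][user] += 1
    return per_ip


def find_bursts(events, threshold=5, window_seconds=60):
    """source_ip -> largest number of failures inside any window_seconds-long
    span, reported only for sources that reach threshold (sliding window)."""
    stamps_by_ip = defaultdict(list)
    for ts, _, ip in events:
        stamps_by_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until it is within window_seconds of ts
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def report(text, threshold=5):
    """Print a per-source summary and return the flagged sources."""
    events = parse_failed_logins(text)
    per_ip = failures_by_source(events)
    bursts = find_bursts(events, threshold)
    for ip, users in sorted(per_ip.items(), key=lambda kv: -sum(kv[1].values())):
        flag = "  <-- brute force?" if ip in bursts else ""
        print(f"{ip}: {sum(users.values())} failures, {len(users)} usernames{flag}")
        for user, n in users.most_common():
            print(f"    {user:12} {n}")
    return bursts


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against the real file with report(open("/var/log/auth.log.0").read()); the threshold and window are the knobs to tune, and a source that cycles through root, www-data, mysql, operator and irc in under a minute, as in the post, stands out immediately while a single mistyped password from a known address does not.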

Really proves the need for strong passwords; that's what Ken unfortunately got nailed on. I probably should be keeping a better eye on my system reports each morning.

Ken, you should give Debian a try on your server. You should be able to install it without trouble on 64 MB of RAM, since it doesn't use a graphical installer like a lot of the other distributions. Also, I hear their new installer is much improved compared to when I installed mine.


1 Comment »

  1. Jon said

    Here is an approach used to combat these attacks using iptables.
