Dear All,

I have the following setup running perfectly OK for a long time:

CentOS release 5 (Final)
sendmail-8.13.8-2.el5
MailScanner 4.76.25
bind-9.3.4-6.0.3.P1.el5_2

Now I just set up a CentOS box running BackupPC for backing up my above mail server using ssh, as per the instructions on the BackupPC site. I had to enable sshd, so I did, and everything works perfectly and the backup works great as per my requirement.

But I notice that when I do a

tail -f /var/log/secure

I see the following very often:
---------------------------
Jun 19 16:26:06 kmdns1 sshd[11073]: Invalid user jeka from 87.118.122.78
Jun 19 16:26:06 kmdns1 sshd[11074]: input_userauth_request: invalid user jeka
Jun 19 16:26:06 kmdns1 sshd[11074]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:07 kmdns1 sshd[11075]: Invalid user stat from 87.118.122.78
Jun 19 16:26:07 kmdns1 sshd[11076]: input_userauth_request: invalid user stat
Jun 19 16:26:08 kmdns1 sshd[11076]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:09 kmdns1 sshd[11077]: Invalid user nikonew from 87.118.122.78
Jun 19 16:26:09 kmdns1 sshd[11078]: input_userauth_request: invalid user nikonew
Jun 19 16:26:09 kmdns1 sshd[11078]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:10 kmdns1 sshd[11079]: Invalid user koval from 87.118.122.78
Jun 19 16:26:10 kmdns1 sshd[11080]: input_userauth_request: invalid user koval
Jun 19 16:26:11 kmdns1 sshd[11080]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:12 kmdns1 sshd[11081]: Invalid user smk from 87.118.122.78
Jun 19 16:26:12 kmdns1 sshd[11082]: input_userauth_request: invalid user smk
Jun 19 16:26:12 kmdns1 sshd[11082]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:14 kmdns1 sshd[11083]: Invalid user ksusha from 87.118.122.78
Jun 19 16:26:14 kmdns1 sshd[11084]: input_userauth_request: invalid user ksusha
Jun 19 16:26:14 kmdns1 sshd[11084]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:15 kmdns1 sshd[11085]: Invalid user jane from 87.118.122.78
Jun 19 16:26:15 kmdns1 sshd[11086]: input_userauth_request: invalid user jane
Jun 19 16:26:15 kmdns1 sshd[11086]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:17 kmdns1 sshd[11087]: Invalid user celeron from 87.118.122.78
Jun 19 16:26:17 kmdns1 sshd[11088]: input_userauth_request: invalid user celeron
Jun 19 16:26:17 kmdns1 sshd[11088]: Received disconnect from 87.118.122.78: 11: Bye Bye
--------------------
Now both the mail server and the BackupPC server are behind a firewall, and the ssh protocol is denied to the hosts in the DMZ zone.

Just wondering how an outside user could try to ssh to my mail server. If I stop the sshd daemon I don't see any messages in my secure log file.

Appreciate your advice and help.

regards

Fabian

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
2009/6/19 Cisco-Education <fabian at baladia.gov.kw>:
> Dear All,
>
> I have the following setup running perfectly OK for a long time
>
> CentOS release 5 (Final)
> sendmail-8.13.8-2.el5
> MailScanner 4.76.25
> bind-9.3.4-6.0.3.P1.el5_2
>
> now i jus setup a centos box running BackupPC for backing up my my above
> mail server using ssh as per the instructions in backup pc site
> i had to enable sshd so i did it and
> everthing works perfect and backup works great as per my requirement
>
> but i notice that when i do a
>
> tail -f /var/log/secure
>
> i see the followin very often
> ---------------------------
> Jun 19 16:26:06 kmdns1 sshd[11073]: Invalid user jeka from 87.118.122.78
> Jun 19 16:26:06 kmdns1 sshd[11074]: input_userauth_request: invalid user jeka
> Jun 19 16:26:06 kmdns1 sshd[11074]: Received disconnect from
> 87.118.122.78: 11: Bye Bye
> Now both the Mail server and the backup pc server behind firewall and ssh
> protocol is denied to the hosts in the DMZ zone
>
> jus wondering how a outside user could try to ssh to my mail server.
> if i stop the sshd daemon i dont see any messages in my secure log file
>
> apprecite your addvice and help
>
>
> regards
>
> Fabian

Most likely answer -- your FW is not actually blocking ssh connections to the servers from outside the DMZ. The source of the traffic is a routable address; if it doesn't match your IP space then your FW isn't working correctly.

Brian
Cisco-Education wrote:
<snip>
> Jun 19 16:26:06 kmdns1 sshd[11073]: Invalid user jeka from 87.118.122.78
> Jun 19 16:26:06 kmdns1 sshd[11074]: input_userauth_request: invalid user jeka
> Jun 19 16:26:06 kmdns1 sshd[11074]: Received disconnect from
> 87.118.122.78: 11: Bye Bye
<snip>
> Now both the Mail server and the backup pc server behind firewall and ssh
> protocol is denied to the hosts in the DMZ zone

Doesn't look like it :-) Check your firewall; ssh is definitely getting through to that mail server.
On Fri, Jun 19, 2009, Cisco-Education wrote:
>Dear All,
>
>I have the following setup running perfectly OK for a long time
>
>CentOS release 5 (Final)
>sendmail-8.13.8-2.el5
>MailScanner 4.76.25
>bind-9.3.4-6.0.3.P1.el5_2
>
>now i jus setup a centos box running BackupPC for backing up my my above
>mail server using ssh as per the instructions in backup pc site
>i had to enable sshd so i did it and
>everthing works perfect and backup works great as per my requirement
>
>but i notice that when i do a
>
>tail -f /var/log/secure
>
>i see the followin very often

[Normal log stuff from dictionary attack deleted...]

This is common and, presuming you have good passwords or only accept authorized_keys, not a real problem other than large log files.

Look at fail2ban for a method that will automatically add iptables blocks when this occurs.

Bill
--
INTERNET: bill at celestial.com   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676            Mercer Island, WA 98040-0820
Fax:   (206) 232-9186
Skype: jwccsllc (206) 855-5792

"I ask, sir, what is the militia? It is the whole people. To disarm the people is the best and most effectual way to enslave them." -- George Mason
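What fail2ban does with these lines, reduced to its core: match the "Invalid user ... from IP" records, count them per source address inside a sliding window, and insert an iptables DROP once a source reaches the retry threshold. The script below is an added example written for this thread, not fail2ban's own code and not something posted in the thread. The log lines are copied from Fabian's post (plus one constructed line from 203.0.113.7 so a below-threshold source is visible); the year 2009 is assumed for the year-less syslog timestamps, and maxretry=5 / findtime=600s mirror fail2ban's defaults. It only prints the rule it would add; wiring it to iptables is what fail2ban's action does for you.

```python
"""Mini fail2ban-style detector for the sshd dictionary attack in /var/log/secure.
Added example for this thread, not fail2ban's code. Assumes year 2009 for the
syslog timestamps and uses fail2ban's default maxretry/findtime thresholds."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Lines copied from the original post, plus one constructed line from a second
# source (203.0.113.7, documentation range; pid 11090 invented) that stays under the threshold.
SAMPLE_LOG = """\
Jun 19 16:26:06 kmdns1 sshd[11073]: Invalid user jeka from 87.118.122.78
Jun 19 16:26:06 kmdns1 sshd[11074]: input_userauth_request: invalid user jeka
Jun 19 16:26:06 kmdns1 sshd[11074]: Received disconnect from 87.118.122.78: 11: Bye Bye
Jun 19 16:26:07 kmdns1 sshd[11075]: Invalid user stat from 87.118.122.78
Jun 19 16:26:09 kmdns1 sshd[11077]: Invalid user nikonew from 87.118.122.78
Jun 19 16:26:10 kmdns1 sshd[11079]: Invalid user koval from 87.118.122.78
Jun 19 16:26:11 kmdns1 sshd[11090]: Invalid user admin from 203.0.113.7
Jun 19 16:26:12 kmdns1 sshd[11081]: Invalid user smk from 87.118.122.78
Jun 19 16:26:14 kmdns1 sshd[11083]: Invalid user ksusha from 87.118.122.78
Jun 19 16:26:15 kmdns1 sshd[11085]: Invalid user jane from 87.118.122.78
Jun 19 16:26:17 kmdns1 sshd[11087]: Invalid user celeron from 87.118.122.78
""".splitlines()

# Only the "Invalid user X from IP" record counts; the input_userauth_request and
# "Received disconnect" lines for the same attempt are deliberately not matched.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_secure_line(line, year=2009):
    """Return (timestamp, user, ip) for an invalid-user line, or None for any other line."""
    m = INVALID_USER_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; the post is from June 2009, so that is the default.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def offenders(lines, maxretry=5, findtime_s=600):
    """Sliding-window count per source IP, as fail2ban's maxretry/findtime do.
    Returns {ip: attempts seen inside the window} for every IP that reached maxretry."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_secure_line(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        window = recent[ip]
        window.append(ts)
        # drop attempts older than findtime relative to the newest one
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = len(window)
    return banned


def iptables_rule(ip, port=22):
    """The rule a fail2ban iptables action inserts for a banned source."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, hits in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {hits} invalid-user attempts -> {iptables_rule(ip)}")
```

Run against the posted lines it reports 87.118.122.78 with 8 attempts in 11 seconds and prints the DROP rule; 203.0.113.7 never reaches the threshold. Blocking sources only shortens the log, though: it does nothing for a guessable password on a valid account, which is why Bill's "only accept authorized_keys" is the part that actually removes the risk.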
In my opinion, the easiest way to handle this is to move the SSH port. Then just pass the -p (port) option for logging in. While this is not bullet proof, it will stop 99.9% of brute force attempts.

~Ron

Cisco-Education wrote:
> Dear All,
>
> I have the following setup running perfectly OK for a long time
>
> CentOS release 5 (Final)
> sendmail-8.13.8-2.el5
> MailScanner 4.76.25
> bind-9.3.4-6.0.3.P1.el5_2
>
> now i jus setup a centos box running BackupPC for backing up my my above
> mail server using ssh as per the instructions in backup pc site
> i had to enable sshd so i did it and
> everthing works perfect and backup works great as per my requirement
>
> but i notice that when i do a
>
> tail -f /var/log/secure
>
> i see the followin very often
> ---------------------------
> Jun 19 16:26:06 kmdns1 sshd[11073]: Invalid user jeka from 87.118.122.78
> Jun 19 16:26:06 kmdns1 sshd[11074]: input_userauth_request: invalid user jeka
> Jun 19 16:26:06 kmdns1 sshd[11074]: Received disconnect from 87.118.122.78: 11: Bye Bye
<snip>
> Jun 19 16:26:17 kmdns1 sshd[11087]: Invalid user celeron from 87.118.122.78
> Jun 19 16:26:17 kmdns1 sshd[11088]: input_userauth_request: invalid user celeron
> Jun 19 16:26:17 kmdns1 sshd[11088]: Received disconnect from 87.118.122.78: 11: Bye Bye
> --------------------
> Now both the Mail server and the backup pc server behind firewall and ssh
> protocol is denied to the hosts in the DMZ zone
>
> jus wondering how a outside user could try to ssh to my mail server.
> if i stop the sshd daemon i dont see any messages in my secure log file
>
> apprecite your addvice and help
>
>
> regards
>
> Fabian
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Fri, 19 Jun 2009 19:54:37 +0300 (AST) Cisco-Education wrote:
> Now both the Mail server and the backup pc server behind firewall and ssh
> protocol is denied to the hosts in the DMZ zone

This statement is incorrect. What you think you have set up isn't what you actually have set up. The outside world apparently has full access to your ssh service; your firewall isn't blocking it at all.

The proper fix depends on your needs. You should definitely fix the firewall; then after that you can restrict access to sshd by IP address and username and deny password access.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
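The three sshd-side restrictions in that reply (by address, by username, no passwords) are all sshd_config settings, and it is easy to think they are set when they are not, because sshd honours only the first occurrence of a keyword and falls back to permissive defaults for anything commented out. The script below is an added example for this thread, not something posted in it and not an OpenSSH tool: it parses a config the way sshd reads its global section and reports what is still open. Both configs are constructed; the stock-looking one approximates a CentOS 5 default, and the hardened one assumes the BackupPC host is 192.0.2.10 and logs in as a user named backuppc.

```python
"""Audit an sshd_config for the hardening described in the reply: no password
logins, access limited to named users from named addresses, no root logins.
Added example for this thread; both configs are constructed, and the backup
host address 192.0.2.10 and account name "backuppc" are assumptions."""

# Constructed approximation of a stock CentOS 5 sshd_config: passwords on,
# PermitRootLogin commented out (so the default "yes" applies), any account allowed.
WEAK_CONFIG = """\
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Hardened: keys only, no root, and only the backup account from the BackupPC host.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# user@host form restricts both the account and the source address (address assumed)
AllowUsers backuppc@192.0.2.10
"""

# sshd's own defaults for the keywords checked here; a missing keyword means the default.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section, applying sshd's
    first-occurrence-wins rule and stopping at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                  # conditional section, not global policy
        settings.setdefault(key, value)            # later duplicates are ignored by sshd
    return settings


def audit(text):
    """List the ways a config still leaves sshd open to a password dictionary attack."""
    cfg = parse_sshd_config(text)

    def effective(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': a guessed password logs in")
    if effective("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': keyboard-interactive still takes passwords")
    if effective("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root is the first username every scanner tries")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: nothing is left to log in with once passwords go")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("AllowUsers/AllowGroups missing: every local account, from any address, can be tried")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or ["ok"])
```

Against the weak config it reports passwords enabled, root login allowed by default, and no AllowUsers; the hardened one comes back clean. The user@host form of AllowUsers is used rather than a Match block because the OpenSSH 4.3 that CentOS 5 ships predates the Match keyword. Whatever the config says, this is the second layer: the firewall still has to stop 87.118.122.78 reaching port 22 at all.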