-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay, I have a question that is not really TSL specific -- I hope this is not too off topic for the TSL list. Seems that most TSL users, having real boxes out in production, might have some useful input.

Here is the situation: I have 20+ Linux boxes in co-locations around the world. One of my boxes shows this in the PAM logs. Obviously, someone is trying to get in. The logs are full of this activity, but only on this box. Source IPs are forged in some cases, but I have found real ones that trace back to Chinese sites. The Chinese sites appear legitimate, so I think they have some compromised boxes.

So, in this situation, what action would you take?

Thanks,
Dominic

 --------------------- pam_unix Begin ------------------------

sshd:
   Authentication Failures:
      uucp (live.ckdu.dal.ca ): 3 Time(s)
      gopher (live.ckdu.dal.ca ): 2 Time(s)
      news (live.ckdu.dal.ca ): 2 Time(s)
      sshd (live.ckdu.dal.ca ): 2 Time(s)
      root (s230.lt.ukrtel.net ): 54 Time(s)
      apache (live.ckdu.dal.ca ): 4 Time(s)
      xfs (live.ckdu.dal.ca ): 2 Time(s)
      rpm (live.ckdu.dal.ca ): 2 Time(s)
      pcap (live.ckdu.dal.ca ): 2 Time(s)
      lp (live.ckdu.dal.ca ): 4 Time(s)
      vcsa (live.ckdu.dal.ca ): 2 Time(s)
      operator (live.ckdu.dal.ca ): 2 Time(s)
      named (live.ckdu.dal.ca ): 3 Time(s)
      smmsp (live.ckdu.dal.ca ): 4 Time(s)
      nobody (live.ckdu.dal.ca ): 2 Time(s)
      daemon (live.ckdu.dal.ca ): 2 Time(s)
      sync (live.ckdu.dal.ca ): 3 Time(s)
      mailnull (live.ckdu.dal.ca ): 2 Time(s)
      rpc (live.ckdu.dal.ca ): 3 Time(s)
      nfsnobody (live.ckdu.dal.ca ): 2 Time(s)
      ftp (live.ckdu.dal.ca ): 3 Time(s)
      games (live.ckdu.dal.ca ): 2 Time(s)
      canna (live.ckdu.dal.ca ): 2 Time(s)
      rpcuser (live.ckdu.dal.ca ): 2 Time(s)
      mail (live.ckdu.dal.ca ): 3 Time(s)
      bin (live.ckdu.dal.ca ): 3 Time(s)
      adm (live.ckdu.dal.ca ): 6 Time(s)


 ---------------------- pam_unix End -------------------------


 --------------------- SSHD Begin ------------------------


Failed logins from these:
   adm/password from 129.173.68.207: 6 Time(s)
   apache/password from 129.173.68.207: 4 Time(s)
   bin/password from 129.173.68.207: 3 Time(s)
   canna/password from 129.173.68.207: 2 Time(s)
   daemon/password from 129.173.68.207: 2 Time(s)
   ftp/password from 129.173.68.207: 3 Time(s)
   games/password from 129.173.68.207: 2 Time(s)
   gopher/password from 129.173.68.207: 2 Time(s)
   lp/password from 129.173.68.207: 4 Time(s)
   mail/password from 129.173.68.207: 3 Time(s)
   mailnull/password from 129.173.68.207: 2 Time(s)
   named/password from 129.173.68.207: 3 Time(s)
   news/password from 129.173.68.207: 2 Time(s)
   nfsnobody/password from 129.173.68.207: 2 Time(s)
   nobody/password from 129.173.68.207: 2 Time(s)
   operator/password from 129.173.68.207: 2 Time(s)
   pcap/password from 129.173.68.207: 2 Time(s)
   root/password from 213.179.229.230: 54 Time(s)
   rpc/password from 129.173.68.207: 3 Time(s)
   rpcuser/password from 129.173.68.207: 2 Time(s)
   rpm/password from 129.173.68.207: 2 Time(s)
   smmsp/password from 129.173.68.207: 4 Time(s)
   sshd/password from 129.173.68.207: 2 Time(s)
   sync/password from 129.173.68.207: 3 Time(s)
   uucp/password from 129.173.68.207: 3 Time(s)
   vcsa/password from 129.173.68.207: 2 Time(s)
   xfs/password from 129.173.68.207: 2 Time(s)

Users logging in through sshd:
   prod logged in from 66.45.3.229 using rsa: 289 Time(s)
   prod logged in from antinat.rulespace.com (206.163.123.194) using publickey: 1 Time(s)
   update logged in from 66.45.3.229 using rsa: 3 Time(s)
   phish logged in from 66.45.3.229 using publickey: 576 Time(s)

**Unmatched Entries**
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user test from 129.173.68.207
Illegal user tester from 129.173.68.207
Illegal user tester from 129.173.68.207
Illegal user tester from 129.173.68.207
Illegal use
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDrDljcDOfd9lD9X8RAmSiAJ9QAU6guYZ4k5UR3txjTVVCcj6MJwCfWqc6
p38pR/hpg3KvW2QljWg6rII=
=Zf9e
-----END PGP SIGNATURE-----
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
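As an added example (not part of the original post, and not Trustix code), here is a small triage script for exactly the pattern in the report above: it reads the raw sshd syslog lines that a logwatch summary like this one is built from, groups failures by source, tells a single-account brute force (54 tries at root) from a sweep across stock system account names (uucp, gopher, adm, ... plus "Illegal user test"), lists the sources worth firewalling, checks that every successful login came from a host you expect, and audits an sshd_config against what the logs show. The log lines, the sshd_config, the host names, PIDs, ports and the admin allow-list are all constructed for the example. Two points the script encodes that a practitioner would want: a source that reaches password authentication has completed the TCP handshake, so the address sshd logs is the real peer (a compromised host, as the post suspects), not a spoofed packet; and in OpenSSH the method name "rsa" is protocol-1 RSA authentication, which logwatch prints as "using rsa", so the 289 such logins mean protocol 1 is still being accepted on that box.

```python
"""Triage an SSH password-guessing campaign from raw sshd auth-log lines.

Added example, not from the original post. Log lines, sshd_config, hosts,
PIDs, ports and the admin allow-list below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH 3.x/4.x syslog format. Protocol-1 lines carry
# no trailing "ssh2"; later OpenSSH says "Invalid user" instead of "Illegal user".
SAMPLE_LOG = """\
Dec 23 04:10:01 colo7 sshd[8811]: Failed password for uucp from 129.173.68.207 port 40211 ssh2
Dec 23 04:10:03 colo7 sshd[8813]: Failed password for gopher from 129.173.68.207 port 40212 ssh2
Dec 23 04:10:05 colo7 sshd[8815]: Failed password for adm from 129.173.68.207 port 40213 ssh2
Dec 23 04:10:07 colo7 sshd[8817]: Illegal user test from 129.173.68.207
Dec 23 04:10:07 colo7 sshd[8817]: Failed password for illegal user test from 129.173.68.207 port 40214 ssh2
Dec 23 04:10:09 colo7 sshd[8819]: Illegal user tester from 129.173.68.207
Dec 23 05:30:11 colo7 sshd[9020]: Failed password for root from 213.179.229.230 port 2201 ssh2
Dec 23 05:30:12 colo7 sshd[9021]: Failed password for root from 213.179.229.230 port 2202 ssh2
Dec 23 05:30:13 colo7 sshd[9022]: Failed password for root from 213.179.229.230 port 2203 ssh2
Dec 23 05:30:14 colo7 sshd[9023]: Failed password for root from 213.179.229.230 port 2204 ssh2
Dec 23 05:30:15 colo7 sshd[9024]: Failed password for root from 213.179.229.230 port 2205 ssh2
Dec 23 06:00:00 colo7 sshd[9100]: Accepted publickey for prod from 66.45.3.229 port 51000 ssh2
Dec 23 06:05:00 colo7 sshd[9102]: Accepted publickey for phish from 66.45.3.229 port 51001 ssh2
Dec 23 06:07:00 colo7 sshd[9104]: Accepted rsa for update from 66.45.3.229 port 51002
Dec 23 06:09:00 colo7 sshd[9106]: Accepted publickey for prod from 206.163.123.194 port 51003 ssh2
"""

# Constructed sshd_config with the settings an unhardened box of the era ships with.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
                       r"(\S+) from (\S+) port \d+(?: (ssh2))?")
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+(?: (ssh2))?")

# Stock system accounts from the report; none of them should ever log in over ssh.
SYSTEM_ACCOUNTS = {"adm", "apache", "bin", "canna", "daemon", "ftp", "games", "gopher", "lp",
                   "mail", "mailnull", "named", "news", "nfsnobody", "nobody", "operator",
                   "pcap", "rpc", "rpcuser", "rpm", "smmsp", "sshd", "sync", "uucp", "vcsa", "xfs"}


def summarize(log_text):
    """Group failures by source address and collect successful logins."""
    per_src = defaultdict(lambda: {"failures": 0, "users": set(),
                                   "system_accounts": set(), "illegal_users": set()})
    accepted = []  # (user, source, method, protocol)
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, src, _ = m.groups()
            rec = per_src[src]
            rec["failures"] += 1
            rec["users"].add(user)
            if user in SYSTEM_ACCOUNTS:
                rec["system_accounts"].add(user)
        elif m := ILLEGAL_RE.search(line):
            user, src = m.groups()
            per_src[src]["illegal_users"].add(user)
        elif m := ACCEPTED_RE.search(line):
            method, user, src, proto = m.groups()
            accepted.append((user, src, method, proto or "ssh1"))  # no suffix means protocol 1
    return per_src, accepted


def classify(per_src, fail_threshold=5, sweep_names=3):
    """Label each source: a sweep tries many account names, a brute force hammers one."""
    verdicts = {}
    for src, rec in per_src.items():
        names = rec["users"] | rec["illegal_users"]
        if len(names) >= sweep_names:
            verdicts[src] = "account sweep"
        elif rec["failures"] >= fail_threshold:
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "low volume"
    return verdicts


def hosts_to_block(verdicts):
    """Sources worth an iptables DROP on port 22, sorted for stable output."""
    return sorted(src for src, v in verdicts.items() if v != "low volume")


def unexpected_logins(accepted, known_sources):
    """Successful logins from hosts not on your own admin list: verify these by hand."""
    return [entry for entry in accepted if entry[1] not in known_sources]


def audit_sshd_config(config_text, per_src, accepted):
    """Findings for an sshd_config, judged against what the logs show."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key.lower()] = value.strip()
    findings = []
    # OpenSSH of this era defaults both PermitRootLogin and PasswordAuthentication to yes.
    if opts.get("permitrootlogin", "yes").lower() == "yes" and \
            any("root" in r["users"] for r in per_src.values()):
        findings.append("PermitRootLogin yes while root is being guessed: set PermitRootLogin no")
    if opts.get("passwordauthentication", "yes").lower() == "yes" and \
            not any(m == "password" for _, _, m, _ in accepted):
        findings.append("PasswordAuthentication yes but every real login used a key: "
                        "set PasswordAuthentication no")
    if "1" in opts.get("protocol", "").split(",") or any(p == "ssh1" for *_, p in accepted):
        findings.append("protocol 1 enabled or in use (logwatch shows it as 'using rsa'): set Protocol 2")
    if "allowusers" not in opts:
        findings.append("no AllowUsers: add AllowUsers " + " ".join(sorted({u for u, *_ in accepted})))
    return findings


if __name__ == "__main__":
    per_src, accepted = summarize(SAMPLE_LOG)
    verdicts = classify(per_src)
    for src, rec in per_src.items():
        print(f"{src}: {verdicts[src]}, {rec['failures']} failures, "
              f"system accounts tried: {sorted(rec['system_accounts'])}")
    for src in hosts_to_block(verdicts):
        print(f"iptables -I INPUT -s {src} -p tcp --dport 22 -j DROP")
    for user, src, method, proto in unexpected_logins(accepted, {"66.45.3.229"}):
        print(f"verify: {user} logged in from {src} via {method} ({proto})")
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG, per_src, accepted):
        print("sshd_config:", finding)
```

Run it against `/var/log/secure` (or wherever syslog puts authpriv) instead of SAMPLE_LOG and put your own admin hosts in the allow-list. The blocking rules are the short-term action; the sshd_config findings are what stops the next campaign from mattering, since a box that only accepts keys for a named set of users cannot be password-guessed at all.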
