  #11  
Old 25th March 2006, 16:16
Hagforce

After getting the logs from logcheck I'm wondering what these attacks are...
Code:
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
I haven't got ssh on port 51704, so why does it say failed password?
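An added example, not part of the thread: in the sshd line quoted above, "port 51704" is the client's ephemeral source port, not the port sshd listens on. The script below parses such lines from a constructed log excerpt (modelled on the posted one) and counts failures per source address, so repeated password guessing from one host stands out.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line format quoted in the post. The "port N" field is the
# client's source port; the daemon's own listening port never appears here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

# Constructed sample log lines (10.0.0.0/8 and 192.0.2.0/24 are private/documentation ranges).
SAMPLE_LOG = """\
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
Mar 23 00:31:09 www sshd[2322]: Failed password for invalid user admin from 67.104.249.10 port 51712 ssh2
Mar 23 00:31:12 www sshd[2324]: Failed password for root from 67.104.249.10 port 51720 ssh2
Mar 23 00:45:01 www sshd[2401]: Accepted publickey for hagforce from 10.0.0.5 port 40022 ssh2
Mar 23 01:02:44 www sshd[2510]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
"""

def parse_failures(log_text):
    """Return (source_ip, attempted_user, client_source_port) for each failed login."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user"), int(m.group("port"))))
    return out

def summarize(failures, threshold=3):
    """Count failures per source IP; report IPs at or above threshold as probable brute force."""
    per_ip = Counter(ip for ip, _, _ in failures)
    users = defaultdict(set)
    for ip, user, _ in failures:
        users[ip].add(user)
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for ip, user, port in fails:
        print(f"{ip} tried '{user}' from client source port {port}")
    print(summarize(fails))
```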
  #12  
Old 26th March 2006, 11:26
falko
Default

Please post the output of
Code:
netstat -tap
Do you have portsentry installed? In that case portsentry detected that login try and logged it.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #13  
Old 26th March 2006, 12:08
Hagforce

netstat -tap output:
Code:
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:41318                     *:*                         LISTEN      2220/rpc.statd
tcp        0      0 *:mysql                     *:*                         LISTEN      2572/mysqld
tcp        0      0 www.xxx.xxx:783              *:*                         LISTEN      2672/spamd.pid
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2203/portmap
tcp        0      0 *:81                        *:*                         LISTEN      2898/ispconfig_http
tcp        0      0 *:ftp                       *:*                         LISTEN      4527/proftpd: (acce
tcp        0      0 static47.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 static49.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:domain *:*                         LISTEN      26203/named
tcp        0      0 www.xxx.xx:domain           *:*                         LISTEN      26203/named
tcp        0      0 www.xxx.xx:ipp              *:*                         LISTEN      10121/cupsd
tcp        0      0 www.xxx.xx:5335             *:*                         LISTEN      2412/mDNSResponder
tcp        0      0 *:smtp                      *:*                         LISTEN      4706/master
tcp        0      0 www.xxx.xx:rndc             *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp        0      0 *:23314                     *:*                         LISTEN      20893/sshd
tcp        0      0 *:imaps                     *:*                         LISTEN      2592/dovecot
tcp        0      0 *:pop3s                     *:*                         LISTEN      2592/dovecot
tcp        0      0 *:pop3                      *:*                         LISTEN      2592/dovecot
tcp        0      0 *:imap                      *:*                         LISTEN      2592/dovecot
tcp        0      0 *:http                      *:*                         LISTEN      13136/httpd
tcp        0      0 localhost:rndc              *:*                         LISTEN      26203/named
tcp        0      0 *:https                     *:*                         LISTEN      13136/httpd
tcp        0    888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
What's this one?
Code:
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Code:
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened. 
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
And lots of these (from logcheck):
Code:
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53

Am I hacked, or what is going on here?

I installed logcheck and chkrootkit, and set them up with cron to run every night.

I also changed the SSH port to a non-standard one.

I haven't installed portsentry yet....
I'm a bit unsure if it's the right thing for me.
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?

Should I install a firewall too, in addition to the one in ISPConfig?

Last edited by Hagforce; 26th March 2006 at 12:15.
  #14  
Old 26th March 2006, 21:09
falko

Quote:
Originally Posted by Hagforce
What's this one?
Code:
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
That's freshclam. It belongs to ClamAV and updates your virus signatures. Nothing to worry about.

Quote:
Originally Posted by Hagforce
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Code:
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened. 
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
That's the ISPConfig monitoring script that checks if the important services like web, ftp, etc. are still running. If it finds they aren't, the monitoring script sends you an email.

Quote:
Originally Posted by Hagforce
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?
It might cause problems if someone gets an IP address that's in /etc/hosts.deny.

Quote:
Originally Posted by Hagforce
Should I install a firewall too, in addition to the one in ISPConfig?
No. You can use one firewall at a time, but not mix several ones.
  #15  
Old 26th March 2006, 22:02
Hagforce

Thanks again for your help, falko!

I can't even begin to describe how much easier your help and howtos have made the change from Windows servers to Linux.

What about the messages from named... nothing abnormal?
  #16  
Old 27th March 2006, 14:38
falko

Quote:
Originally Posted by Hagforce
What about the messages from named... nothing abnormal?
I haven't seen anything like this before, so I can't say. If your system is able to resolve domains, it should be ok.
  #17  
Old 28th March 2006, 17:33
Hagforce

I did a portscan from ISPConfig:

Code:
    Port 21 (tcp) is open (ftp)!
    Port 25 (tcp) is open (smtp)!
    Port 53 (tcp) is open (domain)!
    Port 80 (tcp) is open (http)!
    Port 81 (tcp) is open (unknown)!
    Port 110 (tcp) is open (pop3)!
    Port 111 (tcp) is open (sunrpc)!
    Port 143 (tcp) is open (imap)!
    Port 443 (tcp) is open (https)!
    Port 631 (tcp) is open (ipp)!
    Port 783 (tcp) is open (unknown)!
    Port 953 (tcp) is open (rndc)!
    Port 993 (tcp) is open (imaps)!
    Port 995 (tcp) is open (pop3s)!
    Port 3306 (tcp) is open (mysql)!
    Port 5335 (tcp) is open (unknown)!
    Port 41318 (tcp) is open (unknown)!
    Port 42141 (tcp) is open (unknown)!
    Port 43025 (tcp) is open (unknown)!
The setup in ISPConfig firewall is:

Code:
  Name  	  Port  	  Type  	  Active 
  FTP  	  21  	  tcp  	  yes 
  SSH  	  22  	  tcp  	  yes 
  SMTP  	  25  	  tcp  	  yes 
  DNS  	  53  	  tcp  	  yes 
  DNS  	  53  	  udp  	  yes 
  WWW  	  80  	  tcp  	  yes 
  ISPConfig  	  81  	  tcp  	  yes 
  POP3  	  110  	  tcp  	  yes 
  SSL (www)  	  443  	  tcp  	  yes
Why are all these other ports (that are not configured in the firewall) open?
  #18  
Old 28th March 2006, 17:36
till

Quote:
Originally Posted by Hagforce
Why are all these other ports (that are not configured in the firewall) open?
You cannot test your firewall with the ISPConfig portscan. The ISPConfig script that scans the ports is on your server, inside the firewall.

Try to find a portscanner that you can run on your workstation and scan your server from there.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
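An added check, not from the thread: parse the `netstat -tap` listing and compare each listening socket against the TCP ports the ISPConfig firewall table opens. The sample output is a constructed excerpt modelled on the one posted above, and the service-name table is a small subset of /etc/services; what it reports is which listeners a correctly active firewall would have to block, which an internal scan cannot confirm.

```python
# Constructed excerpt in the format of `netstat -tap` as posted in the thread.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:mysql                     *:*                         LISTEN      2572/mysqld
tcp        0      0 www.xxx.xxx:783             *:*                         LISTEN      2672/spamd.pid
tcp        0      0 *:sunrpc                    *:*                         LISTEN      2203/portmap
tcp        0      0 *:23314                     *:*                         LISTEN      20893/sshd
tcp        0      0 *:http                      *:*                         LISTEN      13136/httpd
tcp        0      0 localhost:rndc              *:*                         LISTEN      26203/named
tcp        0      0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
"""

# Names netstat prints in place of numbers (small subset of /etc/services).
SERVICE_PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "http": 80, "sunrpc": 111,
                 "pop3": 110, "imap": 143, "https": 443, "ipp": 631, "rndc": 953,
                 "imaps": 993, "pop3s": 995, "mysql": 3306}

# TCP ports the ISPConfig firewall table in the thread opens.
FIREWALL_TCP_ALLOW = {21, 22, 25, 53, 80, 81, 110, 443}

def parse_listeners(text):
    """Return (port, program, binding) per LISTEN socket; binding is any/loopback/address."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue  # header, ESTABLISHED connections, etc.
        host, _, port = f[3].rpartition(":")
        num = int(port) if port.isdigit() else SERVICE_PORTS.get(port)
        if num is None:
            continue  # unknown service name; extend SERVICE_PORTS
        binding = ("any" if host == "*" else
                   "loopback" if host in ("localhost", "127.0.0.1") else "address")
        out.append((num, f[6].split("/", 1)[1], binding))
    return out

def exposure_report(listeners, allowed=FIREWALL_TCP_ALLOW):
    """Map port -> (program, binding, status) relative to the firewall rule set."""
    report = {}
    for port, prog, binding in listeners:
        if binding == "loopback":
            status = "loopback only, not reachable from outside"
        elif port in allowed:
            status = "opened by firewall rules"
        else:
            status = "not in firewall rules: reachable unless the firewall filters it"
        report[port] = (prog, binding, status)
    return report

def unlisted_exposed(report):
    """Ports listening on a non-loopback address that no firewall rule covers."""
    return sorted(p for p, (_, b, s) in report.items() if b != "loopback" and s.startswith("not in"))
```

Run against the posted listing, this also surfaces that the rule table opens port 22 while sshd now listens on 23314, so the firewall rule no longer matches the service it was written for.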