
3rd August 2011, 11:40 | Mattias (HowtoForge Supporter; Join Date: Jun 2011; Location: Stockholm, Sweden; Posts: 82)
Someone trying to hack my servers?
Hello,
I'm getting a lot of info from logwatch that different services like mail, dns, apache and others are answering wrong password or access denied for different IP addresses all over the world. Is someone trying to hack my servers?
Is there a way to autoblock these IP addresses if they try to access something more than 20 times or something like that?
A copy/paste of some information from logwatch:
Dovecot:
dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<web10p4>, method=PLAIN, rip=94.76.204.66, lip=192.168.10.10: 3 Time(s)
(repeats MANY times in the mail)
Apache:
Requests with error response codes
404 Not Found
//./scripts/setup.php: 1 Time(s)
//Myphp/scripts/setup.php: 1 Time(s)
//_db/scripts/setup.php: 1 Time(s)
//_dbadmin/scripts/setup.php: 1 Time(s)
//_myadmin/scripts/setup.php: 1 Time(s)
//_myphp/scripts/setup.php: 1 Time(s)
//_php/scripts/setup.php: 1 Time(s)
//_phpadmin/scripts/setup.php: 1 Time(s)
//_phpmyadmin/scripts/setup.php: 1 Time(s)
//_sql/scripts/setup.php: 1 Time(s)
//admin/my/scripts/setup.php: 1 Time(s)
//admm/scripts/setup.php: 1 Time(s)
//admn/scripts/setup.php: 1 Time(s)
//databaseadmin/scripts/setup.php: 1 Time(s)
//db/scripts/setup.php: 1 Time(s)
//dbadmin/scripts/setup.php: 1 Time(s)
//my-php/scripts/setup.php: 1 Time(s)
and so on..
Pam_unix begin:
dovecot:
Authentication Failures:
test rhost=78.186.248.28 : 16 Time(s)
web10p1 rhost=94.76.204.66 : 16 Time(s)
web10p10 rhost=94.76.204.66 : 16 Time(s)
web10p2 rhost=94.76.204.66 : 16 Time(s)
web10p3 rhost=94.76.204.66 : 16 Time(s)
web10p4 rhost=94.76.204.66 : 16 Time(s)
web10p5 rhost=94.76.204.66 : 16 Time(s)
web10p7 rhost=94.76.204.66 : 16 Time(s)
web10p8 rhost=94.76.204.66 : 16 Time(s)
web10p9 rhost=94.76.204.66 : 16 Time(s)
web10p6 rhost=94.76.204.66 : 8 Time(s)
web11p1 rhost=94.76.204.66 : 8 Time(s)
web11p10 rhost=94.76.204.66 : 8 Time(s)
web11p2 rhost=94.76.204.66 : 8 Time(s)
web11p3 rhost=94.76.204.66 : 8 Time(s)
web11p4 rhost=94.76.204.66 : 8 Time(s)
web11p5 rhost=94.76.204.66 : 8 Time(s)
and so on..
Postfix:
SASL Authenticated messages from: 1 Host(s), 5 Time(s)
Relaying denied: 2 Time(s)
Connections lost:
Connection lost while CONNECT : 289 Time(s)
Connection lost while RCPT : 1 Time(s)
Unrecognized warning:
non-SMTP command from unknown[173.226.228.88]: GET / HTTP/1.1 : 1 Time(s)
Connections (secure-log) Begin:
**Unmatched Entries**
dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user test
(the line above repeated 16 times)
Rootkit Hunter: Rootkit hunter check started (version 1.3.8)
Rootkit Hunter: Scanning took 1 minute and 7 seconds
Rootkit Hunter: Please inspect this machine, because it may be infected.
(How do you look for infected files in rootkit?)
Sendmail begin:
**Unmatched Entries**
STARTTLS=client, relay=[127.0.0.1], field=cn_issuer, status=failed to extract CN: 5 Time(s)
STARTTLS=client, relay=[127.0.0.1], field=cn_subject, status=failed to extract CN: 5 Time(s)
Is this a common thing for a webhosting server? Is it unsafe to NOT do anything?
Best regards,
Mattias

3rd August 2011, 11:50 | till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 32,071)
It is common that hackers or hacker scripts try to access accounts on your server. You can e.g. use fail2ban to deny access to them on the network level when logins failed X times.
Regarding the rkhunter output, you can see the detailed report by running:
rkhunter -c
on the shell as root user.

3rd August 2011, 12:17 | Mattias (HowtoForge Supporter; Join Date: Jun 2011; Location: Stockholm, Sweden; Posts: 82)
Hello Till and thank you for the quick response!!
I've gone through the rkhunter reports and it was only that the root account had access through SSH (I've blocked it in the firewall, works only in the internal net) and also a .dat file was missing (but I ran "rkhunter --propupd" to fix it).
When it comes to fail2ban I have installed it on the server, but do not know how to use it (came as an option while installing ISPconfig server via the usual guides). Is there a manual/guide of some sort that I can read and get some more information about what it does and how to do it?
The best thing would be to check if an IP address is trying to access the services on the server more than say 20-30 times and then block it. Some customers may type in the wrong password but not that many times...?
Thanks!
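The threshold logic till describes above (fail2ban blocking an address once logins have failed X times) and the "more than 20-30 attempts from one IP, then block it" behaviour Mattias is asking for, written out as an added example; this is not part of the thread and not fail2ban's own code. It parses the two log formats quoted in the first post (the dovecot pop3-login failure and the Apache 404s for */scripts/setup.php*), keeps a per-IP sliding window the way fail2ban's findtime/maxretry do, and builds the iptables rule fail2ban's default iptables action inserts. The jail names, thresholds, sample log lines and the 2011 year assumed for the syslog timestamps are all constructed for the example; on a real box the thresholds belong in /etc/fail2ban/jail.local and the regexes in filter.d/*.conf with `(?P<host>...)` replaced by fail2ban's `<HOST>`.

```python
"""fail2ban-style threshold blocking, written as an added example (not fail2ban's
own code): count auth failures and probe requests per source IP in a sliding
window and report the IPs that reached maxretry inside findtime."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog lines carry no year; the thread is from 2011, so that year is assumed.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ")
APACHE_TS = re.compile(r"\[(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # plays the role of fail2ban's <HOST>


def syslog_ts(line, year=2011):
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} " + " ".join(m.group("ts").split()),
                             "%Y %b %d %H:%M:%S")


def apache_ts(line):
    m = APACHE_TS.search(line)
    return datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S") if m else None


# Hypothetical jail names; the regexes follow the log lines quoted in the thread.
# maxretry/findtime mean the same as in fail2ban's jail.conf.
JAILS = {
    "dovecot-pop3": {
        "timestamp": syslog_ts,
        "failregex": re.compile(
            r"dovecot: (?:pop3|imap)-login: Disconnected \(auth failed, \d+ attempts\): "
            r"user=<[^>]*>, method=\w+, rip=" + HOST),
        "maxretry": 5, "findtime": 600,
    },
    "apache-setup-probe": {  # phpMyAdmin setup.php scanner collecting 404s
        "timestamp": apache_ts,
        "failregex": re.compile(
            r"^" + HOST + r' \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) '
            r'\S*/scripts/setup\.php[^"]*" 404 '),
        "maxretry": 3, "findtime": 600,
    },
}


def scan(lines, jails=JAILS):
    """Return {jail: {ip: time_of_ban}} for IPs that hit maxretry within findtime."""
    recent = {name: defaultdict(deque) for name in jails}
    banned = {name: {} for name in jails}
    for line in lines:
        for name, jail in jails.items():
            m = jail["failregex"].search(line)
            if not m:
                continue
            ts = jail["timestamp"](line)
            if ts is None:
                continue
            ip = m.group("host")
            window = recent[name][ip]
            window.append(ts)
            # forget failures older than findtime, measured from this failure
            while (ts - window[0]).total_seconds() > jail["findtime"]:
                window.popleft()
            if len(window) >= jail["maxretry"] and ip not in banned[name]:
                banned[name][ip] = ts
    return banned


def ban_command(jail, ip):
    """Rule shape fail2ban's iptables action inserts into its per-jail chain."""
    return f"iptables -I fail2ban-{jail} 1 -s {ip} -j DROP"


# Constructed sample lines in the two formats quoted in the thread (not real traffic).
def _dove(ts, user, ip):
    return (f"{ts} srv dovecot: pop3-login: Disconnected (auth failed, 1 attempts): "
            f"user=<{user}>, method=PLAIN, rip={ip}, lip=192.168.10.10")


def _http(ts, ip, path, code):
    return f'{ip} - - [{ts} +0200] "GET {path} HTTP/1.1" {code} 289 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    # a customer mistyping a password every 20 minutes: never 5 inside 600 s
    *[_dove(f"Aug  3 {10 + m // 60:02d}:{m % 60:02d}:00", "alice", "198.51.100.7")
      for m in (0, 20, 40, 60, 80)],
    # a scanner walking mailbox names from one IP: six failures in ten seconds
    *[_dove(f"Aug  3 11:30:{2 * i:02d}", f"web10p{i + 1}", "94.76.204.66")
      for i in range(6)],
    _dove("Aug  3 11:31:00", "test", "78.186.248.28"),
    _dove("Aug  3 11:31:30", "test", "78.186.248.28"),
    _http("03/Aug/2011:11:40:00", "173.226.228.88", "//_phpmyadmin/scripts/setup.php", 404),
    _http("03/Aug/2011:11:40:01", "173.226.228.88", "//phpmyadmin/scripts/setup.php", 404),
    _http("03/Aug/2011:11:40:02", "173.226.228.88", "//dbadmin/scripts/setup.php", 404),
    _http("03/Aug/2011:11:45:00", "203.0.113.9", "/index.html", 200),
    _http("03/Aug/2011:11:45:05", "203.0.113.9", "//db/scripts/setup.php", 404),
]

if __name__ == "__main__":
    for jail, ips in scan(SAMPLE_LOG).items():
        for ip, when in ips.items():
            print(f"{when:%b %d %H:%M:%S} [{jail}] {ban_command(jail, ip)}")
```

Run it and only 94.76.204.66 (five dovecot failures in eight seconds) and 173.226.228.88 (three setup.php probes) come out banned; the customer who mistypes once every twenty minutes and the host with two "test" attempts never reach maxretry inside findtime, which is the property that makes a 20-30 attempt threshold safe for real users. The "pam_succeed_if ... user test" lines from the first post land in /var/log/secure rather than the mail log and would need their own jail and regex.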

3rd August 2011, 12:47 | till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 32,071)
Which Linux distribution do you use?

3rd August 2011, 13:11 | Mattias (HowtoForge Supporter; Join Date: Jun 2011; Location: Stockholm, Sweden; Posts: 82)
I use CentOS 5.6 with ISPconfig 3

3rd August 2011, 14:14 | Mark_NL (Senior Member; Join Date: Sep 2008; Location: The Netherlands; Posts: 911)
You might want to check out this how-to
http://www.howtoforge.com/extending-...ze-ispconfig-3
It does some fail2ban explaining as well.

3rd August 2011, 14:45 | Mattias (HowtoForge Supporter; Join Date: Jun 2011; Location: Stockholm, Sweden; Posts: 82)
Thanks very much for all the information!
I have now updated my server with some fail2ban stuff and also rkhunter; we will see how it reacts to the current problem in the next logwatch log.
Best regards,
Mattias