logwatch

Discussion in 'Server Operation' started by stefanos, Feb 13, 2009.

  1. stefanos

    stefanos New Member

    Hi fellow friends,

    I think I have a problem or a potential problem with my server I think. My logwatch looks like this:

    I am concerned about durak.ru.mydomain.com Connection failure (outbound). I do not have such a domain name. My server should not have tried to make this outbound connection. Has my server been hacked? How can I trace where this came from on my server?

    and the Connections lost After AUTH near the end of the log (220-132-164-157.HINET-IP.hinet.net) is this something to worry about?

    I have also just installed fail2ban to combat the dovecot and the ssh hack attacks, I am assuming this is a dictionary attack and they have not gained access yet.

    I am running Fedora core 9, perfect server. One other question I have is how often should I run yum update?

    Kind Regards
    Stephen


    --------------------- pam_unix Begin ------------------------

    dovecot:
    Authentication Failures:
    rhost=::ffff:200.36.53.7 : 129 Time(s)
    root: 15 Time(s)
    adm: 1 Time(s)
    apache: 1 Time(s)
    bin: 1 Time(s)
    daemon: 1 Time(s)
    ftp: 1 Time(s)
    games: 1 Time(s)
    gopher: 1 Time(s)
    halt: 1 Time(s)
    lp: 1 Time(s)
    mail: 1 Time(s)
    mailnull: 1 Time(s)
    mysql: 1 Time(s)
    named: 1 Time(s)
    news: 1 Time(s)
    nfsnobody: 1 Time(s)
    nobody: 1 Time(s)
    operator: 1 Time(s)
    postfix: 1 Time(s)
    postgres: 1 Time(s)
    rpc: 1 Time(s)
    rpcuser: 1 Time(s)
    shutdown: 1 Time(s)
    smmsp: 1 Time(s)
    sshd: 1 Time(s)
    sync: 1 Time(s)
    uucp: 1 Time(s)
    Unknown Entries:
    check pass; user unknown: 129 Time(s)

    smtp:
    Unknown Entries:
    authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= : 1 Time(s)
    check pass; user unknown: 1 Time(s)

    sshd:
    Authentication Failures:
    mysql (210.87.191.133): 42 Time(s)
    root (123.233.245.226): 13 Time(s)
    unknown (123.233.245.226): 2 Time(s)
    root (202.108.29.8): 1 Time(s)
    Invalid Users:
    Unknown Account: 2 Time(s)
    Sessions Opened:
    smac: 6 Time(s)

    su-l:
    Sessions Opened:
    smac(uid=500) -> root: 5 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- SSHD Begin ------------------------


    Didn't receive an ident from these IPs:
    210.87.191.133: 3 Time(s)

    Failed logins from:
    123.233.245.226: 13 times
    root/password: 13 times
    202.108.29.8: 1 time
    root/password: 1 time
    210.87.191.133: 42 times
    mysql/password: 42 times

    Illegal users from:
    123.233.245.226: 2 times
    oracle/password: 1 time
    test/password: 1 time

    Users logging in through sshd:
    smac:
    77.49.x.x (isp.net.gr): 2 times
    77.49.x.x (isp.net.gr): 2 times
    192.168.1.24: 2 times


    Received disconnect:
    11: Bye Bye
    123.233.245.226 : 15 Time(s)
    202.108.29.8 : 1 Time(s)
    210.87.191.133 : 36 Time(s)

    **Unmatched Entries**
    Timeout, client not responding. : 4 time(s)

    ---------------------- SSHD End -------------------------

    --------------------- Postfix Begin ------------------------

    ****** Summary *************************************************************************************

    1 SASL authentication failed

    55.742K Bytes accepted 57,080
    43.464K Bytes delivered 44,507
    ======== ================================================

    17 Accepted 94.44%
    1 Rejected 5.56%
    -------- ------------------------------------------------
    18 Total 100.00%
    ======== ================================================

    1 Reject relay denied 100.00%
    -------- ------------------------------------------------
    1 Total Rejects 100.00%
    ======== ================================================

    6 Connections made
    4 Connections lost
    6 Disconnections
    3 Removed from queue
    2 Sent via SMTP
    1 Forwarded
    14 Deferred
    297 Deferrals

    135 Connection failure (outbound)
    2 TLS connections (server)
    2 SASL authenticated messages

    1 Postfix start
    1 Postfix stop


    ****** Detailed ************************************************************************************

    1 SASL authentication failed --------------------------------------------------------------
    1 220.132.164.157 220-132-164-157.hinet-ip.hinet.net

    1 Reject relay denied ---------------------------------------------------------------------
    1 118.169.195.167 118-169-195-167.dynamic.hinet.net
    1 [email protected]

    4 Connections lost ------------------------------------------------------------------------
    1 After AUTH
    1 220-132-164-157.HINET-IP.hinet.net
    1 After CONNECT
    1 correo.ccs.net.mx
    1 After EHLO
    1 220-132-164-157.HINET-IP.hinet.net
    1 After RCPT
    1 118-169-195-167.dynamic.hinet.net

    2 Sent via SMTP ---------------------------------------------------------------------------
    2 myemailprovider.gr
    2 mac
    1 [email protected]

    1 Forwarded -------------------------------------------------------------------------------
    1 dragon.mydomain.com
    1 root

    297 Deferrals -------------------------------------------------------------------------------
    297 4.4.1: Persistent Transient Failure: Network & Routing Status: No answer from host
    162 Delivery temporarily suspended: Connection timed out
    162 localhost.localdomain.mydomain.com
    162 admispconfig
    162 62.49.x.x localhost.localdomain.mydomain.com
    135 Connection timed out
    113 localhost.localdomain.mydomain.com
    113 admispconfig
    113 62.49.x.x localhost.localdomain.mydomain.com
    22 durak.ru.mydomain.com
    22 lebedev
    22 62.49.x.x durak.ru.mydomain.com

    135 Connection failure (outbound) -----------------------------------------------------------
    135 Connection timed out
    113 62.49.x.x localhost.localdomain.mydomain.com
    22 62.49.x.x durak.ru.mydomain.com

    2 TLS connections (server) ----------------------------------------------------------------
    2 127.0.0.1 localhost.localdomain
    2 Anonymous: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    2 SASL authenticated messages -------------------------------------------------------------
    2 Unknown
    2 Unknown
    2 127.0.0.1 localhost.localdomain


    ---------------------- Postfix End -------------------------
     
  2. falko

    falko Super Moderator ISPConfig Developer

    First, I'd check if your server is blacklisted: http://mxtoolbox.com/blacklists.aspx
    If it is, please check the mynetworks parameter in main.cf. The only network listed should be 127.0.0.0/8. Also check your web applications. Spammers might abuse vulnerable contact forms, guestbooks, etc.
     

Share This Page