• 16-05-2008, 13:43:35
    #1
    Gelen LogWatch maili içeriği aynen şöyle
    --------------------- pam_unix Begin ------------------------
    sshd:
    Authentication Failures:
    root (akademiyah.tenet.odessa.ua): 1037 Time(s)
    unknown (akademiyah.tenet.odessa.ua): 272 Time(s)
    mysql (akademiyah.tenet.odessa.ua): 26 Time(s)
    news (akademiyah.tenet.odessa.ua): 16 Time(s)
    games (akademiyah.tenet.odessa.ua): 14 Time(s)
    daemon (akademiyah.tenet.odessa.ua): 12 Time(s)
    mailman (akademiyah.tenet.odessa.ua): 12 Time(s)
    cpanel (akademiyah.tenet.odessa.ua): 8 Time(s)
    mail (akademiyah.tenet.odessa.ua): 8 Time(s)
    apache (akademiyah.tenet.odessa.ua): 6 Time(s)
    rpm (akademiyah.tenet.odessa.ua): 6 Time(s)
    unknown (58.211.78.204): 6 Time(s)
    root (58.211.78.204): 3 Time(s)
    Invalid Users:
    Unknown Account: 278 Time(s)
    ---------------------- pam_unix End -------------------------
    --------------------- Connections (secure-log) Begin ------------------------
    **Unmatched Entries**
    Cp-Wrap[2896]: Pushing "32058 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32058
    Cp-Wrap[2896]: CP-Wrapper terminated without error
    Cp-Wrap[2902]: Pushing "32058 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32058
    Cp-Wrap[2902]: CP-Wrapper terminated without error
    Cp-Wrap[3005]: Pushing "32058 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32058
    Cp-Wrap[3005]: CP-Wrapper terminated without error
    Cp-Wrap[3008]: Pushing "32058 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32058
    Cp-Wrap[3008]: CP-Wrapper terminated without error
    Cp-Wrap[3928]: Pushing "32059 COUNTDBS" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[3928]: CP-Wrapper terminated without error
    Cp-Wrap[3934]: Pushing "32059 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[3934]: CP-Wrapper terminated without error
    Cp-Wrap[3942]: Pushing "32059 DBCACHE" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[3942]: CP-Wrapper terminated without error
    Cp-Wrap[4146]: Pushing "32059 ADDDB onlinexdbmiydila" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4146]: CP-Wrapper terminated without error
    Cp-Wrap[4153]: Pushing "32059 DBCACHE" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4153]: CP-Wrapper terminated without error
    Cp-Wrap[4171]: Pushing "32059 ADDUSER hehedbydiaq XXXXXXXXXXXXXXX" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4171]: CP-Wrapper terminated without error
    Cp-Wrap[4178]: Pushing "32059 DBCACHE" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4178]: CP-Wrapper terminated without error
    Cp-Wrap[4183]: Pushing "32059 ADDUSERDB online_onlinexdbmiydila XXXXXXXXXXXXXXXX ALL" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4183]: CP-Wrapper terminated without error
    Cp-Wrap[4188]: Pushing "32059 DBCACHE" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32059
    Cp-Wrap[4188]: CP-Wrapper terminated without error
    ---------------------- Connections (secure-log) End -------------------------
    --------------------- SSHD Begin ------------------------
    Failed logins from these:
    apache/password from ::ffff:195.138.83.32: 6 Time(s)
    cpanel/password from ::ffff:195.138.83.32: 8 Time(s)
    daemon/password from ::ffff:195.138.83.32: 12 Time(s)
    games/password from ::ffff:195.138.83.32: 14 Time(s)
    mail/password from ::ffff:195.138.83.32: 8 Time(s)
    mailman/password from ::ffff:195.138.83.32: 12 Time(s)
    mysql/password from ::ffff:195.138.83.32: 26 Time(s)
    news/password from ::ffff:195.138.83.32: 16 Time(s)
    root/password from ::ffff:195.138.83.32: 1037 Time(s)
    root/password from ::ffff:58.211.78.204: 3 Time(s)
    rpm/password from ::ffff:195.138.83.32: 6 Time(s)
    Users logging in through sshd:
    root:
    dsl.staticx2.ttnet.net.tr (x): 1 time
    Received disconnect:
    11: Bye Bye
    ::ffff:195.138.83.32 : 1415 Time(s)
    ::ffff:58.211.78.204 : 9 Time(s)
    SFTP subsystem requests: 1 Time(s)
    **Unmatched Entries**
    Invalid user nagios from ::ffff:195.138.83.32
    input_userauth_request: invalid user nagios
    Failed password for invalid user nagios from ::ffff:195.138.83.32 port 54003 ssh2
    Invalid user test from ::ffff:58.211.78.204
    input_userauth_request: invalid user test
    Failed password for invalid user test from ::ffff:58.211.78.204 port 34536 ssh2
    Invalid user guest from ::ffff:58.211.78.204
    input_userauth_request: invalid user guest
    Failed password for invalid user guest from ::ffff:58.211.78.204 port 34665 ssh2
    Invalid user admin from ::ffff:58.211.78.204
    input_userauth_request: invalid user admin
    Failed password for invalid user admin from ::ffff:58.211.78.204 port 34793 ssh2
    Invalid user admin from ::ffff:58.211.78.204
    ******burası sürüp gidiyor çok var****
    ---------------------- SSHD End -------------------------
    bu ne anlama geliyor? bilen varmı internette araştırdım ssh login attacks gibi şeylere ulaştım ama tam bilgisi olan varmı?
  • 17-05-2008, 00:45:27
    #2
    Eposta Aktivasyonu Gerekmekte
    brute force yani deneme yanılma yontemi ile bir wordlist ile ssh'iniz saldiri aliyor.
    root passwordunuz karısık karekterlerden yapmanızı tavsiye ederim.Bu sekilde brute force ile sifre ele gecirilmesi zorlasir. Saldirgan da saldiriyi kısa surede kesebilir.
  • 17-05-2008, 00:52:30
    #3
    sunucuoptimizasyon.com
    yada ssh portunu değiştirin değiştirmeden önce firewallınız varsa port açmayı unutmayın
  • 17-05-2008, 09:56:23
    #4
    ortalama 2 haftadır geliyor bu mailler teşekkürler arkadaşlar önlemimi alayım
    birde bu ip lere ban atamazmıyım
  • 17-05-2008, 14:17:38
    #5
    Kurumsal Üye
    ipleri banlaman çözüm olmaz bu botlar epey bir fazla bizim sunucularda da görüyorum loglarını.
    en iyi yapacağın şey ssh port değiştirmek olur.
  • 18-05-2008, 08:49:01
    #6
    teşekkürler arkadaşlar
  • 22-05-2008, 23:32:22
    #7
    BFD veya LFD kurabilirsiniz.
  • 12-05-2009, 23:59:25
    #8
    "SSH Keys" kullanmakta bir çözüm zannediyorum
  • 13-05-2009, 01:22:26
    #9
    csf kurarsan bu deneme yapan ip'ler otomatik olarak banlanacaktır.