Thanks Eric & Locutus for your suggestions…
Using Webmin’s File Manager, I found there were files called “messages” and “secure” under /var/log/, but no file called “auth.log”.
Since the log files seem to only go back 3 days, I will have to ask my clients to retry their FTP failures once again.
However, I did come up with a lot of evidence of what looks like hacking attempts. Since there is no specific forum on security issues, I will post some samples here and ask what I might do for preventative measures.
Out of about ten thousand entry lines of /var/log/secure, spanning only 3 days, about one-third of the entries seem to be some kind of port-scanning or SSH break-in attempts. Is this type of thing normal for servers? Do hackers just randomly choose servers and keep going at it? (What a creative way to spend your life!)
Here are some samples of the entries. Is there any point in blocking IPs (when they are likely spoofed), or, say, only allowing logins or SSH from IPs that our own side might be using?
Thanks for any comments or advice…
Gary
====================SAMPLES: VAR/LOG/SECURE====================
Jan 16 08:52:12 cd4502 sshd[6789]: Invalid user git from 8.20.136.233
Jan 16 08:52:12 cd4502 sshd[6792]: input_userauth_request: invalid user git
Jan 16 08:52:12 cd4502 sshd[6789]: pam_unix(sshd:auth): check pass; user unknown
Jan 16 08:52:12 cd4502 sshd[6789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=8.20.136.233
Jan 16 08:52:12 cd4502 sshd[6789]: pam_succeed_if(sshd:auth): error retrieving information about user git
Jan 16 08:52:14 cd4502 sshd[6789]: Failed password for invalid user git from 8.20.136.233 port 33115 ssh2
Jan 16 08:52:14 cd4502 sshd[6792]: Received disconnect from 8.20.136.233: 11: Bye Bye
Jan 16 10:50:45 cd4502 sshd[16609]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.212.150.232 user=root
Jan 16 10:50:46 cd4502 sshd[16609]: Failed password for root from 210.212.150.232 port 42549 ssh2
Jan 16 10:50:47 cd4502 sshd[16612]: Received disconnect from 210.212.150.232: 11: Bye Bye
Jan 16 10:50:50 cd4502 sshd[16613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.212.150.232 user=root
Jan 16 10:50:52 cd4502 sshd[16613]: Failed password for root from 210.212.150.232 port 42951 ssh2
Jan 16 10:50:53 cd4502 sshd[16616]: Received disconnect from 210.212.150.232: 11: Bye Bye
Jan 16 10:50:56 cd4502 sshd[16621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.212.150.232 user=root
Jan 16 10:50:58 cd4502 sshd[16621]: Failed password for root from 210.212.150.232 port 43364 ssh2
Jan 16 10:50:58 cd4502 sshd[16624]: Received disconnect from 210.212.150.232: 11: Bye Bye
Jan 16 19:07:15 cd4502 sshd[27471]: reverse mapping checking getaddrinfo for 188-95-51-71.thefreevps.com failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 16 19:07:15 cd4502 sshd[27471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.95.51.71 user=root
Jan 16 19:07:16 cd4502 sshd[27471]: Failed password for root from 188.95.51.71 port 51258 ssh2
Jan 16 19:07:16 cd4502 sshd[27474]: Received disconnect from 188.95.51.71: 11: Bye Bye
Jan 17 05:31:34 cd4502 sshd[17062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.243.137.209 user=root
Jan 17 05:31:36 cd4502 sshd[17062]: Failed password for root from 201.243.137.209 port 2502 ssh2
Jan 17 05:31:36 cd4502 sshd[17065]: Received disconnect from 201.243.137.209: 11: Goodbye
Jan 17 05:31:44 cd4502 sshd[17066]: Address 201.243.137.209 maps to 201-243-137-209.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jan 17 07:09:14 cd4502 proftpd[25811]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER drudoman (Login failed): Incorrect password.
Jan 17 07:09:14 cd4502 proftpd[25811]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - FTP session closed.
Jan 17 07:09:15 cd4502 proftpd[25812]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER wwwdrudomancom: no such user found from 208.98.22.226 [208.98.22.226] to 208.78.241.87:21
Jan 17 07:09:15 cd4502 proftpd[25812]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - FTP session closed.
Jan 17 07:09:15 cd4502 proftpd[25813]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER www.drudoman.com: no such user found from 208.98.22.226 [208.98.22.226] to 208.78.241.87:21
Jan 17 07:09:17 cd4502 proftpd[25813]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - FTP session closed.
Jan 17 07:09:18 cd4502 proftpd[25814]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER drudomancom: no such user found from 208.98.22.226 [208.98.22.226] to 208.78.241.87:21
Jan 19 00:08:28 cd4502 sshd[20727]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=168-215-227-26.static.twtelecom.net user=root
Jan 19 00:08:30 cd4502 sshd[20727]: Failed password for root from 168.215.227.26 port 53843 ssh2
Jan 19 00:08:30 cd4502 sshd[20730]: Received disconnect from 168.215.227.26: 11: Bye Bye
Jan 19 00:08:31 cd4502 sshd[20731]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.hikinostudentnews.org user=root
Jan 16 06:33:09 cd4502 named[1538]: client 62.77.203.10#18132: query (cache) 'domain1.com/MX/IN' denied
Jan 16 06:33:10 cd4502 named[1538]: client 213.163.34.66#17362: query (cache) 'domain1.com/MX/IN' denied
Jan 16 06:33:10 cd4502 named[1538]: client 213.163.34.66#25850: query (cache) 'domain1.com/MX/IN' denied
Jan 16 06:33:10 cd4502 named[1538]: client 213.163.34.66#32643: query (cache) 'domain1.com/MX/IN' denied
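Since the post is about telling bulk password-guessing noise apart from a handful of legitimate client failures, here is an added example (my code, not Gary’s, and not part of Webmin or any tool named in the thread) that parses the sshd and proftpd failure lines quoted above, counts failures per source address and per username tried, and flags sources over a threshold, which is the same decision fail2ban-style tools make before blocking. The sample lines are copied from the post’s excerpt; the threshold of 3 failures and the 203.0.113.0/24 “our side” allowlist are assumed values for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the /var/log/secure excerpt in the post.
SAMPLE_LOG = """\
Jan 16 08:52:12 cd4502 sshd[6789]: Invalid user git from 8.20.136.233
Jan 16 08:52:14 cd4502 sshd[6789]: Failed password for invalid user git from 8.20.136.233 port 33115 ssh2
Jan 16 10:50:46 cd4502 sshd[16609]: Failed password for root from 210.212.150.232 port 42549 ssh2
Jan 16 10:50:52 cd4502 sshd[16613]: Failed password for root from 210.212.150.232 port 42951 ssh2
Jan 16 10:50:58 cd4502 sshd[16621]: Failed password for root from 210.212.150.232 port 43364 ssh2
Jan 16 19:07:16 cd4502 sshd[27471]: Failed password for root from 188.95.51.71 port 51258 ssh2
Jan 17 05:31:36 cd4502 sshd[17062]: Failed password for root from 201.243.137.209 port 2502 ssh2
Jan 17 07:09:14 cd4502 proftpd[25811]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER drudoman (Login failed): Incorrect password.
Jan 17 07:09:15 cd4502 proftpd[25812]: 208.78.241.87 (208.98.22.226[208.98.22.226]) - USER wwwdrudomancom: no such user found from 208.98.22.226 [208.98.22.226] to 208.78.241.87:21
Jan 19 00:08:30 cd4502 sshd[20727]: Failed password for root from 168.215.227.26 port 53843 ssh2
Jan 16 06:33:09 cd4502 named[1538]: client 62.77.203.10#18132: query (cache) 'domain1.com/MX/IN' denied
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One "Failed password" line per sshd attempt; the preceding
# "Invalid user" / pam_unix lines describe the same attempt, so
# counting only this line avoids double counting.
FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>" + IPV4 + r") port \d+"
)

# proftpd logs the client as "server (client[client])" and then either
# "(Login failed)" for a bad password or "no such user found" for a bad name.
FAILED_FTP = re.compile(
    r"proftpd\[\d+\]: \S+ \((?P<ip>" + IPV4 + r")\[[^\]]*\]\) - USER "
    r"(?P<user>\S+?):? (?:\(Login failed\)|no such user found)"
)


def summarize_failures(log_text, threshold=3):
    """Return (per-source stats, sources at or over threshold)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "services": set()})
    for line in log_text.splitlines():
        for service, pattern in (("ssh", FAILED_SSH), ("ftp", FAILED_FTP)):
            m = pattern.search(line)
            if m:
                entry = stats[m["ip"]]
                entry["failures"] += 1
                entry["users"].add(m["user"])
                entry["services"].add(service)
                break  # a line belongs to one service only
    flagged = {ip: e for ip, e in stats.items() if e["failures"] >= threshold}
    return dict(stats), flagged


def top_sources(stats, n=5):
    """Noisiest source addresses first, as (ip, failure count) pairs."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["failures"], reverse=True)
    return [(ip, e["failures"]) for ip, e in ranked[:n]]


def outside_allowlist(stats, allowed_cidrs):
    """Sources that fall outside the networks our own side uses.

    allowed_cidrs is a list of CIDR strings; anything not inside one of
    them is a candidate for an sshd AllowUsers/firewall restriction review.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted(
        ip for ip in stats
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    )


if __name__ == "__main__":
    stats, flagged = summarize_failures(SAMPLE_LOG, threshold=3)
    for ip, count in top_sources(stats):
        e = stats[ip]
        print(f"{ip:16} {count:3} failures  users={sorted(e['users'])} via {sorted(e['services'])}")
    print("over threshold:", sorted(flagged))
    # Constructed allowlist standing in for "IPs our own side might be using".
    print("outside allowlist:", outside_allowlist(stats, ["203.0.113.0/24"]))
```

The source addresses in these lines are not spoofed: sshd and proftpd only log a failed login after the TCP handshake and protocol negotiation have completed, which requires the peer to receive the server's replies, so per-address counting and blocking is meaningful here. The named “query denied” lines match neither pattern and are left out, since they are a different issue (open-resolver probing) from the login failures the post asks about.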