Security run output - question

Discussion in 'Security' started by Cystrix, Feb 24, 2005.

  1. Cystrix

    Cystrix Member

    Not sure where to post this, but it is to do with WHM!

    Recently we have been getting a load of failed login attempts in the security run email, but today I noticed that not only are they failing for root, toor, mysql, www, operator, daemon, smmsp but there are account usernames as well!

    They come from different IPs and on different ports.

    Does this mean that someone has got into our server, or is there any other way to get the account names?

    ### Extract from security run output ###
    Feb 24 10:06:21 vulcan sshd[49190]: Failed password for mysql from 67.19.25.218 port 34671 ssh2
    Feb 24 10:06:26 vulcan sshd[49213]: Failed password for mysql from 67.19.25.218 port 35354 ssh2
    Feb 24 10:06:26 vulcan sshd[49217]: Failed password for mysql from 67.19.25.218 port 35399 ssh2
    Feb 24 10:06:57 vulcan sshd[49428]: Failed password for mysql from 67.19.25.218 port 40308 ssh2
    Feb 24 10:09:40 vulcan sshd[50578]: Failed password for toor from 67.19.25.218 port 38269 ssh2
    Feb 24 10:09:52 vulcan sshd[50668]: Failed password for toor from 67.19.25.218 port 41041 ssh2
    Feb 24 10:09:59 vulcan sshd[50721]: Failed password for toor from 67.19.25.218 port 42337 ssh2
    Feb 24 10:10:32 vulcan sshd[50977]: Failed password for toor from 67.19.25.218 port 49421 ssh2
     
  2. mctDarren

    mctDarren Well-Known Member

    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    It means someone is scanning your server and trying ways to get in. Look for an intrusion detection system like Snort or Brute Force Detector and install it. Make sure you have a good firewall running. Try adding offending IP addresses to your iptables using the following command:
    Code:
    iptables -I INPUT -s 25.55.55.55 -j DROP
    This will make your server drop all connections from the IP and stop the scans/attacks. But get used to seeing those messages. They are a regular part of server administration, and becoming more and more (and MORE) frequent. GL! :)
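As an added example (not code from either poster), the following script does what the two replies above describe by hand: it parses sshd "Failed password" lines of the kind quoted in the first post, counts failures per source IP, separately notes which failures targeted names that really are local accounts (the first poster's worry), and produces the `iptables -I INPUT -s <ip> -j DROP` commands from the reply as strings for review rather than executing them. The sample log text is constructed for this example (two real source formats are mixed in: plain failures and OpenSSH's "invalid user" form), and the `LOCAL_ACCOUNTS` set and the threshold of 3 are assumptions to be replaced with the server's own account list and policy.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log text in the same format as the security run output
# quoted in the thread. The 10.0.0.x lines and the "invalid user" form are
# made up for illustration; they are not from the original post.
SAMPLE_LOG = """\
Feb 24 10:06:21 vulcan sshd[49190]: Failed password for mysql from 67.19.25.218 port 34671 ssh2
Feb 24 10:06:26 vulcan sshd[49213]: Failed password for mysql from 67.19.25.218 port 35354 ssh2
Feb 24 10:09:40 vulcan sshd[50578]: Failed password for toor from 67.19.25.218 port 38269 ssh2
Feb 24 10:09:52 vulcan sshd[50668]: Failed password for toor from 67.19.25.218 port 41041 ssh2
Feb 24 10:11:03 vulcan sshd[51002]: Failed password for invalid user admin from 10.0.0.7 port 50123 ssh2
Feb 24 10:11:09 vulcan sshd[51010]: Failed password for johndoe from 10.0.0.7 port 50130 ssh2
Feb 24 10:12:00 vulcan sshd[51120]: Accepted password for johndoe from 10.0.0.9 port 51000 ssh2
"""

# Assumed list of accounts that exist on this server (hypothetical).
LOCAL_ACCOUNTS = {"mysql", "toor", "johndoe"}

# Matches both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP" (OpenSSH logs the latter
# when the username does not exist on the host).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Yield (user, ip, was_invalid_user) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def summarize(log_text, local_accounts):
    """Count failures per source IP and record which real local accounts were tried.

    Returns (failures_per_ip, usernames_seen_per_ip, failures_per_local_account).
    """
    per_ip = Counter()
    users_by_ip = defaultdict(set)
    local_hits = Counter()
    for user, ip, was_invalid in parse_failures(log_text):
        per_ip[ip] += 1
        users_by_ip[ip].add(user)
        # Only count it as a hit on a real account if sshd did not flag the
        # name as nonexistent and it is in our known account list.
        if not was_invalid and user in local_accounts:
            local_hits[user] += 1
    return per_ip, users_by_ip, local_hits


def drop_rules(per_ip, threshold, allowlist=()):
    """Return the iptables DROP commands (as strings, not executed) for IPs
    with at least `threshold` failures, skipping any allowlisted address."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip, count in sorted(per_ip.items())
        if count >= threshold and ip not in allowlist
    ]


if __name__ == "__main__":
    per_ip, users_by_ip, local_hits = summarize(SAMPLE_LOG, LOCAL_ACCOUNTS)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} failures, usernames tried: {sorted(users_by_ip[ip])}")
    print("failures against real local accounts:", dict(local_hits))
    for rule in drop_rules(per_ip, threshold=3):
        print("suggested:", rule)
```

Keep an allowlist of your own management addresses so a mistyped password from the office never generates a rule that locks you out, and remember that rules added with `iptables -I` live only until the next reboot or rule reload unless you save them. An attempt against a real account name is not by itself proof that the account was compromised (the "Accepted password" line is the event to look for), but a source that only tries names that exist is worth treating with more suspicion than one cycling through root, toor and mysql.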
     