Should I ban this ip? (secure log)

novice07

I have the same problem.

Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68
Since this is not our IP, is someone gaining access and hacking into the server?
I'm not much of an expert with xinetd.

Normally we would get
Apr 6 05:03:01 server xinetd[3030]: START: auth pid=12394 from=127.0.0.1


Is someone from outside our server running a process?
 

nyjimbo

Should I ban this ip? (secure log)

#secure logs
Sep 29 12:08:52 server xinetd[24892]: START: imap pid=21310 from=210.137.108.3


Thank You
Isn't this just someone using an imap client that's not on your server?
 

novice07

I'm sorry, but I have searched on the forum before posting and this is the only post I have found regarding my problem.
I'm worried that someone is authenticating from outside my server and it's not my clients.


I check the IPs with a whois tool; they originate from outside my country. The problem is that I do not offer international hosting; all the people that I host are from my city.

This is just today; there are always 2 or 3 IPs per day originating from all across Europe. This led me to believe that someone is using a proxy list to get in.

I had a blog on my site for support and now it's full of spam. I checked my logs and someone is trying to break in via ssh by brute force; each time he is blocked after trying 3 times. That does not stop this person from trying with a different IP. I have disabled ssh V.1, disabled telnet, changed the port and the IP for ssh, but now I'm afraid that he has found a way to get in.

This is what I get in my log. These are IPs that are not even from my country.
Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68
Apr 6 04:43:28 server xinetd[3030]: START: auth pid=11017 from=193.226.125.9
Apr 6 17:27:49 server xinetd[19048]: START: auth pid=2170 from=65.19.147.89
Apr 6 18:28:06 server xinetd[19048]: START: auth pid=6495 from=212.160.225.3

What does this mean?
 
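As an added example (not code posted by anyone in this thread), the Python below parses xinetd START lines like the ones quoted above and counts connections per service and source address, leaving out loopback and private sources. The log lines are copied from the thread except one constructed EXIT line; the function names `parse_start` and `external_connections` are my own.

```python
import ipaddress
import re
from collections import Counter

# xinetd writes one START line per accepted connection. The word after
# "START:" is the name of the xinetd service that was reached, not a login result.
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+xinetd\[\d+\]:\s+"
    r"START:\s+(?P<service>\S+)\s+pid=(?P<pid>\d+)\s+from=(?P<src>\S+)$"
)

def parse_start(line):
    """Return a dict for an xinetd START line, or None for anything else."""
    m = START_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        addr = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    # IPv6-enabled builds may log IPv4 peers as ::ffff:a.b.c.d; unwrap those.
    mapped = getattr(addr, "ipv4_mapped", None)
    rec["addr"] = mapped if mapped is not None else addr
    return rec

def external_connections(lines):
    """Count START events per (service, source) for non-local sources."""
    counts = Counter()
    for line in lines:
        rec = parse_start(line)
        if rec is None:
            continue
        a = rec["addr"]
        if a.is_loopback or a.is_private or a.is_link_local:
            continue
        counts[(rec["service"], str(a))] += 1
    return counts

SAMPLE = [  # lines from the thread, plus one constructed EXIT line at the end
    "Apr 6 04:29:20 server xinetd[3030]: START: auth pid=9974 from=148.160.16.68",
    "Apr 6 04:43:28 server xinetd[3030]: START: auth pid=11017 from=193.226.125.9",
    "Apr 6 05:03:01 server xinetd[3030]: START: auth pid=12394 from=127.0.0.1",
    "Apr 6 17:27:49 server xinetd[19048]: START: auth pid=2170 from=65.19.147.89",
    "Apr 6 18:28:06 server xinetd[19048]: START: auth pid=6495 from=212.160.225.3",
    "Sep 29 12:08:52 server xinetd[24892]: START: imap pid=21310 from=210.137.108.3",
    "Apr 6 04:29:20 server xinetd[3030]: EXIT: auth status=0 pid=9974 duration=0(sec)",
]
for (service, src), n in sorted(external_connections(SAMPLE).items()):
    print(f"{service:6} {src:16} {n}")
```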