Incorrect log entries?

This is a discussion on Incorrect log entries? within the Linux Security forums, part of the System Security and Security Related category.


#1
11-22-2005, wahlis

Like everybody, I have a million of those braindead brute force ssh
attacks towards my machine, so normally I don't care about this type of
error. But the log entry below caught my attention.

Nov 21 18:53:31 server sshd[9798]: warning: /etc/hosts.allow, line 14: host name/name mismatch: unknown.Level3.net != www.Level3.com
Nov 21 18:53:32 server sshd[9798]: Address 63.211.110.162 maps to unknown.level3.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 21 18:53:32 server sshd[9798]: Failed password for root from 63.211.110.162 port 36670 ssh2
Nov 21 18:53:32 server sshd[9799]: Failed password for root from 63.211.110.162 port 36670 ssh2

On line 14 in hosts.allow there is the entry ALL: [my.private.server]

Does the log entry say that it tried to reverse lookup to find a match
against line 14 but broke down, or is this some new hack to bypass
tcpwrappers?

/F

#2
11-22-2005, John Wingate
Re: Incorrect log entries?

wahlis <wahlis@gmail.com> wrote:
> Like everybody, I have a million of those braindead brute force ssh
> attacks towards my machine, so normally I don't care about this type of
> error. But the log entry below caught my attention.
>
> Nov 21 18:53:31 server sshd[9798]: warning: /etc/hosts.allow, line 14: host name/name mismatch: unknown.Level3.net != www.Level3.com
> Nov 21 18:53:32 server sshd[9798]: Address 63.211.110.162 maps to unknown.level3.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Nov 21 18:53:32 server sshd[9798]: Failed password for root from 63.211.110.162 port 36670 ssh2
> Nov 21 18:53:32 server sshd[9799]: Failed password for root from 63.211.110.162 port 36670 ssh2
>
> On line 14 in hosts.allow there is the entry ALL: [my.private.server]
>
> Does the log entry say that it tried to reverse lookup to find a match
> against line 14 but broke down, or is this some new hack to bypass
> tcpwrappers?


You are seeing a reverse lookup failure. Dig suggests misconfigured
DNS records:

162.110.211.63.in-addr.arpa. 1H IN PTR unknown.Level3.net.
unknown.Level3.net. 1H IN CNAME www.Level3.com.
www.Level3.com. 1H IN A 4.68.95.10

I have no idea what 63.211.110.162 is now, but it refuses connections
on port 80, so probably is not a web server. :)

--
John Wingate
johnww@worldpath.net
Mathematics is the art which teaches one how not to make calculations.
--Oscar Chisini
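The two warnings in the question come from two different checks, and the dig output in the answer explains both: tcp_wrappers resolves the client address to a PTR name, then looks that name up forwards and complains when the official name it gets back (the end of the CNAME chain, www.Level3.com) differs from the PTR name; sshd separately checks whether the addresses of the PTR name include the connecting address, and 4.68.95.10 is not 63.211.110.162, hence "does not map back". The script below is an added example, not code from either poster. It replays both checks offline against a constructed copy of the three records from the dig output, adds a made-up host (good.example / 192.0.2.7, RFC 5737 documentation range) whose records do agree for contrast, and parses the posted sshd lines (unwrapped) so the same condition can be picked out of a real log. The record table, the host names good.example and the function names are all assumptions of the example.

```python
"""Replay of the reverse-DNS checks sshd and tcp_wrappers ran on the connection
in the thread, against a constructed offline copy of the DNS records."""
import ipaddress
import re

# Constructed zone data. The Level3 records are the three lines from the dig
# output in the answer; the good.example / 192.0.2.7 entries are made up
# (RFC 5737 documentation range) to show a host whose lookups agree.
RECORDS = {
    ("162.110.211.63.in-addr.arpa.", "PTR"): ["unknown.level3.net."],
    ("unknown.level3.net.", "CNAME"): ["www.level3.com."],
    ("www.level3.com.", "A"): ["4.68.95.10"],
    ("7.2.0.192.in-addr.arpa.", "PTR"): ["good.example."],
    ("good.example.", "A"): ["192.0.2.7"],
}


def _fqdn(name):
    """Case-fold (DNS names are case-insensitive) and add the trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(name, rtype, _depth=0):
    """Answer name/rtype from the toy zone, following CNAMEs as a resolver would."""
    name = _fqdn(name)
    if (name, rtype) in RECORDS:
        return list(RECORDS[(name, rtype)])
    cname = RECORDS.get((name, "CNAME"))
    if cname and rtype != "CNAME" and _depth < 8:  # bound CNAME chains
        return lookup(cname[0], rtype, _depth + 1)
    return []


def canonical_name(name):
    """The official name a forward lookup reports: the end of the CNAME chain."""
    name = _fqdn(name)
    for _ in range(8):
        cname = RECORDS.get((name, "CNAME"))
        if not cname:
            break
        name = cname[0]
    return name


def tcpwrappers_name_check(ip):
    """tcp_wrappers' test behind 'host name/name mismatch': the PTR name must
    equal the official name its forward lookup returns. -> (ptr, official, ok)"""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptrs:
        return (None, None, False)
    official = canonical_name(ptrs[0])
    return (ptrs[0], official, official == ptrs[0])


def sshd_reverse_mapping_check(ip):
    """sshd's test behind 'does not map back': the addresses of the PTR name
    must include the client address. -> (ptr, addrs, ok)"""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptrs:
        return (None, [], False)
    addrs = lookup(ptrs[0], "A")
    return (ptrs[0], addrs, ip in addrs)


# Constructed sample: the warning lines from the question, unwrapped.
SAMPLE_LOG = """\
Nov 21 18:53:31 server sshd[9798]: warning: /etc/hosts.allow, line 14: host name/name mismatch: unknown.Level3.net != www.Level3.com
Nov 21 18:53:32 server sshd[9798]: Address 63.211.110.162 maps to unknown.level3.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 21 18:53:32 server sshd[9798]: Failed password for root from 63.211.110.162 port 36670 ssh2
"""

MAPBACK_RE = re.compile(r"sshd\[\d+\]: Address (\S+) maps to (\S+), but this does not map back")
MISMATCH_RE = re.compile(r"host name/name mismatch: (\S+) != (\S+)")


def reverse_dns_warnings(log_text):
    """Pull the reverse-DNS warnings out of sshd log lines as (kind, a, b) tuples."""
    found = []
    for line in log_text.splitlines():
        m = MAPBACK_RE.search(line)
        if m:
            found.append(("no-map-back", m.group(1), m.group(2)))
            continue
        m = MISMATCH_RE.search(line)
        if m:
            found.append(("name-mismatch", m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    for ip in ("63.211.110.162", "192.0.2.7"):
        print(ip, "tcp_wrappers:", tcpwrappers_name_check(ip))
        print(ip, "sshd:", sshd_reverse_mapping_check(ip))
    for w in reverse_dns_warnings(SAMPLE_LOG):
        print("log:", w)
```

Both checks fail for 63.211.110.162 purely because of the remote operator's PTR/CNAME setup, which is why sshd still went on to evaluate the password (and logged the failed root login): with the default UseDNS behaviour the warning is advisory, and it is the "Failed password for root" lines, not the DNS noise, that are worth alerting on.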