> i have tried to use nmap in RH9 but it didn't give rise to any logging
> by the system unless explicit options were specified at the shell
> prompt.

This is linux, were you expecting an ISA like interface?

> Is there a way of ensuring that any nmap command directed at a
> particular is logged? Can any other utility be used to effect the
> same? Are there RH9 logs available which have footprints of the attacks
> mentioned above?

iptables -t filter -I INPUT -j LOG

Of course there are other options to iptables that you should really read up on, but that will essentially log every packet that is destined for your linux box to the location /var/log/messages (I am assuming a default redhat kernel with netfilter enabled).

> I request you to please send any such log files. This is an academic
> project and the logs won't be misused in any way. Anonymizing the IP
> addresses will also do.

The IP addresses below are from the attacker, I could care less if anyone knows ;~)

<SNIPPET OF SSH ATTACK>
Jan 25 17:21:26 hope sshd[17510]: Did not receive identification string from 61.246.206.27
Jan 25 17:33:03 hope sshd(pam_unix)[17512]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.246.206.27 user=nobody
Jan 25 17:33:05 hope sshd[17512]: Failed password for nobody from 61.246.206.27 port 45531 ssh2
Jan 25 17:33:10 hope sshd[17515]: Invalid user patrick from 61.246.206.27
Jan 25 17:33:10 hope sshd(pam_unix)[17515]: check pass; user unknown
Jan 25 17:33:10 hope sshd(pam_unix)[17515]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.246.206.27
Jan 25 17:33:12 hope sshd[17515]: Failed password for invalid user patrick from 61.246.206.27 port 45610 ssh2
Jan 25 17:33:17 hope sshd[17518]: Invalid user patrick from 61.246.206.27
Jan 25 17:33:17 hope sshd(pam_unix)[17518]: check pass; user unknown
Jan 25 17:33:17 hope sshd(pam_unix)[17518]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.246.206.27
Jan 25 17:33:20 hope sshd[17518]: Failed password for invalid user patrick from 61.246.206.27 port 45673 ssh2
Jan 25 17:33:29 hope sshd(pam_unix)[17521]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.246.206.27 user=root
Jan 25 17:33:32 hope sshd[17521]: Failed password for root from 61.246.206.27 port 45730 ssh2
Jan 25 20:53:51 hope sshd[17560]: Did not receive identification string from 216.27.72.182
Jan 25 21:05:51 hope sshd(pam_unix)[17562]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=nobody
Jan 25 21:05:53 hope sshd[17562]: Failed password for nobody from 216.27.72.182 port 51941 ssh2
Jan 25 21:05:54 hope sshd[17565]: Invalid user patrick from 216.27.72.182
Jan 25 21:05:54 hope sshd(pam_unix)[17565]: check pass; user unknown
Jan 25 21:05:54 hope sshd(pam_unix)[17565]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:05:56 hope sshd[17565]: Failed password for invalid user patrick from 216.27.72.182 port 52057 ssh2
Jan 25 21:05:57 hope sshd[17568]: Invalid user patrick from 216.27.72.182
Jan 25 21:05:57 hope sshd(pam_unix)[17568]: check pass; user unknown
Jan 25 21:05:57 hope sshd(pam_unix)[17568]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:05:59 hope sshd[17568]: Failed password for invalid user patrick from 216.27.72.182 port 52151 ssh2
Jan 25 21:06:00 hope sshd(pam_unix)[17571]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:06:02 hope sshd[17571]: Failed password for root from 216.27.72.182 port 52251 ssh2
Jan 25 21:06:03 hope sshd(pam_unix)[17574]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:06:05 hope sshd[17574]: Failed password for root from 216.27.72.182 port 52349 ssh2
Jan 25 21:06:06 hope sshd(pam_unix)[17577]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:06:08 hope sshd[17577]: Failed password for root from 216.27.72.182 port 52446 ssh2
Jan 25 21:06:09 hope sshd(pam_unix)[17580]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:06:11 hope sshd[17580]: Failed password for root from 216.27.72.182 port 52535 ssh2
Jan 25 21:06:12 hope sshd(pam_unix)[17583]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:06:14 hope sshd[17583]: Failed password for root from 216.27.72.182 port 52622 ssh2
Jan 25 21:06:15 hope sshd[17586]: Invalid user rolo from 216.27.72.182
Jan 25 21:06:15 hope sshd(pam_unix)[17586]: check pass; user unknown
Jan 25 21:06:15 hope sshd(pam_unix)[17586]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:17 hope sshd[17586]: Failed password for invalid user rolo from 216.27.72.182 port 52706 ssh2
Jan 25 21:06:18 hope sshd[17589]: Invalid user iceuser from 216.27.72.182
Jan 25 21:06:18 hope sshd(pam_unix)[17589]: check pass; user unknown
Jan 25 21:06:18 hope sshd(pam_unix)[17589]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:20 hope sshd[17589]: Failed password for invalid user iceuser from 216.27.72.182 port 52789 ssh2
Jan 25 21:06:21 hope sshd[17592]: Invalid user horde from 216.27.72.182
Jan 25 21:06:21 hope sshd(pam_unix)[17592]: check pass; user unknown
Jan 25 21:06:21 hope sshd(pam_unix)[17592]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:23 hope sshd[17592]: Failed password for invalid user horde from 216.27.72.182 port 52873 ssh2
Jan 25 21:06:24 hope sshd(pam_unix)[17595]: check pass; user unknown
Jan 25 21:06:24 hope sshd(pam_unix)[17595]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:26 hope sshd[17595]: Failed password for cyrus from 216.27.72.182 port 52963 ssh2
Jan 25 21:06:27 hope sshd[17598]: Invalid user www from 216.27.72.182
Jan 25 21:06:27 hope sshd(pam_unix)[17598]: check pass; user unknown
Jan 25 21:06:27 hope sshd(pam_unix)[17598]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:29 hope sshd[17598]: Failed password for invalid user www from 216.27.72.182 port 53053 ssh2
Jan 25 21:06:30 hope sshd[17601]: Invalid user wwwrun from 216.27.72.182
Jan 25 21:06:30 hope sshd(pam_unix)[17601]: check pass; user unknown
Jan 25 21:06:30 hope sshd(pam_unix)[17601]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:32 hope sshd[17601]: Failed password for invalid user wwwrun from 216.27.72.182 port 53142 ssh2
Jan 25 21:06:33 hope sshd[17604]: Invalid user matt from 216.27.72.182
Jan 25 21:06:33 hope sshd(pam_unix)[17604]: check pass; user unknown
Jan 25 21:06:33 hope sshd(pam_unix)[17604]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:36 hope sshd[17604]: Failed password for invalid user matt from 216.27.72.182 port 53235 ssh2
Jan 25 21:06:36 hope sshd[17607]: Invalid user test from 216.27.72.182
Jan 25 21:06:36 hope sshd(pam_unix)[17607]: check pass; user unknown
Jan 25 21:06:36 hope sshd(pam_unix)[17607]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:39 hope sshd[17607]: Failed password for invalid user test from 216.27.72.182 port 53335 ssh2
Jan 25 21:06:39 hope sshd[17610]: Invalid user test from 216.27.72.182
Jan 25 21:06:39 hope sshd(pam_unix)[17610]: check pass; user unknown
Jan 25 21:06:39 hope sshd(pam_unix)[17610]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:42 hope sshd[17610]: Failed password for invalid user test from 216.27.72.182 port 53423 ssh2
Jan 25 21:06:42 hope sshd[17613]: Invalid user test from 216.27.72.182
Jan 25 21:06:42 hope sshd(pam_unix)[17613]: check pass; user unknown
Jan 25 21:06:42 hope sshd(pam_unix)[17613]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:45 hope sshd[17613]: Failed password for invalid user test from 216.27.72.182 port 53517 ssh2
Jan 25 21:06:45 hope sshd[17616]: Invalid user test from 216.27.72.182
Jan 25 21:06:45 hope sshd(pam_unix)[17616]: check pass; user unknown
Jan 25 21:06:45 hope sshd(pam_unix)[17616]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:48 hope sshd[17616]: Failed password for invalid user test from 216.27.72.182 port 53608 ssh2
Jan 25 21:06:48 hope sshd[17619]: Invalid user www-data from 216.27.72.182
Jan 25 21:06:48 hope sshd(pam_unix)[17619]: check pass; user unknown
Jan 25 21:06:48 hope sshd(pam_unix)[17619]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:51 hope sshd[17619]: Failed password for invalid user www-data from 216.27.72.182 port 53699 ssh2
Jan 25 21:06:51 hope sshd(pam_unix)[17622]: check pass; user unknown
Jan 25 21:06:51 hope sshd(pam_unix)[17622]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:06:54 hope sshd[17622]: Failed password for mysql from 216.27.72.182 port 53788 ssh2
Jan 25 21:06:54 hope sshd(pam_unix)[17625]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=operator
Jan 25 21:06:57 hope sshd[17625]: Failed password for operator from 216.27.72.182 port 53890 ssh2
Jan 25 21:06:57 hope sshd(pam_unix)[17628]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=adm
Jan 25 21:07:00 hope sshd[17628]: Failed password for adm from 216.27.72.182 port 53985 ssh2
Jan 25 21:07:00 hope sshd(pam_unix)[17631]: check pass; user unknown
Jan 25 21:07:00 hope sshd(pam_unix)[17631]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:03 hope sshd[17631]: Failed password for apache from 216.27.72.182 port 54078 ssh2
Jan 25 21:07:03 hope sshd[17634]: Invalid user irc from 216.27.72.182
Jan 25 21:07:03 hope sshd(pam_unix)[17634]: check pass; user unknown
Jan 25 21:07:03 hope sshd(pam_unix)[17634]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:06 hope sshd[17634]: Failed password for invalid user irc from 216.27.72.182 port 54164 ssh2
Jan 25 21:07:07 hope sshd[17637]: Invalid user irc from 216.27.72.182
Jan 25 21:07:07 hope sshd(pam_unix)[17637]: check pass; user unknown
Jan 25 21:07:07 hope sshd(pam_unix)[17637]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:09 hope sshd[17637]: Failed password for invalid user irc from 216.27.72.182 port 54251 ssh2
Jan 25 21:07:10 hope sshd(pam_unix)[17640]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=adm
Jan 25 21:07:12 hope sshd[17640]: Failed password for adm from 216.27.72.182 port 54334 ssh2
Jan 25 21:07:13 hope sshd(pam_unix)[17643]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:15 hope sshd[17643]: Failed password for root from 216.27.72.182 port 54418 ssh2
Jan 25 21:07:16 hope sshd(pam_unix)[17646]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:18 hope sshd[17646]: Failed password for root from 216.27.72.182 port 54499 ssh2
Jan 25 21:07:19 hope sshd(pam_unix)[17649]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:21 hope sshd[17649]: Failed password for root from 216.27.72.182 port 54573 ssh2
Jan 25 21:07:22 hope sshd[17652]: Invalid user jane from 216.27.72.182
Jan 25 21:07:22 hope sshd(pam_unix)[17652]: check pass; user unknown
Jan 25 21:07:22 hope sshd(pam_unix)[17652]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:24 hope sshd[17652]: Failed password for invalid user jane from 216.27.72.182 port 54658 ssh2
Jan 25 21:07:25 hope sshd[17655]: Invalid user pamela from 216.27.72.182
Jan 25 21:07:25 hope sshd(pam_unix)[17655]: check pass; user unknown
Jan 25 21:07:25 hope sshd(pam_unix)[17655]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:27 hope sshd[17655]: Failed password for invalid user pamela from 216.27.72.182 port 54748 ssh2
Jan 25 21:07:28 hope sshd(pam_unix)[17658]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:30 hope sshd[17658]: Failed password for root from 216.27.72.182 port 54838 ssh2
Jan 25 21:07:31 hope sshd(pam_unix)[17661]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:33 hope sshd[17661]: Failed password for root from 216.27.72.182 port 54935 ssh2
Jan 25 21:07:34 hope sshd(pam_unix)[17664]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:36 hope sshd[17664]: Failed password for root from 216.27.72.182 port 55029 ssh2
Jan 25 21:07:37 hope sshd(pam_unix)[17667]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:39 hope sshd[17667]: Failed password for root from 216.27.72.182 port 55130 ssh2
Jan 25 21:07:40 hope sshd(pam_unix)[17670]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:42 hope sshd[17670]: Failed password for root from 216.27.72.182 port 55230 ssh2
Jan 25 21:07:43 hope sshd[17673]: Invalid user cosmin from 216.27.72.182
Jan 25 21:07:43 hope sshd(pam_unix)[17673]: check pass; user unknown
Jan 25 21:07:43 hope sshd(pam_unix)[17673]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182
Jan 25 21:07:45 hope sshd[17673]: Failed password for invalid user cosmin from 216.27.72.182 port 55334 ssh2
Jan 25 21:07:46 hope sshd(pam_unix)[17676]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:48 hope sshd[17676]: Failed password for root from 216.27.72.182 port 55437 ssh2
Jan 25 21:07:49 hope sshd(pam_unix)[17679]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:51 hope sshd[17679]: Failed password for root from 216.27.72.182 port 55545 ssh2
Jan 25 21:07:52 hope sshd(pam_unix)[17682]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.27.72.182 user=root
Jan 25 21:07:54 hope sshd[17682]: Failed password for root from 216.27.72.182 port 55651 ssh2
</SNIPPET>

> Yours sincerely,
> Sujit.
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
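As an added example (not part of the original post), a small parser for sshd "Failed password" lines in the syslog format shown in the snippet above, grouping failures by source address so a password-guessing run against root and non-existent accounts stands out. The sample lines and the RFC 5737 addresses are constructed, and the threshold of 3 is an arbitrary example value.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sshd/pam_unix syslog format shown in the
# post; the addresses are RFC 5737 documentation ranges, not the real ones.
SAMPLE_LOG = """\
Jan 25 17:21:26 hope sshd[17510]: Did not receive identification string from 192.0.2.10
Jan 25 17:33:05 hope sshd[17512]: Failed password for nobody from 192.0.2.10 port 45531 ssh2
Jan 25 17:33:10 hope sshd[17515]: Invalid user patrick from 192.0.2.10
Jan 25 17:33:12 hope sshd[17515]: Failed password for invalid user patrick from 192.0.2.10 port 45610 ssh2
Jan 25 17:33:32 hope sshd[17521]: Failed password for root from 192.0.2.10 port 45730 ssh2
Jan 25 21:06:02 hope sshd[17571]: Failed password for root from 198.51.100.7 port 52251 ssh2
Jan 25 21:06:05 hope sshd[17574]: Failed password for root from 198.51.100.7 port 52349 ssh2
Jan 25 21:06:08 hope sshd[17577]: Failed password for root from 198.51.100.7 port 52446 ssh2
Jan 25 21:06:17 hope sshd[17586]: Failed password for invalid user rolo from 198.51.100.7 port 52706 ssh2
Jan 25 22:00:00 hope sshd[17700]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
"""

# The "Failed password" line carries user, source IP and the "invalid user" marker together.
FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def summarize_failures(text):
    """Group failed-password events by source IP -> {ip: {total, invalid_users, valid_users}}."""
    stats = defaultdict(lambda: {"total": 0, "invalid_users": set(), "valid_users": set()})
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # pam_unix, "Invalid user" and "Accepted" lines are not counted
        s = stats[m["ip"]]
        s["total"] += 1
        s["invalid_users" if m["invalid"] else "valid_users"].add(m["user"])
    return dict(stats)

def brute_force_sources(text, threshold=3):
    """Source IPs with at least `threshold` failures (an arbitrary example value), most failures first."""
    stats = summarize_failures(text)
    hits = [ip for ip, s in stats.items() if s["total"] >= threshold]
    return sorted(hits, key=lambda ip: -stats[ip]["total"])

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip in brute_force_sources(SAMPLE_LOG):
        s = stats[ip]
        print(f"{ip}: {s['total']} failed logins; existing accounts tried "
              f"{sorted(s['valid_users'])}, nonexistent {sorted(s['invalid_users'])}")
```

Point it at /var/log/messages or /var/log/secure instead of SAMPLE_LOG to run it over a real RH9 host's records.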
This archive was generated by hypermail 2.1.3 : Thu Jan 27 2005 - 14:38:23 PST