wallyk - Developer IT

repeated failing passwords in linux security log (/var/log/secure)

- by wallyk

Recently, I opened up the SSH port through my firewalls (and redirecting to my server) so I could check on the (http) server while on the road. The first week or two there was nothing different. But now, three or four weeks later, I see lots of this: Mar 20 08:38:28 localhost sshd[21895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root Mar 20 08:38:31 localhost sshd[21895]: Failed password for root from 207.210.101.209 port 2854 ssh2 Mar 20 15:38:31 localhost sshd[21896]: Received disconnect from 207.210.101.209: 11: Bye Bye Mar 20 08:38:32 localhost unix_chkpwd[21900]: password check failed for user (root) Mar 20 08:38:32 localhost sshd[21898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root Mar 20 08:38:34 localhost sshd[21898]: Failed password for root from 207.210.101.209 port 3729 ssh2 Mar 20 15:38:35 localhost sshd[21899]: Received disconnect from 207.210.101.209: 11: Bye Bye Mar 20 08:38:36 localhost unix_chkpwd[21903]: password check failed for user (root) Mar 20 08:38:36 localhost sshd[21901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root Mar 20 08:38:38 localhost sshd[21901]: Failed password for root from 207.210.101.209 port 4313 ssh2 Mar 20 15:38:38 localhost sshd[21902]: Received disconnect from 207.210.101.209: 11: Bye Bye Mar 20 08:38:40 localhost unix_chkpwd[21906]: password check failed for user (root) Mar 20 08:38:40 localhost sshd[21904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root Mar 20 08:38:42 localhost sshd[21904]: Failed password for root from 207.210.101.209 port 4869 ssh2 Mar 20 15:38:43 localhost sshd[21905]: Received disconnect from 207.210.101.209: 11: Bye Bye Mar 20 08:38:44 localhost unix_chkpwd[21909]: password check failed for user (root) Mar 20 08:38:44 localhost sshd[21907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net user=root Mar 20 08:38:46 localhost sshd[21907]: Failed password for root from 207.210.101.209 port 2512 ssh2 Mar 20 15:38:47 localhost sshd[21908]: Received disconnect from 207.210.101.209: 11: Bye Bye Mar 20 15:38:57 localhost sshd[21912]: Connection closed by 207.210.101.209 There are about 1100 lines of these for March 20th, zero for the 19th, and 800 or so for the 18th—all related to the same IP. What does it mean? What should I do? Why isn't it chronological?

Read the article

apache mod_rewrite rule in httpd.conf for modifying some paths, but not others

- by wallyk

I'm having quite a challenge creating an appropriate rewrite rule for Apache/2.2.14 on Fedora 10. I'm working through the CodeIgniter-Doctrine tutorial which uses an .htaccess file. (Search for Removing “index.php” from CodeIgniter urls about 10% down.) But since that's not recommended for a production server, I'm trying to tweak it to work in /etc/httpd/conf/httpd.conf. <VirtualHost *:80> ServerName ci_doctrine DocumentRoot /var/www/html/ci_doctrine ErrorLog /var/log/httpd/cid-error_log CustomLog /var/log/httpd/cid-access_log common <IfModule mod_rewrite.c> RewriteEngine on RewriteLog /var/log/httpd/cid_rewrite RewriteLogLevel 9 # RewriteCond ^/css/style.css$ (these have bad syntax, but that's beside the point) # RewriteRule ^/css/style.css$ /css/style.css [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ /index.php/$1 [L] </IfModule> <IfModule !mod_rewrite.c> ErrorDocument 404 /ci_doctrine/index.php </IfModule> </VirtualHost> It seems like the tutorial .htaccess rules properly test for existing files and then not alter the URL in such cases, but the rewrite log says that the conditions are true (that is, the file does not exist) even though it's there. 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) init rewrite engine with requested uri /login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (3) applying pattern '^(.*)$' to uri '/login' 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (4) RewriteCond: input='/login' pattern='!-f' => matched 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (4) RewriteCond: input='/login' pattern='!-d' => matched 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) rewrite '/login' -> '/index.php//login' 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) local path result: /index.php//login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) prefixed with document_root to /var/www/html/ci_doctrine/index.php/login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (1) go-ahead with /var/www/html/ci_doctrine/index.php/login [OK] 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) init rewrite engine with requested uri /login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (3) applying pattern '^(.*)$' to uri '/login' 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (4) RewriteCond: input='/login' pattern='!-f' => matched 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (4) RewriteCond: input='/login' pattern='!-d' => matched 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) rewrite '/login' -> '/index.php//login' 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) local path result: /index.php//login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) prefixed with document_root to /var/www/html/ci_doctrine/index.php/login 127.0.0.1 - - [03/May/2010:23:26:56 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (1) go-ahead with /var/www/html/ci_doctrine/index.php/login [OK] 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) init rewrite engine with requested uri /css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (3) applying pattern '^(.*)$' to uri '/css/style.css' 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (4) RewriteCond: input='/css/style.css' pattern='!-f' => matched 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (4) RewriteCond: input='/css/style.css' pattern='!-d' => matched 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) rewrite '/css/style.css' -> '/index.php//css/style.css' 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) local path result: /index.php//css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (2) prefixed with document_root to /var/www/html/ci_doctrine/index.php/css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#167e8e0/initial] (1) go-ahead with /var/www/html/ci_doctrine/index.php/css/style.css [OK] 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) init rewrite engine with requested uri /css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (3) applying pattern '^(.*)$' to uri '/css/style.css' 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (4) RewriteCond: input='/css/style.css' pattern='!-f' => matched 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (4) RewriteCond: input='/css/style.css' pattern='!-d' => matched 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) rewrite '/css/style.css' -> '/index.php//css/style.css' 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) local path result: /index.php//css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (2) prefixed with document_root to /var/www/html/ci_doctrine/index.php/css/style.css 127.0.0.1 - - [03/May/2010:23:26:58 --0700] [ci_doctrine/sid#13c1868][rid#16848f8/subreq] (1) go-ahead with /var/www/html/ci_doctrine/index.php/css/style.css [OK] The file .../css/style.css was working properly before I started messing around with the rewrite rules, so it should be in the right place. But now the path is always munged up by the rewriting, though the virtual components below index.php are properly translated. What am I doing wrong?

Developer IT