Hello,
Today I received the following abuse mail from my provider. I read the log as saying that someone is trying, from my server, to log in via ssh to a third-party server.
> Dear Sir/Madam,
>
> We have detected abuse from the IP address 80.241.214.159, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.
>
> Log lines are given below, but please ask if you require any further information.
>
> (If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
>
> Note: Local timezone is +0200 (CEST)
> Sep 11 08:50:01 secgw sshd[31689]: Failed password for root from 80.241.214.159 port 53271 ssh2
> Sep 11 08:50:01 secgw sshd[31689]: Received disconnect from 80.241.214.159: 11: Bye Bye [preauth]
> Sep 11 08:50:05 secgw sshd[31691]: Failed password for root from 80.241.214.159 port 53439 ssh2
> Sep 11 08:50:05 secgw sshd[31691]: Received disconnect from 80.241.214.159: 11: Bye Bye [preauth]
> Sep 11 08:50:06 secgw sshd[31693]: Invalid user berton from 80.241.214.159
> Sep 11 08:50:07 secgw sshd[31693]: Failed password for invalid user berton from 80.241.214.159 port 53687 ssh2
How can you find out what/who is behind this?
Regards
Stefan
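The lines in the abuse mail are the reporting host's sshd log, and the same format is what your own server writes to its auth log. A parser over those lines, as an added example (not code from the poster, the provider, or Fail2Ban), shows how to triage such logs from the defender's side: group attempts per source IP, separate existing from non-existent usernames, and flag any source that had failures followed by an accepted login, which on your own server would point to the account an intruder used before your host started attacking outwards. The six report lines are copied from the mail; the `192.0.2.10` lines and the host name `myhost` are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Standard syslog framing "Mon DD HH:MM:SS host sshd[pid]: " followed by the
# sshd message forms seen in the abuse report plus sshd's "Accepted" form.
_PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
_FAILED = re.compile(_PREFIX + r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
_INVALID = re.compile(_PREFIX + r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
_ACCEPTED = re.compile(_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                       r"from (?P<ip>[\d.]+) port \d+")


@dataclass
class SourceSummary:
    """Everything one source IP did against sshd in the examined log."""
    failed: int = 0
    accepted: int = 0
    users: set = field(default_factory=set)           # every username tried
    invalid_users: set = field(default_factory=set)   # usernames that do not exist locally
    accepted_users: set = field(default_factory=set)  # usernames that logged in
    first_seen: str = ""
    last_seen: str = ""


def _touch(s, ts):
    # Assumes lines arrive in log order, as they do when reading auth.log top to bottom.
    if not s.first_seen:
        s.first_seen = ts
    s.last_seen = ts


def summarize(lines):
    """Return {source_ip: SourceSummary} for the given sshd log lines."""
    by_ip = defaultdict(SourceSummary)
    for line in lines:
        m = _FAILED.match(line)
        if m:
            s = by_ip[m["ip"]]
            s.failed += 1
            s.users.add(m["user"])
            if m["invalid"]:
                s.invalid_users.add(m["user"])
            _touch(s, m["ts"])
            continue
        m = _ACCEPTED.match(line)
        if m:
            s = by_ip[m["ip"]]
            s.accepted += 1
            s.users.add(m["user"])
            s.accepted_users.add(m["user"])
            _touch(s, m["ts"])
            continue
        m = _INVALID.match(line)
        if m:
            s = by_ip[m["ip"]]
            s.invalid_users.add(m["user"])
            _touch(s, m["ts"])
        # "Received disconnect" and other lines carry nothing extra for this summary.
    return dict(by_ip)


def likely_compromised(summary):
    """Sources that failed first and then got in: the classic brute-force success pattern."""
    return sorted(ip for ip, s in summary.items() if s.failed and s.accepted)


def report(summary):
    """Human-readable one-liners per source, sorted by number of failures."""
    out = []
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1].failed):
        flag = " <-- LOGIN AFTER FAILURES" if s.failed and s.accepted else ""
        out.append(f"{ip}: {s.failed} failed, {s.accepted} accepted, users={sorted(s.users)}, "
                   f"nonexistent={sorted(s.invalid_users)}, {s.first_seen} .. {s.last_seen}{flag}")
    return out


# Constructed sample: the six lines from the abuse mail plus two lines for a
# second source (192.0.2.10 is a documentation address) that got in on its second try.
SAMPLE_LINES = [
    "Sep 11 08:50:01 secgw sshd[31689]: Failed password for root from 80.241.214.159 port 53271 ssh2",
    "Sep 11 08:50:01 secgw sshd[31689]: Received disconnect from 80.241.214.159: 11: Bye Bye [preauth]",
    "Sep 11 08:50:05 secgw sshd[31691]: Failed password for root from 80.241.214.159 port 53439 ssh2",
    "Sep 11 08:50:05 secgw sshd[31691]: Received disconnect from 80.241.214.159: 11: Bye Bye [preauth]",
    "Sep 11 08:50:06 secgw sshd[31693]: Invalid user berton from 80.241.214.159",
    "Sep 11 08:50:07 secgw sshd[31693]: Failed password for invalid user berton from 80.241.214.159 port 53687 ssh2",
    "Sep 11 09:12:35 myhost sshd[31798]: Failed password for root from 192.0.2.10 port 40011 ssh2",
    "Sep 11 09:12:40 myhost sshd[31800]: Accepted password for root from 192.0.2.10 port 40022 ssh2",
]

SUMMARY = summarize(SAMPLE_LINES)

if __name__ == "__main__":
    for line in report(SUMMARY):
        print(line)
    print("sources with a login after failed attempts:", likely_compromised(SUMMARY))
```

Run it against your own `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample list: any source that the `LOGIN AFTER FAILURES` flag picks out, and the account it logged into, is where to start looking for what was installed on the machine.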