possible hacking attempt on root login?

msam
Posts: 2
Joined: 2017/04/09 01:18:20
Location: Stockton CA

possible hacking attempt on root login?

Post by msam » 2017/04/15 06:04:50

Good evening friends,

I am new to CentOS 7; the minimal install went well, with updates good to go. It's a smooth OS for Linux. It's a test server for training, not production. I am very happy with it. My specific concern is that yesterday I received a message after the morning power up and boot: after logging into the root login on the command line, the message indicated "600 unsuccessful attempts to log in attempts." The server is behind a NAT router, correctly configured, and I am running httpd, ssh, and smb services successfully with good connections from outside on the public WAN. What type of program would have the capability to run that many login attempts? I haven't seen any more indications of this problem for the rest of the day. I really don't see any indications of intrusions, but my monitoring capabilities are limited to standard ss -t type commands on the system and looking at the devices connected to the router. I am just looking for some security suggestions and some ways to monitor the security better. The firewalld seems to be set correctly on the public zone with the correct ports and so forth. Any general security suggestions? The install was done with the minimum security profile.

thanks,

msam

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: possible hacking attempt on root login?

Post by lightman47 » 2017/04/15 11:27:44

/var/log/secure should contain more info.
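
As an added example (not part of any post in this thread), one way to summarise the failed sshd password attempts recorded in /var/log/secure and to flag any source address that also logged in successfully. The sample log lines, host name, user names and addresses are constructed, and the function names are hypothetical; the line format is the one OpenSSH's sshd writes.

```shell
#!/bin/bash
# Added example: summarise sshd password failures from /var/log/secure.

# Constructed sample lines in the format sshd writes; the host, users and
# addresses (documentation ranges) are made up for illustration.
sample_log() {
cat <<'EOF'
Apr 14 03:12:45 testbox sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 14 03:12:47 testbox sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 14 03:12:50 testbox sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 14 03:13:02 testbox sshd[1240]: Failed password for root from 198.51.100.7 port 40100 ssh2
Apr 14 03:13:09 testbox sshd[1240]: Accepted password for root from 198.51.100.7 port 40102 ssh2
Apr 14 08:01:02 testbox sshd[2001]: Accepted password for trainee from 192.0.2.10 port 50022 ssh2
EOF
}

# Shared awk helper: index of the last "from" field, so that $(f - 1) is
# the user name and $(f + 1) is the source address.
AWK_FROM='function from_idx(   i, p) { for (i = 2; i < NF; i++) if ($i == "from") p = i; return p }'

# failed_by_source [FILE]: prints "count ip user", busiest first.
failed_by_source() {
    awk "$AWK_FROM"'
        /sshd\[[0-9]+\]: Failed password for / {
            f = from_idx(); if (f) count[$(f + 1) " " $(f - 1)]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# mixed_sources [FILE]: addresses with at least one failed password AND at
# least one accepted login (in any order), with both counts.
mixed_sources() {
    awk "$AWK_FROM"'
        /sshd\[[0-9]+\]: Failed password for / { f = from_idx(); if (f) failed[$(f + 1)]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / { f = from_idx(); if (f) ok[$(f + 1)]++ }
        END { for (ip in ok) if (ip in failed) print ip, "failed=" failed[ip], "accepted=" ok[ip] }
    ' "$@" | LC_ALL=C sort
}

# With a file argument (e.g. /var/log/secure, read as root) report on that
# file; with no argument, report on the constructed sample.
log="${1:-}"
feed() { if [ -n "$log" ]; then cat "$log"; else sample_log; fi; }
echo "== failed password attempts (count source user) =="
feed | failed_by_source
echo "== sources with both failures and an accepted login =="
feed | mixed_sources
```

A source that shows up in the second list with a large failure count is the one to investigate first, since it is where a guessed password would appear.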

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: possible hacking attempt on root login?

Post by TrevorH » 2017/04/15 16:01:46

There are many script kiddies out on the internet who run pre-written scripts that attempt to exploit vulnerabilities. One of the things that's often tested is an open port 22 (ssh), where they attempt to log in with known usernames and easy-to-guess passwords, and that generates a lot of log spam. Best practice on ssh is to generate and use a public/private key pair, install the public key in your user's .ssh directory with the correct permissions as "authorized_keys" and then test it. If it works, you can disable password-based logins entirely, which defeats those drive-by ssh attacks completely. You do still get the log noise, however, but it's now something you don't need to worry about. There is also a school of thought that says that moving the ssh daemon to a different port can help, but that really just makes it slightly more difficult to find so the automated scripts don't use it. Anyone who you really need to be concerned about breaking in will find out anyway.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

msam
Posts: 2
Joined: 2017/04/09 01:18:20
Location: Stockton CA

Re: possible hacking attempt on root login?

Post by msam » 2017/04/15 22:09:19

Thank you very much for the feedback; I will proceed with both of your suggestions.

Thanks so much.

msam
