Hi everyone,
I have some very strange information in my /var/log/secure:
find /var/log | xargs grep -i 62.149.129.73 2>/dev/null
/var/log/secure:Dec 13 21:32:38 baravalle xinetd[1219]: START: smtp
pid=26049 from=62.149.129.73
/var/log/secure:Dec 13 21:32:38 baravalle sshd[26048]: Did not receive
identification string from ::ffff:62.149.129.73
/var/log/secure:Dec 13 20:33:33 baravalle sshd[26059]: Failed none for
invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
/var/log/secure:Dec 13 21:33:42 baravalle sshd[26058]: Failed password
for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
/var/log/secure:Dec 13 20:33:42 baravalle sshd[26059]: Failed password
for invalid user admin1000000 from ::ffff:62.149.129.73 port 3754 ssh2
Apparently someone tried to log in with a user name (I changed the
username here). I don't like the timestamps: 21:32:38, 20:33:33,
21:33:42, 20:33:42.
Why is that?
By the way, most probably the access has been done by my provider.
They are denying it, but there is overwhelming evidence: the username
used is the one that they gave me, which is the word admin and a
string of 7 digits. The username should be known just by me, my
business partner and my provider. The username was anyway invalid in
the system, because I had disabled SSH access from all users but the
ones in a group. Nevertheless, in their records, the provider had
another user name that I didn't disable (stupid me) because they did
some maintenance work not long ago. I can't see any access from the
correct user name since the last time I had authorised them to access
the server.
Anyone able to bring some light?
Andres