[CentOS] authentication failure

Sat Jan 23 17:20:01 UTC 2010
Athmane Madjoudj <athmanem at gmail.com>

On Sat, Jan 23, 2010 at 6:14 PM, madunix <madunix at gmail.com> wrote:
> I noticed that my server has had a lot of auth failures, ca. 1000 per day,
> from different addresses located in China, Romania and the Netherlands for
> the last 3 days.
> It looks to me like somebody is trying to get into the server by guessing
> my password by brute force.
> What would be the best way to stop this attack, and how? The server is
> running Apache, MySQL and FTP.
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 80/tcp   open  http
> 443/tcp  open  https
> 3306/tcp open  mysql
> ...
> Jan 22 16:07:14 user vsftpd(pam_unix)[17462]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: check pass; user unknown
> Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=195.95.228.150
> Jan 22 16:07:17 user vsftpd(pam_unix)[17462]: check pass; user unknown
> Jan 23 17:23:52 user vsftpd(pam_unix)[20524]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:23:55 user vsftpd(pam_unix)[20524]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 17:23:59 user vsftpd(pam_unix)[20524]: check pass; user unknown
> Jan 23 17:24:58 user vsftpd(pam_unix)[20524]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=221.7.40.47
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:37:47 user vsftpd(pam_unix)[1791]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: check pass; user unknown
> Jan 23 00:38:06 user vsftpd(pam_unix)[1791]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=217.23.14.168
> ...
>
> Thanks
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

Maybe a brute force attack; try installing a HIDS like:

APF/BFD: http://www.rfxn.com/projects/advanced-policy-firewall/
                http://www.rfxn.com/projects/brute-force-detection/

Fail2ban: http://www.fail2ban.org/

Fail2ban is available in EPEL repos.

HTH
-- 
Athmane Madjoudj
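As an added example that is not part of this thread (it is neither poster's code nor anything from fail2ban or BFD), the following Python script parses pam_unix "authentication failure" records of the kind quoted above, counts failures per remote host, and flags the hosts that produce a burst of failures inside a short window, which is the same maxretry/findtime idea a fail2ban jail applies before banning. The embedded log lines are constructed with RFC 5737 documentation addresses, with the mail wrapping undone so that each record is on one line; the parameter names `maxretry` and `findtime` are borrowed from fail2ban, but the sliding-window logic here is the example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, modelled on the vsftpd/pam_unix lines quoted in the
# thread. The source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 22 16:07:14 user vsftpd(pam_unix)[17462]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: check pass; user unknown
Jan 22 16:07:16 user vsftpd(pam_unix)[16737]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 22 16:07:18 user vsftpd(pam_unix)[16737]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 22 16:07:20 user vsftpd(pam_unix)[16737]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 22 16:07:22 user vsftpd(pam_unix)[16737]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.10
Jan 22 16:09:30 user vsftpd(pam_unix)[17500]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
Jan 22 16:30:00 user vsftpd(pam_unix)[17600]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7
Jan 22 16:31:00 user vsftpd(pam_unix)[17601]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Jan 22 16:32:00 user vsftpd(pam_unix)[17602]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Jan 22 16:33:00 user vsftpd(pam_unix)[17603]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.7 user=alice
Jan 22 17:00:00 user vsftpd(pam_unix)[17700]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.5 user=bob
"""

# syslog prefix plus the pam_unix message; the day field may be space-padded ("Jan  2")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"vsftpd\(pam_unix\)\[\d+\]: (?P<msg>.*)$"
)
# only the "authentication failure" record carries rhost=; the preceding
# "check pass; user unknown" line does not and is skipped
FAIL_RE = re.compile(r"^authentication failure;.*\brhost=(?P<rhost>\S+)")


def parse_failures(log_text):
    """Map each remote host to the timestamps of its PAM authentication failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for computing differences within one log file
        stamp = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        failures[f["rhost"]].append(stamp)
    return dict(failures)


def failure_counts(failures):
    """Total failures per rhost, the figure the "ca. 1000 per day" in the thread refers to."""
    return Counter({rhost: len(stamps) for rhost, stamps in failures.items()})


def burst_sources(failures, maxretry=5, findtime=600):
    """Return {rhost: first timestamp of the burst} for every host with at least
    `maxretry` failures inside some `findtime`-second window (sliding window)."""
    flagged = {}
    for rhost, stamps in failures.items():
        stamps = sorted(stamps)
        start = 0
        for end, t in enumerate(stamps):
            # slide the window's left edge until it spans at most findtime seconds
            while (t - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[rhost] = stamps[start]
                break
    return flagged


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for rhost, n in failure_counts(fails).most_common():
        print(f"{rhost:16} {n:4d} failures")
    for rhost, since in burst_sources(fails).items():
        print(f"would ban {rhost}: burst starting {since:%b %d %H:%M:%S}")
```

Run against the constructed log it reports 192.0.2.10 as a ban candidate (5 failures in 8 seconds), while 198.51.100.7 has the same total of 5 but only 4 inside any 10-minute window and so is not flagged at the default threshold; tightening `maxretry` to 3 catches it too. That distinction between raw counts and rate is why a tool like fail2ban bans on failures per window rather than on totals, and why `findtime`/`maxretry` are the settings to tune when a jail is either too noisy or too slow to react.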