Thread: Logwatch

    #1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2016
    Location
    Lakewood, WA
    Posts
    207
    Rep Power
    17

    Logwatch


    I run Logwatch because I like the reports (is there something better?) and I've been getting a lot of activity from:

    Code:
    http://245.116.184.35.bc.googleusercontent.com/
    googleusercontent.com is of course Google's CDN. What do you suppose this is? Can't be Google running a dictionary against my server...
    Last edited by Arty Zifferelli; September 16th, 2017 at 08:16 PM.
  2. #2
  3. Lazy Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    16,383
    Rep Power
    9645
    Can you tell what they're doing? Or trying to do? What are they accessing?
  4. #3
  5. Contributing User
    Mostly SSH login attempts:
    Code:
     Failed logins from:
        35.184.116.245 (245.116.184.35.bc.googleusercontent.com): 26 times
           root/password: 14 times
           apache/password: 2 times
           ftp/password: 2 times
           bin/password: 1 time
           daemon/password: 1 time
           games/password: 1 time
           mail/password: 1 time
           mysql/password: 1 time
           ntp/password: 1 time
           sshd/password: 1 time
           sync/password: 1 time
  6. #4
  7. Lazy Moderator
    If you whois that IP address/hostname then you'll see a comment telling you to submit spam and abuse complaints to https://support.google.com/code/go/gce_abuse_report. Go ahead and do that.

    Meanwhile you really should switch away from password-based SSH logins. Use keys. If you're doing that already then you haven't disabled password logins.
    Last edited by requinix; September 17th, 2017 at 02:33 PM.
  8. #5
  9. Contributing User
    Originally Posted by requinix
    Meanwhile you really should switch away from password-based SSH logins. Use keys. If you're doing that already then you haven't disabled password logins.
    Excellent, I will do it today.

    [edit]
    Yes, I made the keys when I set up the server, didn't edit the ssh conf file to do this. Done.
    Last edited by Arty Zifferelli; September 17th, 2017 at 06:44 PM.
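
Added example, not part of the thread: a small check that an sshd_config really has password logins turned off, the step discussed in posts #4 and #5. The sample config and the function names are constructed for illustration; the script reads a single file and does not follow Include directives.

```python
import sys

# Keywords that can allow a typed password; the last is the old name of the second.
WATCHED = ("passwordauthentication", "kbdinteractiveauthentication",
           "challengeresponseauthentication")

# Constructed sample config (not from the thread).
SAMPLE = """\
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global settings, 'yes' overrides found inside Match blocks)."""
    settings, overrides, match = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            match = " ".join(parts[1:])     # block runs until the next Match or EOF
        elif keyword in WATCHED:
            if match is None:
                settings.setdefault(keyword, value)   # sshd keeps the first value
            elif value == "yes":
                overrides.append((lineno, match, parts[0]))
    return settings, overrides

def findings(text):
    (settings, overrides), out = parse(text), []
    if settings.get("passwordauthentication", "yes") != "no":  # absent means yes
        out.append("PasswordAuthentication is not 'no' in the global section")
    for kw in WATCHED[1:]:
        if settings.get(kw) == "yes":
            out.append(f"{kw} is 'yes': keyboard-interactive may still ask for a password")
    out += [f"line {n}: {kw} yes inside 'Match {m}'" for n, m, kw in overrides]
    return out

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(findings(text)) or "password logins are disabled")
```

Running `sshd -T` as root prints the effective configuration, including any included files, and is the authoritative check; sshd must be reloaded before an edit takes effect.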
