  1. #1
    Untanglit (Join Date: Jul 2017, Posts: 22)

    PAM 2 more authentication failures auth.log

    Hello!

    I got this in auth.log:

    Nov 5 17:17:01 watchguard CRON[32387]: pam_unix(cron:session): session opened for user root by (uid=0)
    Nov 5 17:17:01 watchguard CRON[32387]: pam_unix(cron:session): session closed for user root
    Nov 5 17:17:56 watchguard sshd[32662]: rexec line 19: Deprecated option KeyRegenerationInterval
    Nov 5 17:17:56 watchguard sshd[32662]: rexec line 20: Deprecated option ServerKeyBits
    Nov 5 17:17:56 watchguard sshd[32662]: rexec line 31: Deprecated option RSAAuthentication
    Nov 5 17:17:56 watchguard sshd[32662]: rexec line 38: Deprecated option RhostsRSAAuthentication
    Nov 5 17:17:58 watchguard sshd[32662]: reprocess config line 31: Deprecated option RSAAuthentication
    Nov 5 17:17:58 watchguard sshd[32662]: reprocess config line 38: Deprecated option RhostsRSAAuthentication
    Nov 5 17:17:58 watchguard sshd[32662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.44 user=root
    Nov 5 17:18:00 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
    Nov 5 17:18:02 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
    Nov 5 17:18:05 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
    Nov 5 17:18:05 watchguard sshd[32662]: Received disconnect from 116.31.116.44 port 21337:11: [preauth]
    Nov 5 17:18:05 watchguard sshd[32662]: Disconnected from 116.31.116.44 port 21337 [preauth]
    Nov 5 17:18:05 watchguard sshd[32662]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.44 user=root

    Looks like someone tries to get in!

    The IP is from China!

    Is this an attempt that should be stopped in Intrusion Prevention?

    I have tried to block this in the firewall by using a rule blocking Source Address 116.41.116.44, but I still get lines in the log.

    What shall I do?

    Best regards
    nautic

  2. #2
    dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,729)

    If you don't want SSH attempts, don't open SSH. Set your access rules back to the default.

    Alternatively, just set a decent password.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
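
A log check for the excerpt in this thread, as an added example that is not part of either post: it counts sshd "Failed password" lines and PAM failure records per source address, then lists the sources that a given set of blocked addresses does not match. The function names are hypothetical; the log lines and the rule address are the ones quoted in the first post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Log lines copied from the first post (one sshd connection, PID 32662).
SAMPLE_LOG = """\
Nov 5 17:17:58 watchguard sshd[32662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.44 user=root
Nov 5 17:18:00 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
Nov 5 17:18:02 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
Nov 5 17:18:05 watchguard sshd[32662]: Failed password for root from 116.31.116.44 port 21337 ssh2
Nov 5 17:18:05 watchguard sshd[32662]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.44 user=root
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
PAM_FIRST = re.compile(r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)")
PAM_MORE = re.compile(r"sshd\[\d+\]: PAM (\d+) more authentication failures?;.*\brhost=(\S+)")

def summarize(log_text):
    """Per source: sshd 'Failed password' count, PAM failure count, users tried."""
    stats = defaultdict(lambda: {"sshd": 0, "pam": 0, "users": set()})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            stats[m.group(2)]["sshd"] += 1
            stats[m.group(2)]["users"].add(m.group(1))
        elif m := PAM_MORE.search(line):      # summary record written at disconnect
            stats[m.group(2)]["pam"] += int(m.group(1))
        elif m := PAM_FIRST.search(line):     # first failure of the connection
            stats[m.group(1)]["pam"] += 1
    return dict(stats)

def not_covered(sources, blocked):
    """Sources seen in the log that no blocked address or CIDR range matches."""
    nets = [ip_network(b, strict=False) for b in blocked]
    missed = []
    for src in sources:
        try:
            hit = any(ip_address(src) in n for n in nets)
        except ValueError:                    # rhost logged as a hostname, not an address
            hit = False
        if not hit:
            missed.append(src)
    return sorted(missed)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, s in stats.items():
        print(src, "sshd:", s["sshd"], "pam:", s["pam"], "users:", sorted(s["users"]))
    # Rule address exactly as written in the first post.
    print("not covered by rule:", not_covered(stats, ["116.41.116.44"]))
```

For this excerpt both counts come to 3 for 116.31.116.44 (one pam_unix record plus the "2 more" summary), and that address is not matched by the rule address given in the post.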
