Hi -
I am seeing odd behavior in my logs. I am seeing logins via sshd or the local network at odd hours. I am seeing logins for clearconsole that I am not sure about. Neither Intrusion Detection nor Intrusion Prevention flagged anything or logged anything.
I have failed logins from a local computer with unknown username(s) and protocols. See snip below.
I also have logins and logouts at odd times - 3AM, 5AM.
I am trying to look at my logs to correlate the IPs of where these came from, but I cannot tell yet what/where/when.


What I am seeing is that a couple of minutes after another user connects via VPN and logs into a workstation named cad1 at 10.1.10.33, there is an attempted root login via sshd, or, in the case of this morning, those failed logins from the PC directly.
The ssh server was configured to not connect to external networks - "Information: The app is installed, but the firewall is not allowing connections from external networks."
The user did not make legitimate attempts to log in to the ClearOS box.
Are there more efficient tools to filter the logs and make them more human readable?
Am I correct to assume that I have an intrusion?
Responses (1)
Accepted Answer
To examine logs I use WinSCP, but use of "grep" can help narrow down on a problem. Logs are generally somewhere under /var/log, so you could do something like:

    grep sshd /var/log/secure

and you will see all the rubbish coming in if you have your firewall open.
For the firewall, what do you get from:

    iptables -nvL INPUT

and please put the results between "code" tags.
I am not seeing the correlation between the OpenVPN log and the other events. Check the secure log. I would be concerned about connection attempts from 10.1.10.33 but it could be that the workstation has been compromised or something at the other end of the VPN. Check your logs. If there are successful ssh connections which should not be there, then be worried. At a minimum change your ssh password, but then you will also need to check that whoever connected has not left a backdoor open.
You could turn off password access and just use ssh keys - https://documentation.clearos.com/content:en_us:kb_7_securing_ssh.
