
More log files [solved]


riseringseeker

I posted here before asking for help in determining whether or not I was having security breaches. I was told (off the board) that the entries I was concerned about were not a big deal. OK, I know I am a little paranoid, but I am new to being open to ssh connections from the 'net, and being paranoid doesn't mean they're not really after you!

 

Alright, I use MCC to set up the ssh server, and had specifically set it to not allow root logins. Yesterday, I was double-checking how I had it set up and to my surprise I found that root login had somehow changed to "Yes - with password". OK, I changed it back and also put "root" in the deny users file. Today, I checked again, and the file had been changed to allow root login - yes.

 

I also have line after line of this type of entry:

 

Nov 8 05:48:05 localhost sshd[16874]: Connection from 208.67.248.222 port 47297
Nov 8 05:48:05 localhost sshd[16874]: reverse mapping checking getaddrinfo for mail.reflx.net failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 8 05:48:05 localhost sshd[16874]: User root from 208.67.248.222 not allowed because listed in DenyUsers
Nov 8 05:48:05 localhost sshd[16874]: error: Could not get shadow information for NOUSER
Nov 8 05:48:05 localhost sshd[16874]: Failed password for invalid user root from 208.67.248.222 port 47297 ssh2
Nov 8 05:48:05 localhost sshd[16874]: Excess permission or bad ownership on file /var/log/btmp
Nov 8 05:48:06 localhost sshd[16876]: Connection from 208.67.248.222 port 47363
Nov 8 05:48:06 localhost sshd[16876]: reverse mapping checking getaddrinfo for mail.reflx.net failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 8 05:48:06 localhost sshd[16876]: User root from 208.67.248.222 not allowed because listed in DenyUsers

 

So, should I be worried, and/or what, if anything should I do?

 

I have security set to "high", and only have port 22 open to the 'net. I know one of the things I should do is move ssh to some oddball port, but other than that?

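A small parser for log lines in exactly the format pasted in the post above, as an added example that is not from the original thread: it tallies refused and failed logins per source address so the noisy ones stand out as candidates for a hosts.deny entry or an abuse report. The sample log is constructed; the first lines follow the thread's entries and the final successful login from 192.0.2.10 (a documentation address) is made up to give the report a benign baseline.

```python
"""Summarise sshd log lines of the kind shown in the thread (added example)."""
import re
from collections import defaultdict

# Syslog prefix as in the thread: "Nov 8 05:48:05 localhost sshd[16874]: <message>"
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message shapes that appear in the thread, plus the one for a successful login.
EVENT_RES = [
    ("connection", re.compile(r"^Connection from (?P<ip>[\d.]+) port \d+")),
    ("reverse_dns_failed", re.compile(r"^reverse mapping checking getaddrinfo for (?P<name>\S+) failed")),
    ("denied_user", re.compile(r"^User (?P<user>\S+) from (?P<ip>[\d.]+) not allowed because listed in DenyUsers")),
    ("failed_password", re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")),
]

# Constructed sample: the thread's format, plus one made-up successful key login.
SAMPLE_LOG = """\
Nov 8 05:48:05 localhost sshd[16874]: Connection from 208.67.248.222 port 47297
Nov 8 05:48:05 localhost sshd[16874]: reverse mapping checking getaddrinfo for mail.reflx.net failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 8 05:48:05 localhost sshd[16874]: User root from 208.67.248.222 not allowed because listed in DenyUsers
Nov 8 05:48:05 localhost sshd[16874]: Failed password for invalid user root from 208.67.248.222 port 47297 ssh2
Nov 8 05:48:06 localhost sshd[16876]: Connection from 208.67.248.222 port 47363
Nov 8 05:48:06 localhost sshd[16876]: User root from 208.67.248.222 not allowed because listed in DenyUsers
Nov 8 05:48:06 localhost sshd[16876]: Failed password for invalid user root from 208.67.248.222 port 47363 ssh2
Nov 8 06:02:11 localhost sshd[16901]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""


def parse_line(line):
    """Return a dict with the syslog fields plus an 'event' tag, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = "other"
    for name, rx in EVENT_RES:
        em = rx.match(rec["msg"])
        if em:
            rec["event"] = name
            rec.update(em.groupdict())
            break
    return rec


def summarise(lines, threshold=5):
    """Count events per source IP.

    Returns (per_ip, noisy, rdns_failures): per_ip maps an address to its
    counters and the usernames it tried; noisy is the set of addresses with at
    least `threshold` refused or failed logins."""
    per_ip = defaultdict(lambda: {"connections": 0, "denied_user": 0,
                                  "failed_password": 0, "accepted": 0, "users": set()})
    rdns_failures = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev = rec["event"]
        if ev == "reverse_dns_failed":
            rdns_failures.add(rec["name"])   # this line carries no IP, only the PID
            continue
        if ev == "other":
            continue
        c = per_ip[rec["ip"]]
        c["connections" if ev == "connection" else ev] += 1
        if "user" in rec:
            c["users"].add(rec["user"])
    noisy = {ip for ip, c in per_ip.items()
             if c["denied_user"] + c["failed_password"] >= threshold}
    return per_ip, noisy, rdns_failures


if __name__ == "__main__":
    per_ip, noisy, rdns = summarise(SAMPLE_LOG.splitlines(), threshold=3)
    for ip, c in sorted(per_ip.items()):
        flag = "NOISY" if ip in noisy else "ok"
        print(f"{ip:16} {flag:5} conn={c['connections']} denied={c['denied_user']} "
              f"failed={c['failed_password']} accepted={c['accepted']} users={sorted(c['users'])}")
    print("reverse-DNS mismatches:", sorted(rdns))
```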

I would turn off ssh for a while. And you might even consider a re-install, as it's possible a hacker gained access - or it could just be someone attempting root access but failing, and the root allow login is getting reset - but if it's also in deny users, then you actually have it protected twice.

 

As far as who's attacking you...I would contact colomart. A whois revealed that this is a hosting company. It's possible someone is staging attacks from one of their hosted, shared, or co-location servers. They would want to know about this. Provide to them as much detail and logs as you can (obviously without being repetitive) - try and give a range of time that the attacks were occurring during; in case there's any consistency to that. Also be sure to provide at least an example of any logs that you have, check your ssh logs, check your sys logs for the same periods of time if you can - that sort of thing.


I agree with tyme, it's a fact of life unfortunately....

 

I get hundreds, sometimes tens of thousands per day...

Watch out for dictionary attacks.... I now have my public facing username extremely long... it's a pain to type but it's more of a passphrase ... and the password is equally long.

Most dictionary attacks start aa, ab, ac etc. I had a two letter user who was cracked ... it only takes 26^26 combinations to find that username and these attacks can come from hundreds of places at once when they hijack enough hosts...so for instance you can be on aa,ab from Bulgaria and ja,jb from Poland etc.

 

Turn off ssh1

Protocol 2

try a different port for a week .... :D works wonders....

 

try using denyhosts (a package)... it automatically bans IPs for X number of failed logins by adding them to your hosts.deny... and mails you.

My hosts.deny has well over 5000 entries....

 

NEVER EVER post a username on a board.... I get thousands of attempted logins with gowator as the username... where do they get it? Well my sig has my static IP address and I guess they figure I must have a gowator user? It makes it twice as easy if they know a valid user name ..then they can concentrate on the password... and with 30,000 attempts a day ....???

 

Example username password....

g0wat0rsu3k3eggs4dinn3r/m0nk3ys3atp3anuts4fun

This way they have 23^36 combinations for the username.... but I doubt they try past x chars.... apart from dictionary words .. each run takes exponentially longer and though they are not from their own computer they will soon give up.... what they want is another drone host to attack someone else..


I agree with tyme, it's a fact of life unfortunately....

 

Reinstall? The entire system, or just ssh server?

 

I get hundreds, sometimes tens of thousands per day...

 

I seem to get merely scores. Most of them from India, China, Korea, etc. This is the first I have noted from within the US.

 

Watch out for dictionary attacks.... I now have my public facing username extremely long... it's a pain to type but it's more of a passphrase ... and the password is equally long.

Most dictionary attacks start aa, ab, ac etc. I had a two letter user who was cracked ... it only takes 26^26 combinations to find that username and these attacks can come from hundreds of places at once when they hijack enough hosts...so for instance you can be on aa,ab from Bulgaria and ja,jb from Poland etc.

 

I have not (yet) seen dictionary attacks, but have instead seen attacks with a long list of names tried in largely alphabetical order. I would guess that they just loaded a list from a "baby names" book into the script they are running, so with a long enough list, and user names that are real people's names, they will eventually hit one of them - not that I have many users; this is, after all, just my home system with very few users anyway.

 

I have some user names in "allow", and several entries in "deny". If I understand this correctly, being not listed in "allow", or specifically listed in "deny" will not let any other user name in, so in a way, it's a double protection.

 

Turn off ssh1

 

It is.

 

Protocol 2

 

'Tis set up here with a 2048-bit RSA key. At the moment, I still have password entry allowed, but that is for the benefit of the one "test user", a friend who has already helped with tightening security here. I plan on turning that off prior to leaving for my next trip, so without an RSA public key, no one should be able to get on at all.

 

try a different port for a week .... :D works wonders....

 

Got a range I should pick from?

 

try using denyhosts (a package)... it automatically bans IPs for X number of failed logins by adding them to your hosts.deny... and mails you.

My hosts.deny has well over 5000 entries....

 

I will give that a try. It also occurs to me that perhaps I should turn off pinging.

 

NEVER EVER post a username on a board.... I get thousands of attempted logins with gowator as the username... where do they get it? Well my sig has my static IP address and I guess they figure I must have a gowator user? It makes it twice as easy if they know a valid user name ..then they can concentrate on the password... and with 30,000 attempts a day ....???

 

I have not posted a user name that I am aware of. Also, the first part of my domain is not "localhost" for that matter.

 

Example username password....

g0wat0rsu3k3eggs4dinn3r/m0nk3ys3atp3anuts4fun

This way they have 23^36 combinations for the username.... but I doubt they try past x chars.... apart from dictionary words .. each run takes exponentially longer and though they are not from their own computer they will soon give up.... what they want is another drone host to attack someone else..

 

That would be a major pain, but might be worth instigating.


I agree with tyme, it's a fact of life unfortunately....

 

Reinstall? The entire system, or just ssh server?

Well, it depends on how paranoid you are?

Try a live cd with a check rootkit (kanotix works) ... obviously the ultimate is reinstall from scratch ...

not always a bad thing if you have played about with stuff... then decided to harden security ...I just reinstalled debian stable on my server because I had largely played about a lot and lost track ... just odd changing permissions here and there ... usually stuff I mean to be temporary and then forget ...:D

 

I get hundreds, sometimes tens of thousands per day...

 

I seem to get merely scores. Most of them from India, China, Korea, etc. This is the first I have noted from within the US.

Yeah hosting websites does that .... but I think also it's sorta random... groups of script kiddies decide to have a go at a host and I guess it's a competition... they already have control of hundreds and use these to attack you.

 

 

Watch out for dictionary attacks.... I now have my public facing username extremely long... it's a pain to type but it's more of a passphrase ... and the password is equally long.

Most dictionary attacks start aa, ab, ac etc. I had a two letter user who was cracked ... it only takes 26^26 combinations to find that username and these attacks can come from hundreds of places at once when they hijack enough hosts...so for instance you can be on aa,ab from Bulgaria and ja,jb from Poland etc.

 

I have not (yet) seen dictionary attacks, but have instead seen attacks with a long list of names tried in largely alphabetical order. I would guess that they just loaded a list from a "baby names" book into the script they are running, so with a long enough list, and user names that are real peoples names, they will eventually hit one of them - not that I have many users, this is after just my home system with very few users anyway.

That was how it started for me :D I dumped the logs a while ago they were massive... but they started off like you say then progressed...

I have some user names in "allow", and several entries in "deny". If I understand this correctly, being not listed in "allow", or specifically listed in "deny" will not let any other user name in, so in a way, it's a double protection.

Yep I have ALL users in deny except one.... really one is all you need unless you're using nxserver etc. and want GUI desktops etc. over the internet.

 

Tis set up here with a 2048 rsa key. At the moment, I still have password entry allowed, but that is for the benefit of the one "test user", a friend who has already helped with tightening security here. I plan on turning that off prior to leaving for my next trip so without a rsa public key, should not be able to get on at all.

Well just deny all users except that and make the username password long... if its your buddies old address or something its amazing how fast you get to typing it...

 

try a different port for a week .... :D works wonders....

 

Got a range I should pick from?

No expert here but any you're not using.... it doesn't really matter to ssh

nmap -sT hostname

 

see

http://www.redhat.com/docs/manuals/linux/R...rver-ports.html

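The settings discussed in the posts above (PermitRootLogin, Protocol 2, a non-default port, password logins, and the question of whether DenyUsers plus AllowUsers is double protection) as an added example that is not from the thread: a checker for sshd_config that also applies sshd's documented order of DenyUsers before AllowUsers. Both config texts and the username longuser are constructed; DenyGroups/AllowGroups and Match blocks are not modelled.

```python
"""Audit an sshd_config for the settings discussed in this thread and decide
whether a given user gets past DenyUsers/AllowUsers (added example).

Assumption: OpenSSH checks DenyUsers first and, once AllowUsers is set,
refuses every user that matches no entry. Group directives are ignored here."""
import fnmatch

LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}

# Constructed: the shape the OP describes, with root login flipped back to yes.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: what the advice in the thread adds up to (longuser is made up).
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
DenyUsers root
AllowUsers longuser
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value}; list keywords accumulate into a list.

    For single-value keywords sshd uses the first occurrence, so later
    duplicates are ignored here too. Parsing stops at the first Match block."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in LIST_KEYWORDS:
            cfg.setdefault(key, []).extend(value.split())
        else:
            cfg.setdefault(key, value)
    return cfg


def user_permitted(user, cfg):
    """Apply sshd's order: DenyUsers first, then AllowUsers. Host parts of
    user@host patterns are ignored. True only means the user may proceed to
    authentication, not that a password or key would be accepted."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in patterns)
    if matches(cfg.get("denyusers", [])):
        return False
    allow = cfg.get("allowusers", [])
    if allow and not matches(allow):
        return False
    return True


def audit(cfg):
    """Return a list of findings for the settings the thread recommends."""
    findings = []
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no' (the setting the OP found silently flipped)")
    if "1" in cfg.get("protocol", "").split(","):
        findings.append("Protocol allows SSH-1; use 'Protocol 2'")
    if cfg.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not disabled; password guessing stays possible")
    if cfg.get("port", "22") == "22":
        findings.append("Port 22: the thread suggests an unused port above 2000 (and not 31337)")
    if not cfg.get("allowusers"):
        findings.append("No AllowUsers list; every local account is a valid name to guess")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cfg = parse_sshd_config(text)
        print(f"[{label}] findings: {audit(cfg) or 'none'}")
        for user in ("root", "longuser", "bob"):
            verdict = "may try to log in" if user_permitted(user, cfg) else "refused"
            print(f"  {user}: {verdict}")
```

Run from cron against /etc/ssh/sshd_config, a non-empty findings list is the alert for the kind of silent flip back to root login the OP describes.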

As far as ports, use something over 2000 just to make sure you don't encroach on any other necessary ports. And don't use 31337. Here's a list of well-known ports, you'll want to choose one not on that list.

 

As far as the reinstall, as Gowator said that depends on your paranoid level. If you think someone actually succeeded in hacking you, then reinstalling is easier than hunting down what the hacker did in case he left himself a backdoor/trojan/zombie program. Checking it with a rootkit program as G suggests is definitely a good first step. I'd also look through a ps -aux for any oddball processes. Also, run netstat -a while logged in and look for strange services that are attached to odd ports.

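One way to act on the netstat advice above without having to remember what netstat normally shows, as an added example not from the thread: save one run of netstat -a as a baseline, keep only the listening sockets, and diff a later run against it. The two outputs are constructed in the thread's format, with a planted listener on 31337; names such as localhost come from resolution, so run netstat -an if you prefer numeric output.

```python
"""Diff the listening sockets of a saved `netstat -a` run against a fresh one
(added example). Both outputs below are constructed samples."""

BASELINE_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:smtp *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
udp 0 0 *:ntp *:*
udp 0 0 *:5353 *:*
raw 0 0 *:icmp *:* 7
"""

# Same host later: one planted oddball listener plus an outbound web connection.
CURRENT_OUTPUT = BASELINE_OUTPUT + """\
tcp 0 0 *:31337 *:* LISTEN
tcp 0 0 192.168.2.2:52245 72.14.223.99:http ESTABLISHED
"""


def parse_listeners(text):
    """Return a set of (proto, local_address, port_or_service) for sockets that
    accept traffic: TCP in LISTEN state, and UDP sockets bound with no peer."""
    listeners = set()
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue                       # headers, raw sockets, unix sockets
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue                       # ESTABLISHED/TIME_WAIT are not services
        if proto.startswith("udp") and foreign != "*:*":
            continue                       # a connected UDP socket is a client
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        listeners.add((proto, addr, port))
    return listeners


def exposed(listeners):
    """Listeners not bound to loopback: reachable from the network unless the
    firewall blocks them (a LAN address such as 192.168.2.2 counts as exposed)."""
    return {s for s in listeners
            if not s[1].startswith(("127.", "localhost", "::1"))}


def diff_listeners(baseline, current):
    """Return what appeared and what disappeared since the baseline."""
    return {"new": current - baseline, "gone": baseline - current}


if __name__ == "__main__":
    base = parse_listeners(BASELINE_OUTPUT)
    now = parse_listeners(CURRENT_OUTPUT)
    change = diff_listeners(base, now)
    print("new listeners :", sorted(change["new"]))
    print("gone listeners:", sorted(change["gone"]))
    print("exposed now   :", sorted(exposed(now)))
```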

As far as ports, use something over 2000 just to make sure you don't encroach on any other necessary ports. And don't use 31337. Here's a list of well-known ports, you'll want to choose one not on that list.

 

As far as the reinstall, as Gowator said that depends on your paranoid level. If you think someone actually succeeded in hacking you, then reinstalling is easier than hunting down what the hacker did in case he left himself a backdoor/trojan/zombie program. Checking it with a rootkit program as G suggests is definitely a good first step. I'd also look through a ps -aux for any oddball processes. Also, run netstat -a while logged in and look for strange services that are attached to odd ports.

 

Thanks, Tyme. Of course it would help if I knew what netstat and ps normally showed, that way I might be in a better position to see if there is anything unusual.

 

Apparently I am going to have to ask for help in installing denyhosts though. I keep being told it needs python 2.4 (my system shows 2.4.3), or, in the case of the tarball, says:

 

error: invalid Python installation: unable to open /usr/lib/python2.4/config/Makefile (No such file or directory)

Of course it would help if I knew what netstat and ps normally showed, that way I might be in a better position to see if there is anything unusual.
You could post the outputs here, and I could take a look through them.

Of course it would help if I knew what netstat and ps normally showed, that way I might be in a better position to see if there is anything unusual.
You could post the outputs here, and I could take a look through them.

 

OK, here's netstat -a, usernames and domains edited, otherwise a cut and paste.

 

#netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.somedns.org:2208 *:* LISTEN
tcp 0 0 *:nfs *:* LISTEN
tcp 0 0 localhost.somedns.or:46660 *:* LISTEN
tcp 0 0 *:swat *:* LISTEN
tcp 0 0 *:nut *:* LISTEN
tcp 0 0 192.168.2.2:9222 *:* LISTEN
tcp 0 0 localhost.somedns.or:10026 *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:943 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:57009 *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 localhost.somedns.org:smtp *:* LISTEN
tcp 0 0 *:7741 *:* LISTEN
tcp 0 0 *:microsoft-ds *:* LISTEN
tcp 0 0 *:39741 *:* LISTEN
tcp 0 0 *:40511 *:* LISTEN
tcp 0 0 192.168.2.2:52245 72.14.223.99:http ESTABLISHED
tcp 0 0 192.168.2.2:53179 a-70-183-191-115.deplo:http ESTABLISHED
tcp 0 0 192.168.2.2:43745 64.233.163.104:http ESTABLISHED
tcp 0 0 192.168.2.2:48512 209.62.188.20:http ESTABLISHED
tcp 0 0 192.168.2.2:48292 70.167.151.135:http ESTABLISHED
tcp 0 0 192.168.2.2:48279 70.167.151.135:http ESTABLISHED
tcp 0 0 192.168.2.2:54347 a-70-183-191-82.deploy:http ESTABLISHED
tcp 0 0 192.168.2.2:59917 a-70-183-191-75.deplo:https ESTABLISHED
tcp 0 0 192.168.2.2:59916 a-70-183-191-75.deplo:https ESTABLISHED
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
udp 0 0 *:32768 *:*
udp 0 0 *:nfs *:*
udp 0 0 *:32770 *:*
udp 0 0 *:32771 *:*
udp 0 0 192.168.2.2:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 192.168.2.2:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:940 *:*
udp 0 0 *:7741 *:*
udp 0 0 *:730 *:*
udp 0 0 *:5353 *:*
udp 0 0 *:sunrpc *:*
udp 0 0 *:ipp *:*
udp 0 0 192.168.2.2:ntp *:*
udp 0 0 localhost.somedns.org:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:32769 *:*
udp 0 0 *:ntp *:*
raw 0 0 *:icmp *:* 7


 

ps aux

]# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1576 540 ? Ss 07:00 0:01 init [5]
root 2 0.0 0.0 0 0 ? S 07:00 0:00 [migration/0]
root 3 0.0 0.0 0 0 ? SN 07:00 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S< 07:00 0:00 [events/0]
root 5 0.0 0.0 0 0 ? S< 07:00 0:00 [khelper]
root 6 0.0 0.0 0 0 ? S< 07:00 0:00 [kthread]
root 8 0.0 0.0 0 0 ? S< 07:00 0:00 [kblockd/0]
root 9 0.0 0.0 0 0 ? S< 07:00 0:00 [kacpid]
root 75 0.0 0.0 0 0 ? S< 07:00 0:00 [kseriod]
root 111 0.0 0.0 0 0 ? S 07:00 0:00 [pdflush]
root 112 0.0 0.0 0 0 ? S 07:00 0:00 [pdflush]
root 113 0.0 0.0 0 0 ? S 07:00 0:00 [kswapd0]
root 114 0.0 0.0 0 0 ? S< 07:00 0:00 [aio/0]
root 767 0.0 0.0 0 0 ? S< 07:00 0:00 [kpsmoused]
root 779 0.0 0.0 0 0 ? S< 07:00 0:00 [kjournald]
root 859 0.0 0.2 2272 1296 ? S<s 07:00 0:00 udevd -d
root 973 0.0 0.0 0 0 ? S< 07:00 0:00 [khubd]
root 1074 0.0 0.0 0 0 ? S< 07:00 0:00 [scsi_eh_0]
root 1076 0.0 0.0 0 0 ? S< 07:00 0:00 [usb-storage]
root 1313 0.0 0.0 0 0 ? S< 07:00 0:00 [kjournald]
root 1339 0.0 0.0 0 0 ? S< 07:00 0:00 [kjournald]
root 1801 0.0 0.1 1616 584 ? Ss 07:00 0:00 syslogd -m 0 -a /var/spool/postfix/dev/log
70 1980 0.0 0.2 2536 1048 ? Ss 07:00 0:00 dbus-daemon --system
root 1988 0.0 0.1 1564 520 ? Ss 07:00 0:00 /usr/sbin/acpid
root 2042 0.0 0.2 4948 1048 ? Ss 07:00 0:00 ./hpiod
root 2043 0.0 0.1 2112 616 ? Ss 07:00 0:00 /usr/sbin/mandi -d
root 2078 0.0 0.2 2312 1216 ? Ss 07:00 0:00 klogd -2
71 2108 0.0 1.4 9144 7432 ? Ss 07:00 0:01 hald
root 2109 0.0 0.2 3200 1188 ? S 07:00 0:00 hald-runner
71 2127 0.0 0.1 2176 864 ? S 07:00 0:00 /usr/lib/hald-addon-acpi
71 2134 0.0 0.1 2172 868 ? S 07:00 0:00 /usr/lib/hald-addon-keyboard
root 2377 0.0 0.1 2140 760 ? S 07:00 0:00 /usr/lib/hald-addon-storage
root 2404 0.0 0.1 2136 756 ? S 07:00 0:00 /usr/lib/hald-addon-storage
root 2429 0.0 0.1 2136 760 ? S 07:00 0:00 /usr/lib/hald-addon-storage
root 2486 0.0 0.9 10548 4848 ? S 07:00 0:00 python ./hpssd.py
root 2621 0.0 0.0 0 0 ? S< 07:00 0:00 [kgameportd]
root 2625 0.0 0.4 6316 2072 ? Ss 07:00 0:00 cupsd
root 2631 0.0 0.0 0 0 ? S< 07:00 0:00 [ac97/0]
root 2832 0.0 0.0 1592 436 ? Ss 07:00 0:00 /sbin/ifplugd -b -i eth0
ups 2978 0.0 0.0 1788 476 ? Ss 07:00 0:00 upsd -u ups
root 3065 0.0 0.1 2392 888 ? Ss 07:00 0:00 crond -p
daemon 3102 0.0 0.0 1696 360 ? Ss 07:00 0:00 /usr/sbin/atd
rpc 3304 0.0 0.1 1696 552 ? Ss 07:00 0:00 portmap
root 3401 0.0 0.1 2172 800 ? Ss 07:00 0:00 xinetd -stayalive -reuse -pidfile /var/run/xi
avahi 3475 0.0 0.3 2800 1540 ? Ss 07:00 0:00 avahi-daemon: running [<localhost>.local]
rpcuser 3522 0.0 0.1 1700 724 ? Ss 07:00 0:00 rpc.statd
root 3523 0.0 0.1 3772 740 ? Ss 07:00 0:00 rpc.idmapd
xfs 3556 0.0 0.6 4880 3180 ? Ss 07:00 0:01 xfs -port -1 -daemon -droppriv -user xfs
root 3610 0.0 0.1 2884 800 ? S 07:00 0:00 /usr/bin/kdm -nodaemon
root 3611 0.0 0.2 4628 1000 ? Ss 07:00 0:00 /usr/sbin/sshd
root 3660 0.5 4.2 28208 21400 tty7 Ss+ 07:01 1:24 /etc/X11/X -br -deferglyphs 16 :0 vt7 -auth /
root 3709 0.0 0.0 0 0 ? S< 07:01 0:00 [nfsd4]
root 3717 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3718 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3719 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3720 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3721 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3722 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3723 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3724 0.0 0.0 0 0 ? S 07:01 0:00 [nfsd]
root 3732 0.0 0.0 0 0 ? S 07:01 0:00 [lockd]
root 3737 0.0 0.0 0 0 ? S< 07:01 0:00 [rpciod/0]
root 3753 0.0 0.0 1748 280 ? Ss 07:01 0:00 rpc.mountd
ntp 3796 0.0 0.8 4292 4292 ? SLs 07:01 0:00 ntpd -A -u ntp:ntp -p /var/run/ntpd.pid
root 3835 0.0 0.5 11464 2848 ? Ss 07:01 0:00 smbd -D
root 3860 0.0 0.3 3608 1656 ? S 07:01 0:00 -:0
root 3883 0.0 0.3 6928 1556 ? Ss 07:01 0:00 nmbd -D
root 3914 0.0 0.2 11464 1384 ? S 07:01 0:00 smbd -D
clamav 3960 0.0 3.3 28516 16632 ? Ss 07:01 0:00 clamd -c /etc/clamd.conf
clamav 4019 0.0 0.2 4796 1360 ? Ss 07:01 0:00 /usr/bin/freshclam --config-file=/etc/freshcl
root 4128 0.0 0.3 4736 1556 ? Ss 07:01 0:00 /usr/lib/postfix/master
postfix 4203 0.0 0.3 4856 1724 ? S 07:01 0:00 qmgr -l -t fifo -u -c
root 5591 0.0 0.1 2708 880 ? Ss 07:01 0:00 /usr/bin/lisa -c /etc/lisarc
root 5675 0.0 0.0 1560 448 tty1 Ss+ 07:01 0:00 /sbin/mingetty tty1
root 5676 0.0 0.0 1560 452 tty2 Ss+ 07:01 0:00 /sbin/mingetty tty2
root 5677 0.0 0.0 1560 452 tty3 Ss+ 07:01 0:00 /sbin/mingetty tty3
root 5678 0.0 0.0 1560 452 tty4 Ss+ 07:01 0:00 /sbin/mingetty tty4
root 5679 0.0 0.0 1560 452 tty5 Ss+ 07:01 0:00 /sbin/mingetty tty5
root 5680 0.0 0.0 1560 452 tty6 Ss+ 07:01 0:00 /sbin/mingetty tty6
<user> 5874 0.0 0.2 3944 1488 ? Ss 07:12 0:00 /bin/sh /usr/bin/startkde
<user> 5931 0.0 0.1 4232 956 ? Ss 07:12 0:00 ssh-agent
<user> 5953 0.0 0.0 2284 448 ? Ss 07:12 0:00 gpg-agent --daemon
<user> 6043 0.0 0.1 2704 648 ? S 07:12 0:00 /usr/bin/dbus-launch --exit-with-session --sh
<user> 6044 0.0 0.0 2424 484 ? Ss 07:12 0:00 /usr/bin/dbus-daemon --fork --print-pid 9 --p
<user> 6055 0.0 0.1 3340 828 ? Ss 07:12 0:00 /usr/bin/imwheel -k --rc /etc/X11/imwheel/imw
<user> 6085 0.0 0.5 8328 2760 ? Ss 07:12 0:00 s2u --daemon=yes --debug
<user> 6110 0.0 1.4 26680 7404 ? Ss 07:12 0:00 kdeinit Running...
<user> 6113 0.0 0.5 25940 2632 ? S 07:12 0:00 dcopserver [kdeinit] --nosid
<user> 6115 0.0 1.6 27972 8208 ? S 07:12 0:00 klauncher [kdeinit] --new-startup
<user> 6117 0.0 2.8 34288 14412 ? S 07:12 0:01 kded [kdeinit] --new-startup
<user> 6119 0.0 0.3 2824 1552 ? S 07:12 0:00 /usr/lib/gam_server
<user> 6124 0.0 0.0 1548 356 ? S 07:12 0:00 kwrapper ksmserver
<user> 6126 0.0 2.0 28044 10380 ? S 07:12 0:00 ksmserver [kdeinit]

<user> 6127 0.0 2.6 30176 12992 ? S 07:12 0:01 kwin [kdeinit]

<user> 6129 0.0 3.9 39600 19668 ? S 07:12 0:01 kdesktop [kdeinit]

<user> 6132 0.0 3.3 35356 16788 ? S 07:12 0:01 kicker [kdeinit]

<user> 6133 0.0 1.4 26792 7176 ? S 07:12 0:00 kio_file [kdeinit] file /home/<user>/tmp/ksocke

<user> 6139 0.0 1.4 27912 7260 ? SL 07:12 0:07 /usr/bin/artsd -F 10 -S 4096 -d -n -s 60 -m a

<user> 6142 0.0 2.0 28060 10272 ? S 07:12 0:00 kaccess [kdeinit]

<user> 6144 0.0 4.5 31692 22556 ? S 07:12 0:01 /usr/bin/perl /usr/bin/net_applet

<user> 6147 0.0 2.9 31692 14584 ? S 07:12 0:00 kmix [kdeinit] -caption KMix -icon kmix -mini

<user> 6150 0.0 2.3 28400 11496 ? S 07:12 0:00 klipper [kdeinit]

<user> 6154 0.0 2.7 36868 13800 ? S 07:12 0:00 knotify [kdeinit]

<user> 6163 0.0 0.1 2668 868 ? S 07:12 0:00 xsettings-kde

<user> 6171 0.0 2.6 31008 13288 ? S 07:12 0:00 korgac --miniicon korganizer

postfix 6606 0.0 0.3 4816 1568 ? S 10:21 0:00 pickup -l -t fifo -u -c -o content_filter -o

<user> 6624 0.0 0.3 3948 1508 ? S 11:21 0:00 /bin/sh /usr/bin/mozilla-firefox

<user> 6629 0.0 0.3 3988 1520 ? S 11:21 0:00 /bin/sh /usr/lib/mozilla-firefox-1.5.0.7/run-

<user> 6634 4.9 9.7 121000 48568 ? Sl 11:21 0:38 /usr/lib/mozilla-firefox-1.5.0.7/mozilla-fire

<user> 6638 0.0 0.5 5140 2580 ? S 11:21 0:00 /usr/lib/gconfd-2 12

<user> 6642 0.2 3.2 34088 16400 ? R 11:22 0:01 konsole [kdeinit]

<user> 6643 0.0 0.3 4128 1876 pts/1 Ss 11:22 0:00 /bin/bash

root 6716 0.0 0.2 3436 1140 pts/1 S 11:22 0:00 su

root 6719 0.0 0.3 3612 1612 pts/1 S 11:22 0:00 bash

root 6782 0.0 0.1 2280 900 pts/1 R+ 11:34 0:00 ps aux

Edited by riseringseeker

Your netstat and ps -aux look good. The only thing I would suggest (and this is default on Mandriva, though I don't know why) is turning off sunrpc. I believe you can do this in Services in the Mandriva Control Center: just look for "rpc" or "sunrpc" and switch off "on boot". You shouldn't need this, and it often has security holes in it.


You can check, and always symlink python2.4 to the 2.43 installation if it doesn't exist.

 

Check... what?

 

I have had to soft link files before, but if you could lead me through how to symlink a directory I would appreciate it. I assume the link has to be in /usr/lib/python2.4 folder?

 

Is there a handy way to find symlinks, whether all of them, or what is linked to something?

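The two symlink questions in the post above (how to symlink a directory, and how to find what is linked to something) as an added example, not from the thread. A directory is linked exactly like a file with ln -s; the python2.4.3 tree below is constructed under a scratch directory to stand in for /usr/lib on the poster's box, and the -lname test assumes GNU find, which is what a Linux distribution of this era ships.

```shell
#!/bin/sh
# Added example, not from the thread. A directory is symlinked exactly like a
# file; the tree below (python2.4.3 with a site-packages inside) is constructed
# under a scratch directory to stand in for /usr/lib on the poster's machine.

# link_dir TARGET LINKNAME: create LINKNAME -> TARGET, refusing to touch
# anything that already exists at LINKNAME (ln -s would otherwise create the
# link *inside* an existing directory, which is the usual surprise).
link_dir() {
    if [ -e "$2" ] || [ -L "$2" ]; then
        echo "link_dir: $2 already exists, not touching it" >&2
        return 1
    fi
    ln -s "$1" "$2"
}

# list_symlinks DIR: every symlink below DIR, printed as "link -> target".
list_symlinks() {
    find "$1" -type l | while IFS= read -r l; do
        printf '%s -> %s\n' "$l" "$(readlink "$l")"
    done
}

# links_to DIR PATTERN: symlinks below DIR whose target matches the shell
# glob PATTERN (GNU find's -lname, assumed available).
links_to() {
    find "$1" -type l -lname "$2"
}

# Constructed demo tree in a scratch directory, removed on exit.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/lib/python2.4.3/site-packages"
link_dir "$demo_root/lib/python2.4.3" "$demo_root/lib/python2.4"

# After the link the same directory is reachable under both names.
ls -d "$demo_root/lib/python2.4/site-packages"
list_symlinks "$demo_root/lib"
links_to "$demo_root/lib" '*python2.4.3'
```

On the real system the equivalent would be `ln -s /usr/lib/python2.4.3 /usr/lib/python2.4` (an assumption about where the 2.4.3 tree lives), and `find /usr/lib -type l -lname '*python2.4.3'` answers "what points at it".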

try a different port for a week .... :D works wonders....

 

I have been trying to run a different port, and when I set up a different one I can't get on the desktop from the laptop. I think it has to do with the router setup. This is what it defaults to when setting up an ssh server:

 

router.png

 

I have, of course set sshd_config to a different port, but am not sure how I should set up the above.

 

try using denyhosts (a package)... it automatically bans IPs after X number of failed logins by adding them to your hosts.deny... and mails you.

My hosts.deny has well over 5000 entries....

 

Need to figure out how to symlink python2.4.3 to python2.4, then I might be able to get it running.

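Since the post above changes Port in sshd_config, here is a way to check what sshd will actually use before wrestling with the router. This is an added example, not from the thread: it reads the file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, anything after a Match line is conditional) and reports the three directives this thread is about. The config text is constructed, and the fallback defaults are those documented for OpenSSH 4.x.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an sshd_config the way sshd does
# and reports the three directives this thread touches. The config below is
# constructed for the demonstration.

# sshd_effective KEYWORD FILE: print the value sshd will actually use.
# sshd honours the FIRST occurrence of a keyword and ignores later repeats,
# keyword names are case-insensitive, and everything after a "Match" line is
# conditional, so the scan stops there. Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# audit_sshd FILE: print the effective settings and warn on the weak ones.
# Returns 1 if anything needs attention. A missing line means the OpenSSH 4.x
# default applies (PermitRootLogin yes, Port 22).
audit_sshd() {
    cfg=$1
    port=$(sshd_effective Port "$cfg")
    root=$(sshd_effective PermitRootLogin "$cfg")
    deny=$(sshd_effective DenyUsers "$cfg")
    port=${port:-22}
    root=${root:-yes}
    rc=0
    echo "Port=$port PermitRootLogin=$root DenyUsers=${deny:-(unset)}"
    if [ "$root" != "no" ]; then
        echo "WARN: PermitRootLogin is '$root'; set it to 'no'"
        rc=1
    fi
    if [ "$port" = 22 ]; then
        echo "NOTE: sshd still listens on 22; pick another port and forward that one on the router"
        rc=1
    fi
    case " $deny " in
        *" root "*) ;;
        *) echo "WARN: root is not in DenyUsers"; rc=1 ;;
    esac
    return $rc
}

# Constructed config: a later "PermitRootLogin yes" and a Match block that
# also says yes, neither of which overrides the first line.
demo_cfg=$(mktemp)
trap 'rm -f "$demo_cfg"' EXIT
cat > "$demo_cfg" <<'EOF'
# sshd_config (constructed for the example)
Port 2222
Protocol 2
PermitRootLogin no
DenyUsers root
PermitRootLogin yes
Match Address 192.168.1.0/24
    PermitRootLogin yes
EOF
audit_sshd "$demo_cfg"
```

Run it as `audit_sshd /etc/ssh/sshd_config` after every change from a GUI tool: a tool that appends a line changes nothing, while one that inserts above your line silently wins, so the only trustworthy answer is the first-occurrence value. Whatever port comes out is the one the router's forwarding rule has to point at, and `netstat -tlnp | grep sshd` (as root) confirms sshd is really bound to it.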

 

Need to figure out how to symlink python2.4.3 to python2.4, then I might be able to get it running.

Going to bed now, but it's exactly like a file.... you just name a directory instead of the file you want to symlink...

 

I found that symlinking was not what I needed to do after looking through the denyhosts mailing list, but instead just install without dependencies (after installing the python development libraries).

 

rpm --install --nodeps DenyHosts-2.5-python2.4.noarch.rpm

 

That got me much further, but when I run the install I get another error.

 

# python setup.py install
running install
running build
running build_py
error: package directory 'DenyHosts' does not exist

 

Still digging in the mailing list on denyhosts to figure that one out, and if I can't find out how to do it there, will start a new thread under installation about how to get it running.

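While DenyHosts is being coaxed into installing, the core of what the earlier reply describes (count failed sshd logins per source, add repeat offenders to hosts.deny) is small enough to do by hand. The block below is an added example, not from the thread and not DenyHosts' own code; the log lines and the whitelist are constructed, with source addresses taken from documentation ranges rather than the real one in the thread. It only counts "Failed password" lines, because the "not allowed because listed in DenyUsers" line for the same attempt would otherwise count it twice, and it never emits an address on the whitelist, so a typo from the laptop on the LAN cannot lock you out of the desktop.

```shell
#!/bin/sh
# Added example, not from the thread or from DenyHosts. Counts failed sshd
# logins per source address and turns the repeat offenders into hosts.deny
# lines. Log lines and whitelist are constructed; addresses are from
# documentation ranges.

# failed_login_counts < LOG: "address count" per source, busiest first.
failed_login_counts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / && match($0, / from [^ ]+ port /) {
            # RSTART is at " from "; strip " from " (6) and " port " (6)
            ip = substr($0, RSTART + 6, RLENGTH - 12)
            n[ip]++
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# deny_lines THRESHOLD WHITELIST < LOG: hosts.deny entries ("sshd: ADDR") for
# every source with at least THRESHOLD failures that is not listed in the
# WHITELIST file (one address per line, # comments allowed).
deny_lines() {
    failed_login_counts | awk -v min="$1" -v wl="$2" '
        BEGIN { while ((getline line < wl) > 0) if (line != "" && line !~ /^#/) white[line] = 1 }
        $2 >= min && !($1 in white) { print "sshd: " $1 }
    '
}

# Constructed sample of /var/log/auth.log: one remote source hammering
# root/admin/test, one remote one-off, and a LAN user who mistyped three
# times before getting in.
SAMPLE_LOG=$(cat <<'EOF'
Nov  8 05:48:05 localhost sshd[16874]: Failed password for invalid user root from 198.51.100.7 port 47297 ssh2
Nov  8 05:48:06 localhost sshd[16876]: User root from 198.51.100.7 not allowed because listed in DenyUsers
Nov  8 05:48:06 localhost sshd[16876]: Failed password for invalid user root from 198.51.100.7 port 47363 ssh2
Nov  8 05:48:08 localhost sshd[16879]: Failed password for invalid user admin from 198.51.100.7 port 47401 ssh2
Nov  8 05:48:09 localhost sshd[16881]: Failed password for invalid user test from 198.51.100.7 port 47455 ssh2
Nov  8 05:50:01 localhost sshd[16901]: Failed password for invalid user admin from 192.0.2.9 port 51022 ssh2
Nov  8 05:51:12 localhost sshd[16910]: Failed password for alice from 192.168.1.20 port 40011 ssh2
Nov  8 05:51:15 localhost sshd[16910]: Failed password for alice from 192.168.1.20 port 40011 ssh2
Nov  8 05:51:19 localhost sshd[16910]: Failed password for alice from 192.168.1.20 port 40011 ssh2
Nov  8 05:51:23 localhost sshd[16910]: Accepted password for alice from 192.168.1.20 port 40011 ssh2
EOF
)

# Constructed whitelist: the LAN box we administer from.
whitelist=$(mktemp)
trap 'rm -f "$whitelist"' EXIT
cat > "$whitelist" <<'EOF'
# never ban the laptop on the LAN
192.168.1.20
EOF

printf '%s\n' "$SAMPLE_LOG" | failed_login_counts
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3 "$whitelist"
```

Against the real log this would be `deny_lines 3 /root/ssh-whitelist < /var/log/auth.log` (the log path and the whitelist path are assumptions; Mandriva's syslog may put sshd elsewhere), with the output checked against the existing /etc/hosts.deny before appending so the same address is not added on every run. Two caveats: hosts.deny only bites if sshd was built with tcp_wrappers support, which the distribution packages of this era were; and a threshold of 3 with a LAN whitelist is the setting the example assumes, not a recommendation from the thread.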
