Does this mean someone is trying to access my system?

Forum for questions and support relating to the 1.24.x releases only.
Locked
yosepht
Posts: 20
Joined: Sat Jan 03, 2009 9:20 pm

Does this mean someone is trying to access my system?

Post by yosepht »

I found these client IP addresses in my apache error log and none of these are addresses
that I have used. Is a strong password enough or do I need software to protect my
system? Thanks.

[Fri Dec 11 01:06:18 2009] [error] [client 71.96.21.105] File does not exist: /var/www/MNG
[Fri Dec 11 07:27:55 2009] [error] [client 121.10.141.208] File does not exist: /var/www/scripts
[Fri Dec 11 07:27:56 2009] [error] [client 121.10.141.208] File does not exist: /var/www/scripts
[Fri Dec 11 07:27:57 2009] [error] [client 121.10.141.208] File does not exist: /var/www/phpMyAdmin
[Fri Dec 11 07:27:58 2009] [error] [client 121.10.141.208] File does not exist: /var/www/sql
[Fri Dec 11 07:27:59 2009] [error] [client 121.10.141.208] File does not exist: /var/www/mysql
[Fri Dec 11 10:57:11 2009] [error] [client 71.96.21.105] File does not exist: /var/www/MNG
[Fri Dec 11 23:34:56 2009] [error] [client 61.139.105.163] File does not exist: /var/www/fastenv
[Sat Dec 12 01:58:17 2009] [error] [client 61.160.216.63] script '/var/www/prx2.php' not found or unable to stat
[Sat Dec 12 05:02:09 2009] [error] [client 89.200.172.132] File does not exist: /var/www/user
[Sat Dec 12 07:09:53 2009] [error] [client 67.18.244.106] File does not exist: /var/www/phpMyAdmin
[Sat Dec 12 07:12:13 2009] [error] [client 67.18.244.106] File does not exist: /var/www/phpmyadmin
curtishall
Posts: 440
Joined: Sat Sep 25, 2004 12:45 am
Location: Fulton, MO

Re: Does this mean someone is trying to access my system?

Post by curtishall »

Yes...a bot is trying to look for insecure systems.

You should install fail2ban: http://www.fail2ban.org/wiki/index.php/Apache
--
Curtis Hall
Bluecherry
www.bluecherrydvr.com
store.bluecherry.net
whatboy
Posts: 304
Joined: Mon Aug 31, 2009 10:31 pm

Post by whatboy »

I don't think fail2ban would block that... that is someone typing random links on the browser to your site... fail2ban can only block those who fail to connect...
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

This is very likely bot activity looking for known weaknesses in those applications.
If you don't have any of those applications installed, you do not have too much to be concerned about.

Fail2ban only works with PAM and the SSH server, so unless you have port 22 open you do not need it.
yosepht
Posts: 20
Joined: Sat Jan 03, 2009 9:20 pm

Post by yosepht »

All I have on the system is zoneminder for home surveillance, but I would still like to have
it secure. I use Putty to occasionally access the system. How do I change that to another
port other than port 22? Thanks.
curtishall
Posts: 440
Joined: Sat Sep 25, 2004 12:45 am
Location: Fulton, MO

Post by curtishall »

whatboy wrote: I don't think fail2ban would block that... that is someone typing random links on the browser to your site... fail2ban can only block those who fail to connect...
fail2ban won't directly, but any _public_ computer on the internet needs to have fail2ban anyway. Some distros install stupid things by default that are prone to brute force attacks.
--
Curtis Hall
Bluecherry
www.bluecherrydvr.com
store.bluecherry.net
cordel
Posts: 5210
Joined: Fri Mar 05, 2004 4:47 pm
Location: /USA/Washington/Seattle

Post by cordel »

You can change the port in the ssh config, typically located in /etc/ssh(d), but it is distro dependent.
whatboy
Posts: 304
Joined: Mon Aug 31, 2009 10:31 pm

Post by whatboy »

Or just disable root access; most kiddie attacks use common names for the user name, like root, admin, administrator, etc...