Hi -

I am seeing odd behavior in my logs. I am seeing logins via sshd or the local network at odd hours. I am seeing logins for clearconsole that I am not sure about. Neither Intrusion Detection nor Intrusion Prevention flagged or logged anything.

I have failed logins from a local computer with unknown username(s) and protocols. See snip below.
I also have logins and logouts at odd times - 3AM, 5AM.

I am trying to look at my logs to correlate the IPs of where these came from, but I cannot tell yet what/where/when.

https://i.imgur.com/pg8dKS1.png

https://i.imgur.com/m0W8Mma.png

What I am seeing is that a couple of minutes after another user connects via VPN and logs into the workstation named cad1 at 10.1.10.33, there is an attempted root login via sshd, or, in the case of this morning, those failed logins from the PC directly.

The ssh server was configured not to accept connections from external networks: "Information: The app is installed, but the firewall is not allowing connections from external networks."

The user did not make legitimate attempts to log in to the ClearOS box.

Are there more efficient tools to filter the logs and make them more human-readable?

Am I correct to assume that I have an intrusion?
Monday, November 08 2021, 11:45 PM
Responses (1)
  • Accepted Answer

    Tuesday, November 09 2021, 08:36 AM
    To examine logs I use WinSCP, but use of "grep" can help narrow down on a problem. Logs are generally somewhere under /var/log, so you could do something like:
    grep sshd /var/log/secure
    and you will see all the rubbish coming in if you have your firewall open.

    For the firewall, what do you get from:
    iptables -nvL INPUT
    and please put the results between "code" tags.

    I am not seeing the correlation between the OpenVPN log and the other events. Check the secure log. I would be concerned about connection attempts from 10.1.10.33 but it could be that the workstation has been compromised or something at the other end of the VPN. Check your logs. If there are successful ssh connections which should not be there, then be worried. At a minimum change your ssh password, but then you will also need to check that whoever connected has not left a backdoor open.

    You could turn off password access and just use ssh keys - https://documentation.clearos.com/content:en_us:kb_7_securing_ssh.
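The triage the answer describes (grep the secure log, find any successful ssh logins, group the failures by source IP, correlate with 10.1.10.33, then turn off password logins) as a set of shell helpers. This is an added example, not code from the original thread or from ClearOS. It assumes a CentOS/RHEL-style /var/log/secure with standard OpenSSH messages and an OpenSSH-format sshd_config; the log lines and config fragment embedded below are constructed samples, not the poster's screenshots.

```sh
#!/bin/sh
# Added triage helpers for the ssh log review discussed above (example code, not part of the
# original post). Assumes OpenSSH message formats as written to /var/log/secure on ClearOS 7.

# Constructed sample of /var/log/secure lines: a 3 AM burst from the workstation at
# 10.1.10.33, one off-hours root login that succeeded, and one outside attempt.
SAMPLE_SECURE='Nov  8 03:12:41 clearos sshd[2211]: Failed password for root from 10.1.10.33 port 51022 ssh2
Nov  8 03:12:44 clearos sshd[2211]: Failed password for root from 10.1.10.33 port 51022 ssh2
Nov  8 03:13:02 clearos sshd[2215]: Invalid user admin from 10.1.10.33 port 51030
Nov  8 03:13:05 clearos sshd[2215]: Failed password for invalid user admin from 10.1.10.33 port 51030 ssh2
Nov  8 05:02:10 clearos sshd[2290]: Accepted password for root from 10.1.10.33 port 51100 ssh2
Nov  8 05:02:10 clearos sshd[2290]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov  8 07:40:00 clearos sshd[2301]: Accepted publickey for backup from 10.1.10.5 port 40002 ssh2
Nov  8 07:55:12 clearos sshd[2310]: Failed password for root from 203.0.113.7 port 22001 ssh2'

# Constructed sshd_config fragment with the weak settings the answer recommends changing.
SAMPLE_SSHD_WEAK='PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Successful sshd logins on stdin -> "Mon D HH:MM:SS user=... from=... method=...".
# These are the lines that matter: an Accepted line you did not cause means someone else had a shell.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { printf "%s %s %s user=%s from=%s method=%s\n", $1, $2, $3, $9, $11, $7 }'
}

# Successful logins between midnight and 06:00, the "3AM, 5AM" pattern from the question.
off_hours_accepted() {
    accepted_logins | awk '{ split($3, t, ":"); if (t[1] + 0 < 6) print }'
}

# Failed password attempts grouped by source IP, busiest first.
# The IP is always the field after "from", so "invalid user X" lines are handled too.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
    }' | sort | uniq -c | sort -rn
}

# Every sshd line from one host, to line up against the OpenVPN/workstation timeline.
# Dots in the address are escaped so 10.1.10.3 does not also match 10.1.10.33.
events_from_host() {
    ip=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "sshd\[[0-9]+\]:.* from $ip( |$)"
}

# Report password and explicit root logins still enabled in an sshd_config on stdin.
# sshd honours the first occurrence of a keyword; PasswordAuthentication defaults to yes
# when absent, so a missing line is reported too. Prints one finding per line, exit 1 if any.
audit_sshd_config() {
    awk '
        /^[[:space:]]*PasswordAuthentication[[:space:]]/ { if (pa == "") pa = $2 }
        /^[[:space:]]*PermitRootLogin[[:space:]]/        { if (prl == "") prl = $2 }
        END {
            n = 0
            if (pa == "" || tolower(pa) == "yes") { print "PasswordAuthentication is effectively yes: set it to no and use keys"; n++ }
            if (tolower(prl) == "yes") { print "PermitRootLogin yes: set it to no or prohibit-password"; n++ }
            exit (n > 0)
        }'
}

# Demo over the constructed sample. On the real box the same filters apply to the live file,
# e.g.  grep sshd /var/log/secure | off_hours_accepted   and   audit_sshd_config < /etc/ssh/sshd_config
echo "== successful logins outside 00:00-06:00 =="
printf '%s\n' "$SAMPLE_SECURE" | off_hours_accepted
echo "== failed password attempts by source =="
printf '%s\n' "$SAMPLE_SECURE" | failed_by_source
echo "== all sshd events from 10.1.10.33 =="
printf '%s\n' "$SAMPLE_SECURE" | events_from_host 10.1.10.33
echo "== sshd_config audit =="
printf '%s\n' "$SAMPLE_SSHD_WEAK" | audit_sshd_config || echo "sshd_config needs hardening"
```

If `off_hours_accepted` or `accepted_logins` on the real /var/log/secure shows a session you did not open, treat the box as compromised rather than just rotating the password: the attacker has had a root shell, so authorized_keys, cron entries and running services all need checking, which is the backdoor concern raised in the answer.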