Security threat? Exploit attempt?

ericmurphy

I was going through my system log recently, for a completely unrelated reason, when I came across the following entries:


Feb 27 17:04:23 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user2>.
Feb 27 17:18:06 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user3>.
Feb 27 17:21:15 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user1>.
Feb 27 17:23:41 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user1>.

(Obviously I replaced the names of actual user accounts with <userx>)

Is this evidence of an attempt to break into my system? It looks like an attempt to log in (not sure whether via ssh, ftp, etc.) once on each of three different accounts (there are five other accounts, but these would be the three most obvious to someone who knows me pretty well). Fortunately, none of the three are administrative accounts, but it's got me worried nevertheless. Only one of these accounts is likely to be used on any given day, and these log entries are all within a few minutes of each other.

Or are these just common system errors?
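As an added illustration (not part of the original thread, and not a tool from the system in question), here is a small Python script that triages exactly the kind of DirectoryService throttling lines quoted above: it parses each line into a timestamp and username, clusters events that fall close together in time, and flags any cluster in which several distinct accounts were throttled, which is the pattern that distinguishes someone guessing their way through a list of usernames from one user mistyping their own password. The sample log is constructed from the four lines in the post (placeholder usernames kept) plus one unrelated line to show that non-matching entries are ignored; the year supplied to the parser and the 15-minute gap threshold are assumptions, not values from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four throttling entries from the post (placeholder
# usernames kept) plus one hypothetical unrelated line that must be ignored.
SAMPLE_LOG = """\
Feb 27 17:04:23 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user2>.
Feb 27 17:10:00 DeepBlu kernel[0]: hypothetical unrelated message
Feb 27 17:18:06 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user3>.
Feb 27 17:21:15 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user1>.
Feb 27 17:23:41 DeepBlu DirectoryService[38]: Failed Authentication return is being delayed due to over five recent auth failures for username: <user1>.
"""

# Matches the exact wording of the throttling message shown in the post.
# Syslog timestamps have no year and pad single-digit days with a space.
THROTTLE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ DirectoryService\[\d+\]: "
    r"Failed Authentication return is being delayed due to over five recent "
    r"auth failures for username: (?P<user>.+?)\.$"
)


def parse_throttle_events(text, year=2000):
    """Return a list of (timestamp, username) for every throttling line.

    The year is an assumption supplied by the caller because syslog omits it.
    """
    events = []
    for line in text.splitlines():
        m = THROTTLE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"]))
    return events


def find_bursts(events, max_gap=timedelta(minutes=15), min_users=2):
    """Cluster events whose neighbours are at most max_gap apart and report
    clusters that touched at least min_users distinct accounts.

    Each burst is a dict with start/end timestamps, the sorted list of
    targeted usernames and the number of throttling events it contains.
    """
    events = sorted(events)
    clusters = []
    for ts, user in events:
        if clusters and ts - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append((ts, user))
        else:
            clusters.append([(ts, user)])

    bursts = []
    for cluster in clusters:
        users = sorted({u for _, u in cluster})
        if len(users) >= min_users:
            bursts.append({
                "start": cluster[0][0],
                "end": cluster[-1][0],
                "users": users,
                "events": len(cluster),
            })
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_throttle_events(SAMPLE_LOG)):
        span = (b["end"] - b["start"]).total_seconds() / 60
        print(f"{b['start']:%b %d %H:%M} - {b['end']:%H:%M}: "
              f"{b['events']} throttle events against {len(b['users'])} accounts "
              f"({', '.join(b['users'])}) within {span:.0f} min")
```

Run against the sample, the script reports one burst covering all four entries and three distinct accounts in about nineteen minutes. The cluster-by-gap approach is deliberately simple: the question it answers is "were several accounts attacked in one sitting", not "how many guesses were made", since DirectoryService only logs the throttling decision and not the individual failures behind it.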
 
I've seen something like that within the logs of an IRIX workstation, and I would guess it was, in my case, an automated attempt to log in to the system using common usernames. In your case, assuming your account names are obscure (i.e. not something like "john!"), then it could well be that someone who knows you is trying to get in, unless your usernames and passwords were somehow easy to intercept at another point (e.g. not using ssh or sftp, but using unencrypted methods instead).

There are a few things you can do, such as avoid enabling the root account (trying to log in as "root" is a fairly reasonable guess if the attempts are indeed automated), don't enable any services unless really necessary, restrict remote logins to certain users, ensure your firewall is on, use NAT and port forwarding if behind a router, and you can deny access to certain IP addresses if you have frequent connection attempts from one location... or... better yet... deny access to all IP addresses except a very, very limited few!
 