Old 02-23-2007, 07:09 PM   #1
heluani
Triple-A Player
 
Join Date: May 2005
Location: Berkeley, CA
Posts: 238
asl.log entry

Hi there, lately my browser's been taking forever to start downloading a page. I don't know why I decided to take a look at the logs and I found in the asl.log several (thousands) of entries like the following:

Code:
[Time 2007.02.24 01:04:36 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user root.] [Level 3] [UID -2] [GID -2] [Host Porron]
Code:
[Time 2007.02.24 01:04:36 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.] [Level 5] [UID -2] [GID -2] [Host Porron]
Are these normal?

R.
Old 02-23-2007, 11:37 PM   #2
ElectricSheep
Triple-A Player
 
Join Date: Mar 2006
Posts: 173
I'm curious...how are you connected to the internet? Do you have a Firewall/Router sitting between you and your internet connection? If yes, do you have port forwarding set up on the Firewall/Router for Remote Access?

Someone could be hammering your Mac attempting to brute force their way into SSH to gain root access.
Old 03-28-2007, 12:50 PM   #3
heluani
Triple-A Player
 
Join Date: May 2005
Location: Berkeley, CA
Posts: 238
Quote:
Originally Posted by ElectricSheep
I'm curious...how are you connected to the internet? Do you have a Firewall/Router sitting between you and your internet connection? If yes, do you have port forwarding set up on the Firewall/Router for Remote Access?

Someone could be hammering your Mac attempting to brute force their way into SSH to gain root access.

Ooops, I'm sorry for the delay, I've been out of town. Answering your questions:

1) I am connected to the internet via a cable modem and behind a router doing NAT.

2) I did have the router forwarding the ssh ports to one particular IP that's (usually) assigned to my desktop. (Here's another topic: in my setup I have a desktop connected to the router through ethernet and wireless, and a laptop to wireless. Using DHCP on the router, I don't know how to tell the desktop to use the ethernet interface by default, nor the router to assign a particular IP number to the ethernet connection. The router is a standard Linksys BEFW11S4.)

3) I had however the firewall on both desktop and laptop working, but allowing incoming connections to the ssh ports.

4) When I stop forwarding ports on the router I stop getting those log entries, supporting the theory that someone is trying to "hammer" (as you put it) my ssh server. But I find it strange that some kid that knows how to brute force attack a Mac server will be trying with a particular home...

Anyways, going through all my logs I can't say that someone actually did break in (though they could be much smarter than me and have erased tracks), and I started looking at those logs 'cause of the issue with my browser (the original post), and this just supports the theory that those logs just mean something that I have no clue about!

Thanks,

R.
Old 03-29-2007, 01:07 PM   #4
ElectricSheep
Triple-A Player
 
Join Date: Mar 2006
Posts: 173
Quote:
But I find it strange that some kid that knows how to brute force attack a mac server will be trying with a particular home...

These kinds of attacks are usually automated by a script that scans a range of IP addresses for open services (in your case it was SSH) and then tries a number of different exploits/attacks on that service to gain access. You'd be surprised what kinds of traffic filters its way to the casual home internet user. I used to keep a live monitor on my firewall, and I would see all kinds of remote exploits, worms, and password attacks coming off of the Comcast network.
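An added example, not part of the original thread: a small Python triage script for asl.log entries in the bracketed layout posted above, counting SecurityServer authentication failures per user and per minute so a burst of guessing against sshd stands out. The `threshold` value, the `_entry` helper and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

FIELD = re.compile(r"\[(\w+) ([^\]]*)\]")  # one "[Key value]" pair
AUTH_FAIL = re.compile(r"failed to authenticate user (\S+?)\.?$")
SSHD_DENY = "Failed to authorize right system.login.tty by process /usr/sbin/sshd"

def parse_entry(line):
    """Turn one '[Key value] [Key value] ...' entry into a dict.
    Simplification: assumes values contain no ']' characters."""
    return dict(FIELD.findall(line))

def summarize(lines, threshold=3):
    """Summarize SecurityServer login failures.
    threshold (failures per minute worth flagging) is an assumed value."""
    per_user, per_minute, sshd_denials = Counter(), Counter(), 0
    for line in lines:
        entry = parse_entry(line)
        if entry.get("Sender") != "com.apple.SecurityServer":
            continue
        msg = entry.get("Message", "")
        if SSHD_DENY in msg:
            sshd_denials += 1
        match = AUTH_FAIL.search(msg)
        if match:
            ts = datetime.strptime(entry["Time"], "%Y.%m.%d %H:%M:%S UTC")
            per_user[match.group(1)] += 1
            per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
    noisy = sorted(m for m, n in per_minute.items() if n >= threshold)
    return {"per_user": dict(per_user), "sshd_denials": sshd_denials,
            "noisy_minutes": noisy}

def _entry(time, message, level, sender="com.apple.SecurityServer"):
    # Hypothetical helper: builds a constructed entry in the posted layout.
    return (f"[Time {time} UTC] [Facility authpriv] [Sender {sender}] [PID -1] "
            f"[Message {message}] [Level {level}] [UID -2] [GID -2] [Host Porron]")

FAIL = "authinternal failed to authenticate user "
DENY = SSHD_DENY + " for authorization created by /usr/sbin/sshd."
SAMPLE = [  # constructed sample data, not taken from a real log
    _entry("2007.02.24 01:04:36", FAIL + "root.", 3),
    _entry("2007.02.24 01:04:36", DENY, 5),
    _entry("2007.02.24 01:04:38", FAIL + "root.", 3),
    _entry("2007.02.24 01:04:38", DENY, 5),
    _entry("2007.02.24 01:04:40", FAIL + "guest.", 3, sender="com.example.other"),
    _entry("2007.02.24 01:04:41", FAIL + "root.", 3),
    _entry("2007.02.24 01:05:02", FAIL + "admin.", 3),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

These entries carry only the local host name, not the remote address, so the source of the attempts has to come from sshd's own log or the router.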
All times are GMT -5.