DragonFly users List (threaded) for 2005-03
Re: Note to LEAF users on ssh logins
On Wed, 2 Mar 2005 19:23:16 -0800 (PST), Matthew Dillon
<dillon@xxxxxxxxxxxxxxxxxxxx> wrote:
Leaf and, in fact, all of my machines which have open ssh ports are
getting random hack attempts, about 20-30 a day in short bursts,
usually from a different IP address each day. I talked with a few
sysop friends and their boxes are getting similar traffic. The hack
attempts primarily try to ssh to root, admin, and a bunch of
microsoft-soundy names. It looks fairly coordinated, like it is trying
a couple of passwords each day then trying again with different
passwords the next day.
While none of my machines allow passworded logins over ssh (especially
not for root), and LEAF accounts are all '*'d out (key only logins),
I am rather disquieted by the continuous attempts so I have written
and installed a little program to monitor the syslog which will
automatically block failed password or illegal user login attempts.
It isn't very refined yet so if you find yourself locked out of leaf
send me an email!
-Matt
Matthew Dillon
<dillon@xxxxxxxxxxxxx>
Mar 3 16:48:39 everest sshd[30735]: Failed password for invalid user larisa from 24.136.209.29 port 2404 ssh2
Mar 3 16:48:41 everest sshd[30744]: Failed password for invalid user shell from 24.136.209.29 port 2460 ssh2
Mar 3 16:48:45 everest sshd[30750]: Failed password for invalid user jane from 24.136.209.29 port 2574 ssh2
Mar 3 16:48:47 everest sshd[30759]: Failed password for invalid user shell from 24.136.209.29 port 2664 ssh2
Mar 3 16:48:49 everest sshd[30762]: Failed password for invalid user dog from 24.136.209.29 port 2696 ssh2
Mar 3 16:48:52 everest sshd[30766]: Failed password for invalid user jane from 24.136.209.29 port 2774 ssh2
Mar 3 16:48:54 everest sshd[30774]: Failed password for invalid user blue from 24.136.209.29 port 2847 ssh2
Mar 3 16:48:56 everest sshd[30778]: Failed password for invalid user dog from 24.136.209.29 port 2915 ssh2
Mar 3 16:48:58 everest sshd[30785]: Failed password for invalid user red from 24.136.209.29 port 2968 ssh2
Mar 3 16:49:00 everest sshd[30794]: Failed password for invalid user blue from 24.136.209.29 port 3028 ssh2
Mar 3 16:49:02 everest sshd[30797]: Failed password for invalid user yellow from 24.136.209.29 port 3076 ssh2
Mar 3 16:49:04 everest sshd[30801]: Failed password for invalid user red from 24.136.209.29 port 3152 ssh2
Mar 3 16:49:06 everest sshd[30808]: Failed password for invalid user green from 24.136.209.29 port 3204 ssh2
Mar 3 16:49:08 everest sshd[30811]: Failed password for invalid user yellow from 24.136.209.29 port 3270 ssh2
Mar 3 16:49:10 everest sshd[30814]: Failed password for invalid user black from 24.136.209.29 port 3325 ssh2
Mar 3 16:49:12 everest sshd[30818]: Failed password for invalid user green from 24.136.209.29 port 3392 ssh2
Mar 3 16:49:14 everest sshd[30821]: Failed password for invalid user pub from 24.136.209.29 port 3455 ssh2
Mar 3 16:49:16 everest sshd[30824]: Failed password for invalid user black from 24.136.209.29 port 3513 ssh2
...
478 login attempts for bogus accounts in the last 3 or so days
it's a worm, any questions?
Mar 3 16:48:22 everest sshd[30712]: Failed password for invalid user god from 24.136.209.29 port 1901 ssh2
Mar 3 16:48:25 everest sshd[30715]: Failed password for invalid user barbara from 24.136.209.29 port 1990 ssh2
Mar 3 16:48:28 everest sshd[30718]: Failed password for invalid user god from 24.136.209.29 port 2055 ssh2
Oh so leet, they watched Hackers.
Don't worry too much about it, it's a worm. :)
[root@XXXXXXXX /var/log]# cat messages | grep sshd | grep Failed | grep invalid | wc -l
478
TSUME
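A sketch of the kind of syslog monitoring described in the quoted message, as an added example that is not part of either post and is not Matt's program: it parses sshd failure lines in the format shown in this thread and reports source addresses that reach a failure threshold inside a time window, leaving the actual blocking to the firewall. The function name, threshold, window, allowlist and year parameter are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line with a greedy user field, so the address captured
# is always the one sshd appended, never text from inside the username.
# Accepts both "invalid user" (the logs above) and "illegal user" (the
# wording used in the quoted message).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?\s*$"
)

def find_offenders(lines, threshold=5, window=timedelta(minutes=1),
                   allow=(), year=2005):
    """Map each source address to the time it reached `threshold` failed
    logins within `window`. Syslog lines carry no year, so one is supplied."""
    allowed = [ipaddress.ip_network(net) for net in allow]
    recent = defaultdict(deque)   # address -> timestamps still inside window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue              # hostname or junk: never act on it
        if any(ip in net for net in allowed):
            continue              # allowlisted hosts are never reported
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[ip]
        seen.append(when)
        while when - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            offenders.setdefault(str(ip), when)
    return offenders

# Constructed sample (documentation addresses), in the thread's log format.
SAMPLE = [
    f"Mar  3 16:48:{sec:02d} host sshd[{300 + sec}]: Failed password for "
    f"invalid user test{sec} from 192.0.2.10 port {2400 + sec} ssh2"
    for sec in range(40, 50, 2)   # five failures in eight seconds
] + [
    "Mar  3 16:50:00 host sshd[400]: Failed password for root "
    "from 198.51.100.7 port 4000 ssh2",   # one failure: below threshold
]
```

The allowlist covers the lockout case mentioned in the quoted message: addresses of known users can be listed there so a mistyped password never gets them reported.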