DragonFly BSD
DragonFly users List (threaded) for 2005-03

Re: Note to LEAF users on ssh logins


From: Tsume <tsume@xxxxxxxxxxxxx>
Date: Thu, 03 Mar 2005 22:55:16 -0500

On Wed, 2 Mar 2005 19:23:16 -0800 (PST), Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx> wrote:

Leaf and, in fact, all of my machines which have open ssh ports are getting
random hack attempts, about 20-30 a day in short bursts, usually from a
different IP address each day. I talked with a few sysop friends and
their boxes are getting similar traffic. The hack attempts primarily
try to ssh to root, admin, and a bunch of microsoft-soundy names. It looks
fairly coordinated, like it is trying a couple of passwords each day
then trying again with different passwords the next day.


While none of my machines allow passworded logins over ssh (especially
not for root), and LEAF accounts are all '*'d out (key only logins),
I am rather disquieted by the continuous attempts so I have written and
installed a little program to monitor the syslog which will automatically
block failed password or illegal user login attempts.


    It isn't very refined yet so if you find yourself locked out of leaf
    send me an email!

					-Matt
					Matthew Dillon
					<dillon@xxxxxxxxxxxxx>

Mar 3 16:48:39 everest sshd[30735]: Failed password for invalid user larisa from 24.136.209.29 port 2404 ssh2
Mar 3 16:48:41 everest sshd[30744]: Failed password for invalid user shell from 24.136.209.29 port 2460 ssh2
Mar 3 16:48:45 everest sshd[30750]: Failed password for invalid user jane from 24.136.209.29 port 2574 ssh2
Mar 3 16:48:47 everest sshd[30759]: Failed password for invalid user shell from 24.136.209.29 port 2664 ssh2
Mar 3 16:48:49 everest sshd[30762]: Failed password for invalid user dog from 24.136.209.29 port 2696 ssh2
Mar 3 16:48:52 everest sshd[30766]: Failed password for invalid user jane from 24.136.209.29 port 2774 ssh2
Mar 3 16:48:54 everest sshd[30774]: Failed password for invalid user blue from 24.136.209.29 port 2847 ssh2
Mar 3 16:48:56 everest sshd[30778]: Failed password for invalid user dog from 24.136.209.29 port 2915 ssh2
Mar 3 16:48:58 everest sshd[30785]: Failed password for invalid user red from 24.136.209.29 port 2968 ssh2
Mar 3 16:49:00 everest sshd[30794]: Failed password for invalid user blue from 24.136.209.29 port 3028 ssh2
Mar 3 16:49:02 everest sshd[30797]: Failed password for invalid user yellow from 24.136.209.29 port 3076 ssh2
Mar 3 16:49:04 everest sshd[30801]: Failed password for invalid user red from 24.136.209.29 port 3152 ssh2
Mar 3 16:49:06 everest sshd[30808]: Failed password for invalid user green from 24.136.209.29 port 3204 ssh2
Mar 3 16:49:08 everest sshd[30811]: Failed password for invalid user yellow from 24.136.209.29 port 3270 ssh2
Mar 3 16:49:10 everest sshd[30814]: Failed password for invalid user black from 24.136.209.29 port 3325 ssh2
Mar 3 16:49:12 everest sshd[30818]: Failed password for invalid user green from 24.136.209.29 port 3392 ssh2
Mar 3 16:49:14 everest sshd[30821]: Failed password for invalid user pub from 24.136.209.29 port 3455 ssh2
Mar 3 16:49:16 everest sshd[30824]: Failed password for invalid user black from 24.136.209.29 port 3513 ssh2


...

478 login attempts for bogus accounts in the last 3 or so days
it's a worm, any questions?
Mar 3 16:48:22 everest sshd[30712]: Failed password for invalid user god from 24.136.209.29 port 1901 ssh2
Mar 3 16:48:25 everest sshd[30715]: Failed password for invalid user barbara from 24.136.209.29 port 1990 ssh2
Mar 3 16:48:28 everest sshd[30718]: Failed password for invalid user god from 24.136.209.29 port 2055 ssh2


Oh so leet, they watched Hackers.

Don't worry too much about it, it's a worm. :)
[root@XXXXXXXX /var/log]# cat messages | grep sshd | grep Failed | grep invalid | wc -l
478


TSUME
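
A syslog watcher of the kind described in the quoted message, as an added example (not Matthew Dillon's program and not part of the original posts): it parses sshd "Failed password" lines and reports source addresses that reach a failure threshold inside a sliding window. The function names, the 4-failures-in-10-minutes policy, the year and the sample lines are assumptions; the sample uses documentation addresses, and no firewall is touched.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The username is attacker-controlled text. Matching it greedily and anchoring at
# end of line makes the address come from the " from IP port N" that sshd itself
# wrote last, not from a fake one embedded in the username.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d)?$"
)

def parse(line, year):
    """Return (time, ip, user) for a password failure, None for any other line."""
    m = FAILED.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]

def offenders(lines, year=2005, threshold=4, window=timedelta(minutes=10)):
    """Map source IP -> time it first reached `threshold` failures within `window`."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    flagged = {}
    for line in lines:           # lines are expected in chronological order
        rec = parse(line, year)
        if rec is None:
            continue
        ts, ip, _user = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample: a slow source, a burst, and one mistyped password.
SAMPLE = """\
Mar  2 01:00:00 host sshd[90]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  2 04:00:00 host sshd[91]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar  2 07:00:00 host sshd[92]: Failed password for root from 203.0.113.5 port 4003 ssh2
Mar  2 10:00:00 host sshd[93]: Failed password for root from 203.0.113.5 port 4004 ssh2
Mar  3 16:48:39 host sshd[101]: Failed password for invalid user larisa from 192.0.2.10 port 2404 ssh2
Mar  3 16:48:41 host sshd[102]: Failed password for invalid user shell from 192.0.2.10 port 2460 ssh2
Mar  3 16:48:45 host sshd[103]: Failed password for invalid user jane from 192.0.2.10 port 2574 ssh2
Mar  3 16:48:47 host sshd[104]: Failed password for invalid user dog from 192.0.2.10 port 2664 ssh2
Mar  3 16:50:00 host sshd[210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 16:50:10 host sshd[211]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
""".splitlines()
```

Only the burst from 192.0.2.10 is reported: the slow source never has four failures inside one window, and a single mistyped password stays under the threshold, which is the lock-out case the quoted message warns about.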


