Repeated attacks via SSH
Clemens Renner
claim at rinux.net
Mon Oct 3 04:00:37 PDT 2005
Tod McQuillin wrote:
> What happens is that there are two kinds of messages from ssh in
> /var/log/auth.log. When an attacker tries a nonexistent user, you get
>
> Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
>
> When an attacker tries an existing user, you get
>
> Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2

I happen to see different entries in my daily security run output:

Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2

So I guess I am notified about both kinds of attacks.

By the way, do any of you see a threat in disclosing this kind of
log output to the network abuse departments of the corresponding
hosters? Often, I encounter intrusion attempts from rented servers where
there is an authority above the abuser able to step in.

And --on an unrelated matter-- funny to see that we even have trolls
here. :)

Cheers
Clemens
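
The three sshd message shapes quoted in this thread, classified and grouped per source address; this is an added example, not part of the original message or of any FreeBSD tool. The function names and the sample log are constructed for illustration, and the pattern also accepts the "Invalid user" spelling used by later OpenSSH releases.

```python
import re
from collections import defaultdict

# Constructed sample: the three message shapes quoted in this thread, plus one
# unrelated line that must be ignored.
SAMPLE_LOG = """\
Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2
Oct 2 13:02:10 plexi sshd[79301]: Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2
Oct 2 13:02:11 plexi sshd[79302]: Accepted publickey for tod from 192.0.2.10 port 50001 ssh2
"""

# User names are supplied by the remote side, so the user group is greedy and
# the address is taken after the LAST " from " on the line.
TAIL = r"(?P<user>.*) from (?P<ip>\S+)(?: port \d+)?(?: ssh2)?$"
PROBE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user " + TAIL)
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:illegal|invalid) user )?" + TAIL)

def classify(line):
    """Return (kind, user, ip) for an sshd failure line, or None."""
    m = PROBE.search(line)
    if m:
        return ("nonexistent", m["user"], m["ip"])
    m = FAILED.search(line)
    if m:
        # Without the optional marker, "illegal" would be read as the user name.
        return ("nonexistent" if m["bad"] else "existing", m["user"], m["ip"])
    return None

def summarize(log_text):
    """Group attempted user names per source address, split by kind."""
    report = defaultdict(lambda: {"existing": set(), "nonexistent": set(), "lines": 0})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, user, ip = hit
            report[ip][kind].add(user)
            report[ip]["lines"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, r["lines"], sorted(r["existing"]), sorted(r["nonexistent"]))
```
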
More information about the freebsd-security
mailing list