Date:      Fri, 14 Nov 2008 23:37:15 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Lisa Casey <lisa@mail.jellico.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Question about entry in auth.log
Message-ID:  <20081115073714.GA66093@icarus.home.lan>
In-Reply-To: <20081114215444.C8966@mail.jellico.com>
References:  <B8B09B39A8884900970CF2434D40F6C4@CaseyHome> <BAY122-DAV1214B45821956EB1D7B782BA110@phx.gbl> <692726B5-52B5-46AC-9C79-41553179AF36@comcast.net> <20081114215444.C8966@mail.jellico.com>

On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever  
> been there. I got rid of the michael account (it wasn't used anyway), and 
> downloaded a new copy of chkrootkit, installed it and ran it along with  
> chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless
> enough prank? Anything else I ought to look at? Fortunately the michael
> account did not have the ability to su to root.

The individual in Romania *was not* able to log in as michael.  The
message you saw was sshd saying "Someone's trying to SSH in as user
michael; SSH key negotiation failed, and now I'm asking them to type in
their password manually".

It's not a prank.  Shady online individuals have written scripts/tools
that repetitively beat on sshd, trying to find an account they can log
in as.  They're simply scanning for valid accounts, and they also often
try many passwords over and over (common things, such as the username as
a password).

Welcome to the Internet circa 2008.  :(

"So how do I solve this problem?"

The easiest way: change sshd to listen on a port *other* than 22.  Many
people pick 2222.  This relieves 99% of the pain, but requires you to
tell your users/co-workers/peers "My box listens on port 2222 for ssh,
not 22".

A secondary way: programs which monitor logs and add firewall block
rules when they see too many brute force attempts coming from an IP
address:

ports/security/blocksshd
ports/security/sshblock
ports/security/sshguard
(I think I forgot one more, but those are the main three)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
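As an added illustration of the log-monitoring approach Jeremy describes (not code from the thread or from any of the named ports), the following script scans sshd auth.log lines for rejected logins, counts them per source address inside a sliding time window, and reports the addresses a tool like those listed would hand to the firewall. The log excerpt is constructed for the example; the threshold, window and year are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH writes one "Failed password|publickey for ..." line per rejected attempt;
# its separate "Invalid user ..." line is ignored here so one attempt is not counted twice.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failure(line, year=2008):
    """Return (timestamp, user, ip) for a rejected-login line, else None."""
    m = FAILED_RE.search(line)
    if m is None:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed 2008)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_brute_forcers(lines, max_failures=5, window_seconds=600):
    """Map ip -> peak failure count for IPs reaching max_failures within a window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # expire failures older than the window
        if len(q) >= max_failures:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

# Constructed sample auth.log excerpt (RFC 5737 test addresses, not real hosts)
SAMPLE_LOG = """\
Nov 14 21:50:12 mail sshd[4321]: Failed password for invalid user michael from 192.0.2.10 port 51234 ssh2
Nov 14 21:50:15 mail sshd[4322]: Failed password for invalid user michael from 192.0.2.10 port 51235 ssh2
Nov 14 21:50:18 mail sshd[4323]: Failed password for root from 192.0.2.10 port 51236 ssh2
Nov 14 21:50:20 mail sshd[4324]: Accepted publickey for lisa from 198.51.100.5 port 40110 ssh2
Nov 14 21:50:21 mail sshd[4325]: Failed password for invalid user admin from 192.0.2.10 port 51237 ssh2
Nov 14 21:50:24 mail sshd[4326]: Failed publickey for michael from 192.0.2.10 port 51238 ssh2
Nov 14 21:55:00 mail sshd[4400]: Failed password for lisa from 203.0.113.7 port 40200 ssh2
""".splitlines()
```

A single mistyped password from a legitimate user stays below the threshold, while the scanner cycling through usernames crosses it within seconds.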