From: Mohacsi Janos
Date: Fri, 13 Aug 2004 16:14:29 +0200 (CEST)
To: Sandor Berta
Cc: freebsd-security@freebsd.org
Subject: Re: sequences in the auth.log

Hi Sandor,

You don't have to worry, unless you have a user 'test', 'guest', 'admin' or 'root' with a poor password: typically the same as or very similar to your account name.
There seems to be a script going around among the hackers to scan SSH and gain access to poorly configured servers... Unfortunately there are plenty of badly configured servers. Maybe you should disable root access via SSH password (only via keys).

Regards,

Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

On Fri, 13 Aug 2004, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the /var/auth.log files of the FreeBSD boxes I supervise:
>
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta
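
Added example, not part of the original thread: a small detector for the pattern in the quoted log, flagging any source address that produces several unknown-user or failed-password sshd entries within a short window. The sample lines are constructed with documentation-range addresses, and the function name, thresholds and default year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format quoted in the thread; the addresses are
# documentation-range placeholders, not the ones from the post.
SAMPLE_LOG = """\
Aug 13 13:56:08 www sshd[26091]: Illegal user test from 192.0.2.10
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 192.0.2.10
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 192.0.2.10
Aug 13 13:56:21 www sshd[26105]: Illegal user user from 192.0.2.10
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 192.0.2.10 port 39678 ssh2
Aug 13 13:56:28 www sshd[26109]: Failed password for root from 192.0.2.10 port 39760 ssh2
Aug 13 14:02:40 www sshd[26200]: Failed password for alice from 203.0.113.5 port 50022 ssh2
Aug 13 14:02:49 www sshd[26202]: Accepted password for alice from 203.0.113.5 port 50031 ssh2
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 198.51.100.7
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 198.51.100.7
"""

# "Illegal user" is the wording in the quoted log; newer OpenSSH releases
# write "Invalid user", so both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:(?:Illegal|Invalid) user (?P<u1>\S+)"
    r"|Failed password for (?:invalid user )?(?P<u2>\S+))"
    r" from (?P<ip>\S+)"
)

def find_scanners(log_text, min_attempts=5, window_s=60, year=2004):
    """Map each source IP with >= min_attempts failures inside one sliding
    window of window_s seconds to the sorted usernames it tried. Syslog omits
    the year, so the caller supplies it (assumed: 2004, the thread's year)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # successful logins and unrelated lines do not match
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((when, m["u1"] or m["u2"]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end, (when, _) in enumerate(hits):
            # Shrink the window from the left until it spans <= window_s.
            while (when - hits[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_attempts:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged
```

With the defaults only the burst from 192.0.2.10 is reported; the single mistyped password followed by a successful login, and the two-attempt probe, stay below the threshold.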