From: Peter Kropholler <peterkropholler@mac.com>
To: freebsd-questions@freebsd.org
Date: Tue, 17 May 2005 15:36:45 +0100
Subject: illegal user root user failed login attempts

> This link might help: http://seclists.org/lists/incidents/2005/Feb/0004.html

Karol,

Thanks for this pointer. There are two really important pieces of advice on that web page which persuade me to ditch any thoughts of trying to determine what passwords people are using with their illegal login scams:

1. it's probably illegal
2. it potentially gives hackers an excuse: someone else knew their password?!

As things stand, ssh is designed so you can't get at people's passwords and I am leaving it alone.
Focussing instead on the task of making sure my passwords are strong, limiting AllowUsers to specific users and trusted IP addresses, and moving ssh off port 22.

Other advice I received was to consider logging IP addresses and sending complaints to the relevant authorities; however, I doubt that there is very much point in doing so since my guess is that most scams come from hacked machines anyway. Basically you never see the same IP address twice.

many thanks
Peter K
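The sshd hardening Peter describes (AllowUsers restricted to named accounts and trusted addresses, sshd moved off port 22), written out as an added sshd_config example rather than the poster's own configuration; the user names, addresses and port number are constructed placeholders, and the root-login, retry and logging settings go slightly beyond what the post lists.

```sshd_config
# Added example, not from the original post. User names, addresses and
# the port are constructed placeholders (RFC 5737 documentation ranges).

# Move the listener off 22. This only thins out untargeted scanning and
# is not a substitute for the restrictions below.
Port 2222

# Refuse root logins outright; administer through a normal account and
# su/sudo. Removes the "root" half of the failed-login noise entirely.
PermitRootLogin no

# Allow-list: only these accounts, and only from these source addresses.
# USER@HOST checks user and host separately; a bare USER allows any host.
# The host part is a pattern (* and ? wildcards); recent OpenSSH also
# accepts CIDR notation there. Any login not matching is refused before
# the password is even checked, so "Illegal user" guesses fail fast.
AllowUsers peter@192.0.2.10 peter@198.51.100.* admin@203.0.113.7

# Give a brute-forcer less to work with: fewer password tries per
# connection and a short window in which to finish authenticating.
MaxAuthTries 3
LoginGraceTime 30

# Keep failed attempts in auth.log so source addresses can be reviewed.
LogLevel VERBOSE
```

Check the file with `sshd -t` before restarting sshd, and keep the existing session open until a fresh login on the new port succeeds, since a typo in AllowUsers or Port locks out everyone, including you.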