Date: Mon, 3 Oct 2005 14:56:17 +0900 (JST)
From: Tod McQuillin <devin@spamcop.net>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-ID: <20051003145046.A30969@plexi.pun-pun.prv>
In-Reply-To: <6.2.3.4.2.20051002153930.07a50528@localhost>
References: <6.2.3.4.2.20051002153930.07a50528@localhost>
On Sun, 2 Oct 2005, Brett Glass wrote:

> But wait... there's more. The interesting thing about these attacks is
> that the user IDs for which passwords are being guessed aren't coming
> from a completely fixed list. Besides guessing at the passwords for
> root, toor, news, admin, test, guest, webmaster, sshd, and mysql, the
> bots are also trying to get into our mail exchangers via user IDs which
> are the actual names of users for whom the machines receive mail.

I had a similar fear myself, but when I took a closer look, I realised it was not actually the case that the attackers had specific knowledge of the users on my server.

What happens is that there are two kinds of messages from ssh in /var/log/auth.log.

When an attacker tries a nonexistent user, you get

  Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11

When an attacker tries an existing user, you get

  Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2

In my case, attackers are trying a big list of usernames, and I get both kinds of messages in my auth.log. However, in the daily security mail to root, only the "Failed password" messages are included, so if that's all you see you get the impression that attackers are specifically targeting your users.

At least, that is what I thought at first. But when I took a closer look at auth.log, it became clear that that's not what was really happening. Maybe this is the case for Brett as well.

-- 
Tod McQuillin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051003145046.A30969>
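The distinction Tod draws, "Illegal user" lines for nonexistent accounts versus "Failed password" lines for real ones, is easy to check mechanically once both message shapes are parsed and tallied per source address. The following is an added example, not code from the thread or from FreeBSD's periodic security scripts. The sample log lines are constructed: the address 83.142.49.11 and the two 2005-era message shapes come from the post above, while the other addresses, the usernames and the newer "Invalid user" / "Failed password for invalid user" wording (what later OpenSSH releases log) are assumptions added here. The security_mail_view function only reproduces the filter the post describes (Failed password lines only); it is not the actual periodic script.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/auth.log lines (see lead-in for what is assumed).
SAMPLE_LINES = [
    "Oct  2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11",
    "Oct  2 13:00:05 plexi sshd[79196]: Illegal user alice from 83.142.49.11",
    "Oct  2 13:00:08 plexi sshd[79198]: Illegal user admin from 83.142.49.11",
    "Oct  2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2",
    "Oct  2 13:01:52 plexi sshd[79290]: Failed password for root from 83.142.49.11 port 42501 ssh2",
    "Oct  2 13:05:10 plexi sshd[79310]: Failed password for devin from 10.0.0.7 port 51022 ssh2",
    "Oct  2 13:05:14 plexi sshd[79312]: Failed password for devin from 10.0.0.7 port 51023 ssh2",
    "Oct  2 13:05:20 plexi sshd[79314]: Accepted publickey for devin from 10.0.0.7 port 51030 ssh2",
    "Oct  2 13:10:01 plexi sshd[79400]: Invalid user test from 198.51.100.4 port 33010",
    "Oct  2 13:10:01 plexi sshd[79400]: Failed password for invalid user test from 198.51.100.4 port 33010 ssh2",
]

# sshd logged "Illegal user" in 2005; later releases say "Invalid user".
# Both spellings are accepted (assumption: no other variants in the log).
NONEXISTENT_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")
# Newer sshd also emits "Failed password for invalid user X"; that line
# duplicates the "Invalid user" line, so it is recognised and skipped.
EXISTING_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_auth_log(lines):
    """Tally failed logins per source IP.

    Returns {ip: {"nonexistent": {user: n}, "existing": {user: n}}}.
    Lines matching neither pattern (accepted logins, other daemons) are ignored.
    """
    stats = defaultdict(lambda: {"nonexistent": defaultdict(int),
                                 "existing": defaultdict(int)})
    for line in lines:
        m = NONEXISTENT_RE.search(line)
        if m:
            stats[m["ip"]]["nonexistent"][m["user"]] += 1
            continue
        m = EXISTING_RE.search(line)
        if m and not m["invalid"]:
            stats[m["ip"]]["existing"][m["user"]] += 1
    return stats


def classify_source(entry):
    """Label one source by the mix of account names it tried.

    A source that also hammers nonexistent names is walking a username list;
    any real accounts it hit were in that list by coincidence.  A source that
    only ever names real accounts deserves a closer look (targeted guessing,
    or just a legitimate user mistyping a password).
    """
    nonexistent = sum(entry["nonexistent"].values())
    existing = sum(entry["existing"].values())
    if nonexistent == 0:
        return "targeted-or-user"
    if existing == 0:
        return "scan"
    return "scan-with-hits"


def security_mail_view(lines):
    """The subset the daily security mail shows, per the post: only
    'Failed password' lines.  'Illegal user' lines never reach the reader,
    which is what makes a list scan look like targeting of real users."""
    return [line for line in lines if "Failed password for" in line]


def report(lines):
    """Print per-source counts next to the verdict; returns the stats."""
    stats = parse_auth_log(lines)
    for ip, entry in sorted(stats.items()):
        print("%-15s nonexistent=%-3d existing=%-3d %s" % (
            ip, sum(entry["nonexistent"].values()),
            sum(entry["existing"].values()), classify_source(entry)))
    return stats


if __name__ == "__main__":
    print("--- what the security mail shows ---")
    for line in security_mail_view(SAMPLE_LINES):
        print(line)
    print("--- what auth.log shows ---")
    report(SAMPLE_LINES)
```

Run against a real auth.log (for example `parse_auth_log(open("/var/log/auth.log"))`), the "scan-with-hits" verdict is the common one for the kind of traffic described in the thread: many "Illegal user" entries from the same address with a handful of real accounts mixed in. Only a source with zero nonexistent names is worth treating as possibly targeted.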