From owner-freebsd-security@FreeBSD.ORG Mon Oct 3 11:00:37 2005
Return-Path:
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73A8E16A41F for ; Mon, 3 Oct 2005 11:00:37 +0000 (GMT) (envelope-from claim@rinux.net)
Received: from rinux.net (rinux.net [81.169.157.144]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05BAC43D4C for ; Mon, 3 Oct 2005 11:00:36 +0000 (GMT) (envelope-from claim@rinux.net)
Received: from localhost (localhost [127.0.0.1]) by rinux.net (Postfix) with ESMTP id D9206484419 for ; Mon, 3 Oct 2005 13:00:34 +0200 (CEST)
Received: from rinux.net ([127.0.0.1]) by localhost (rinux.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 09115-19 for ; Mon, 3 Oct 2005 13:00:33 +0200 (CEST)
Received: from [10.0.0.3] (i53878FA0.versanet.de [83.135.143.160]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rinux.net (Postfix) with ESMTP id 9CCD2484418 for ; Mon, 3 Oct 2005 13:00:33 +0200 (CEST)
Message-ID: <43410F51.5010607@rinux.net>
Date: Mon, 03 Oct 2005 13:00:33 +0200
From: Clemens Renner
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <6.2.3.4.2.20051002153930.07a50528@localhost> <20051003145046.A30969@plexi.pun-pun.prv>
In-Reply-To: <20051003145046.A30969@plexi.pun-pun.prv>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new/F-Prot at rinux.net
Subject: Re: Repeated attacks via SSH
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Mon, 03 Oct 2005 11:00:37 -0000

Tod McQuillin wrote:
> What happens is that there are two kinds of messages from ssh in
> /var/log/auth.log. When an attacker tries a nonexistent user, you get
>
> Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
>
> When an attacker tries an existing user, you get
>
> Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from
> 83.142.49.11 port 42480 ssh2

I happen to see different entries in my daily security run output:

Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2

So I guess I am notified about both kinds of attacks.

By the way, do any of you see a threat in disclosing this kind of log output to the network abuse departments of the corresponding hosters? Often, I encounter intrusion attempts from rented servers where there is an authority above the abuser able to step in.

And --on an unrelated matter-- funny to see that we even have trolls here. :)

Cheers
Clemens
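The thread above describes three shapes of sshd failure line in /var/log/auth.log: "Illegal user X from IP" (nonexistent account), "Failed password for X from IP port N ssh2" (existing account), and the combined "Failed password for illegal user X from IP port N ssh2" that Clemens sees. The following parser is an added example written for this editing pass; it is not code from either poster and not part of FreeBSD's periodic security run. It recognises all three shapes, and additionally the "Invalid user" wording that later OpenSSH releases log in place of "Illegal user", then aggregates attempts per source address so that a reader can tell which sources are guessing nonexistent accounts versus real ones. The sample log, the 192.0.2.0/24 address, the pids after 79286, and the `threshold` value are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt. The first three message bodies are the ones
# quoted in the thread; the remaining lines are made up to exercise the other cases.
SAMPLE_AUTH_LOG = """\
Oct  2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11
Oct  2 13:01:47 plexi sshd[79286]: Failed password for www from 83.142.49.11 port 42480 ssh2
Oct  2 13:02:10 plexi sshd[79301]: Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2
Oct  2 13:02:15 plexi sshd[79305]: Failed password for root from 217.20.119.212 port 50660 ssh2
Oct  2 13:02:40 plexi sshd[79310]: Accepted publickey for clemens from 192.0.2.10 port 51000 ssh2
Oct  2 13:03:01 plexi sshd[79312]: Invalid user test from 217.20.119.212 port 50702
"""

# Nonexistent account, logged before any password is tried. Older OpenSSH writes
# "Illegal user", newer releases write "Invalid user" and append the client port.
UNKNOWN_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)"
    r"(?: port (?P<port>\d+))?\s*$"
)

# Wrong password; the optional "illegal user"/"invalid user" prefix marks a nonexistent account.
FAILED_PASSWORD = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?P<unknown>(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict describing one failed-login event, or None for any other line."""
    m = UNKNOWN_USER.search(line)
    if m:
        return {
            "kind": "unknown_user",
            "user": m.group("user"),
            "ip": m.group("ip"),
            "user_exists": False,
            "port": int(m.group("port")) if m.group("port") else None,
        }
    m = FAILED_PASSWORD.search(line)
    if m:
        return {
            "kind": "failed_password",
            "user": m.group("user"),
            "ip": m.group("ip"),
            "user_exists": m.group("unknown") is None,
            "port": int(m.group("port")),
        }
    return None


def summarize(log_text):
    """Aggregate failed attempts per source address, split by whether the account exists."""
    per_ip = defaultdict(
        lambda: {"attempts": 0, "existing_users": set(), "nonexistent_users": set()}
    )
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # successful logins and unrelated syslog lines are ignored
        entry = per_ip[event["ip"]]
        entry["attempts"] += 1
        bucket = "existing_users" if event["user_exists"] else "nonexistent_users"
        entry[bucket].add(event["user"])
    return dict(per_ip)


def noisy_sources(summary, threshold=3):
    """Source addresses with at least `threshold` failed attempts (threshold is an assumed value)."""
    return sorted(ip for ip, entry in summary.items() if entry["attempts"] >= threshold)


def abuse_summary(summary, ip):
    """One-line count-only summary for a given source, without echoing local usernames."""
    entry = summary[ip]
    return (
        f"{ip}: {entry['attempts']} failed SSH logins, "
        f"{len(entry['nonexistent_users'])} nonexistent and "
        f"{len(entry['existing_users'])} existing account name(s) tried"
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    for source in noisy_sources(report):
        print(abuse_summary(report, source))
```

`abuse_summary` deliberately reports counts rather than the account names tried, which is one way to answer the disclosure question raised in the mail: a hoster's abuse desk needs the source address, timestamps and volume to act, not the list of local usernames that exist on your host. Run against a real auth.log, the same functions work unchanged on the classic "Illegal user" lines and on the "Invalid user" lines of current OpenSSH.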