Date: Mon, 03 Oct 2005 13:00:33 +0200 From: Clemens Renner <claim@rinux.net> To: freebsd-security@freebsd.org Subject: Re: Repeated attacks via SSH Message-ID: <43410F51.5010607@rinux.net> In-Reply-To: <20051003145046.A30969@plexi.pun-pun.prv> References: <6.2.3.4.2.20051002153930.07a50528@localhost> <20051003145046.A30969@plexi.pun-pun.prv>
next in thread | previous in thread | raw e-mail | index | archive | help
Tod McQuillin wrote: > What happens is that there are two kinds of messages from ssh in > /var/log/auth.log. When an attacker tries a nonexistent user, you get > > Oct 2 13:00:03 plexi sshd[79194]: Illegal user bob from 83.142.49.11 > > When an attacker tries an existing user, you get > > Oct 2 13:01:47 plexi sshd[79286]: Failed password for www from > 83.142.49.11 port 42480 ssh2 I happen to see different entries in my daily security run output: Failed password for illegal user qscand from 217.20.119.212 port 50657 ssh2 So I guess I am noticed about both kinds of attacks. By the way, does anyone of you see a threat in disclosing this kind of log output to the network abuse departments of the corresponding hosters? Often, I encounter intrusion attempts from rented servers where there is an authority above the abuser able to step in. And --on an unrelated matter-- funny to see that we even have trolls here. :) Cheers Clemens
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43410F51.5010607>