On Mar 13, 2006, at 6:43 AM, Dominik Składanowski wrote:
Hello list.
Today I saw something strange in the logs of one of my servers. Part of /var/log/security:
Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:x.x.x.x
Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:x.x.x.x
Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:x.x.x.x
"abcdefgh" is my username on a different machine in another domain; x.x.x.x is my workstation. Yesterday, I logged into the machine where my login is "abcdefgh" from x.x.x.x, but not into the "server".
Does anybody have an idea?
looks like a dictionary attack to me; i get these all the time, sometimes with sufficient intensity that they crash my gateway router (boo!). these have been discussed recently on-list:
1) consider running sshd on a nonstandard port to dodge the bulk of this
2) consider using port knocking (i think i remember apf being one suggested package)
3) make sure you haven't enabled ssh login for any of the generic account names they use, and make sure your passwords are strong
-steve
--- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
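
The log excerpt in the question shows rejected usernames from one source that grow one character at a time, which is a different shape from a list of generic account names. The following is an added example, not part of the original thread: it parses sshd "Invalid user" lines in the quoted format and flags sources whose rejected names form such a prefix chain. The sample log, both addresses, and the `min_chain` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# sshd line format quoted in the post; ::ffff: is the IPv4-mapped IPv6 prefix.
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s"
                     r"Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<src>\S+)$")

# Constructed sample input; both addresses are documentation-range placeholders.
SAMPLE = """\
Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:192.0.2.10
Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:192.0.2.10
Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:192.0.2.10
Mar 12 15:03:10 server sshd[28601]: Invalid user admin from ::ffff:198.51.100.7
Mar 12 15:03:12 server sshd[28603]: Invalid user test from ::ffff:198.51.100.7
Mar 12 15:03:15 server sshd[28605]: Invalid user guest from ::ffff:198.51.100.7
""".splitlines()

def invalid_users_by_source(lines):
    """Map each source address to the usernames sshd rejected from it."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            by_src[m.group("src")].append(m.group("user"))
    return dict(by_src)

def longest_prefix_chain(users):
    """Longest sequence of names in which each is a proper prefix of the next."""
    chains = {}  # name -> longest chain ending at that name
    for name in sorted(set(users), key=len):
        shorter = [c for p, c in chains.items() if name.startswith(p)]
        chains[name] = max(shorter, key=len, default=[]) + [name]
    return max(chains.values(), key=len, default=[])

def flag_prefix_enumeration(lines, min_chain=4):
    """Sources whose rejected names form a chain >= min_chain (assumed threshold)."""
    flagged = {}
    for src, users in invalid_users_by_source(lines).items():
        chain = longest_prefix_chain(users)
        if len(chain) >= min_chain:
            flagged[src] = chain
    return flagged

if __name__ == "__main__":
    print(flag_prefix_enumeration(SAMPLE))
```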