Mike Leone on 26 Apr 2005 14:13:24 -0000



[PLUG] Increase in SSH break-in attempts?


Anybody else noticing an increase lately, in the number of break-in attempts
via SSH? I'm seeing more and more things like this, over the last few weeks:


----- Forwarded message from logcheck@localhost -----

> Date: Tue, 26 Apr 2005 10:02:16 -0400 (EDT)
> From: logcheck@localhost
> To: root@localhost
> Subject: mail 2005-04-26 10:02 Security Events
> 
> This email is sent by logcheck. If you wish to no-longer receive it,
> you can either deinstall the logcheck package or modify its
> configuration file (/etc/logcheck/logcheck.conf).
> 
> Security Events
> =-=-=-=-=-=-=-=
> Apr 26 09:16:41 mail sshd[23067]: (pam_securetty) access denied: tty 'ssh' is not secure !
> Apr 26 09:46:37 mail sshd[23206]: Failed password for illegal user jordan from 72.21.36.122 port 57322 ssh2
> Apr 26 09:46:39 mail sshd[23208]: Failed password for illegal user michael from 72.21.36.122 port 57420 ssh2
> Apr 26 09:46:40 mail sshd[23210]: Failed password for illegal user nicole from 72.21.36.122 port 57453 ssh2
> Apr 26 09:46:41 mail sshd[23212]: Failed password for illegal user daniel from 72.21.36.122 port 57491 ssh2
> Apr 26 09:46:42 mail sshd[23214]: Failed password for illegal user andrew from 72.21.36.122 port 57521 ssh2
> Apr 26 09:46:44 mail sshd[23216]: Failed password for illegal user magic from 72.21.36.122 port 57563 ssh2
> Apr 26 09:46:45 mail sshd[23218]: Failed password for illegal user lion from 72.21.36.122 port 57598 ssh2
> Apr 26 09:46:46 mail sshd[23220]: Failed password for illegal user david from 72.21.36.122 port 57633 ssh2
> Apr 26 09:46:48 mail sshd[23222]: Failed password for illegal user jason from 72.21.36.122 port 57668 ssh2
> Apr 26 09:46:49 mail sshd[23224]: Failed password for illegal user carmen from 72.21.36.122 port 57706 ssh2
> Apr 26 09:46:50 mail sshd[23226]: Failed password for illegal user justin from 72.21.36.122 port 57740 ssh2
> Apr 26 09:46:52 mail sshd[23228]: Failed password for illegal user charlie from 72.21.36.122 port 57781 ssh2
> Apr 26 09:46:53 mail sshd[23230]: Failed password for illegal user steven from 72.21.36.122 port 57814 ssh2
> Apr 26 09:46:54 mail sshd[23232]: Failed password for illegal user brandon from 72.21.36.122 port 57841 ssh2
> Apr 26 09:46:56 mail sshd[23234]: Failed password for illegal user brian from 72.21.36.122 port 57880 ssh2
> Apr 26 09:46:57 mail sshd[23236]: Failed password for illegal user stephen from 72.21.36.122 port 57916 ssh2
> Apr 26 09:46:58 mail sshd[23238]: Failed password for illegal user william from 72.21.36.122 port 57950 ssh2
> Apr 26 09:47:00 mail sshd[23240]: Failed password for illegal user angel from 72.21.36.122 port 57986 ssh2
> Apr 26 09:47:01 mail sshd[23242]: Failed password for illegal user emily from 72.21.36.122 port 58021 ssh2
> Apr 26 09:47:03 mail sshd[23244]: Failed password for illegal user eric from 72.21.36.122 port 58062 ssh2
> Apr 26 09:47:04 mail sshd[23246]: Failed password for illegal user joe from 72.21.36.122 port 58093 ssh2
> Apr 26 09:47:05 mail sshd[23248]: Failed password for illegal user tom from 72.21.36.122 port 58126 ssh2
> Apr 26 09:47:07 mail sshd[23250]: Failed password for illegal user billy from 72.21.36.122 port 58157 ssh2
> Apr 26 09:47:08 mail sshd[23252]: Failed password for illegal user buddy from 72.21.36.122 port 58198 ssh2
> Apr 26 09:47:09 mail sshd[23254]: Failed password for illegal user jeremy from 72.21.36.122 port 58230 ssh2
> Apr 26 09:47:10 mail sshd[23256]: Failed password for illegal user vampire from 72.21.36.122 port 58264 ssh2
> Apr 26 09:47:12 mail sshd[23258]: Failed password for illegal user betty from 72.21.36.122 port 58298 ssh2
> Apr 26 09:47:13 mail sshd[23260]: Failed password for illegal user max from 72.21.36.122 port 58332 ssh2
> Apr 26 09:47:14 mail sshd[23262]: Failed password for illegal user nicholas from 72.21.36.122 port 58367 ssh2
> Apr 26 09:47:16 mail sshd[23264]: Failed password for illegal user robin from 72.21.36.122 port 58403 ssh2
> Apr 26 09:47:17 mail sshd[23266]: Failed password for illegal user johnny from 72.21.36.122 port 58433 ssh2
> Apr 26 09:47:18 mail sshd[23268]: Failed password for illegal user lucy from 72.21.36.122 port 58470 ssh2
> Apr 26 09:47:20 mail sshd[23270]: Failed password for illegal user maria from 72.21.36.122 port 58506 ssh2
> Apr 26 09:47:21 mail sshd[23272]: Failed password for illegal user rose from 72.21.36.122 port 58542 ssh2
> Apr 26 09:47:22 mail sshd[23274]: Failed password for mail from 72.21.36.122 port 58576 ssh2
> Apr 26 09:47:24 mail sshd[23276]: Failed password for illegal user god from 72.21.36.122 port 58613 ssh2
> Apr 26 09:47:25 mail sshd[23278]: Failed password for illegal user barbara from 72.21.36.122 port 58650 ssh2
> Apr 26 09:47:26 mail sshd[23280]: Failed password for illegal user larisa from 72.21.36.122 port 58683 ssh2
> Apr 26 09:47:28 mail sshd[23282]: Failed password for illegal user jane from 72.21.36.122 port 58723 ssh2
> Apr 26 09:47:29 mail sshd[23284]: Failed password for illegal user dog from 72.21.36.122 port 58752 ssh2
> Apr 26 09:47:30 mail sshd[23286]: Failed password for illegal user sparc from 72.21.36.122 port 58781 ssh2
> Apr 26 09:47:31 mail sshd[23288]: Failed password for illegal user credit from 72.21.36.122 port 58812 ssh2
> Apr 26 09:47:33 mail sshd[23290]: Failed password for illegal user info from 72.21.36.122 port 58843 ssh2
> Apr 26 09:47:34 mail sshd[23292]: Failed password for illegal user manager from 72.21.36.122 port 58871 ssh2
> Apr 26 09:47:35 mail sshd[23294]: Failed password for illegal user horse from 72.21.36.122 port 58897 ssh2
> Apr 26 09:47:36 mail sshd[23296]: Failed password for illegal user nokia from 72.21.36.122 port 58928 ssh2
> Apr 26 09:47:38 mail sshd[23298]: Failed password for illegal user tv from 72.21.36.122 port 58955 ssh2
> Apr 26 09:47:39 mail sshd[23300]: Failed password for illegal user connect from 72.21.36.122 port 58980 ssh2
> Apr 26 09:47:40 mail sshd[23302]: Failed password for illegal user fire from 72.21.36.122 port 59017 ssh2
> Apr 26 09:47:42 mail sshd[23304]: Failed password for illegal user local from 72.21.36.122 port 59046 ssh2
> Apr 26 09:47:43 mail sshd[23306]: Failed password for illegal user host from 72.21.36.122 port 59074 ssh2
> Apr 26 09:47:44 mail sshd[23308]: Failed password for illegal user billy from 72.21.36.122 port 59107 ssh2
> Apr 26 09:47:45 mail sshd[23310]: Failed password for illegal user yoyo from 72.21.36.122 port 59134 ssh2
> Apr 26 09:47:47 mail sshd[23312]: Failed password for illegal user victor from 72.21.36.122 port 59171 ssh2
> Apr 26 09:47:48 mail sshd[23314]: Failed password for illegal user fbi from 72.21.36.122 port 59201 ssh2
> Apr 26 09:47:49 mail sshd[23316]: Failed password for illegal user mark from 72.21.36.122 port 59235 ssh2
> Apr 26 09:47:51 mail sshd[23318]: Failed password for illegal user william from 72.21.36.122 port 59269 ssh2
> Apr 26 09:47:52 mail sshd[23321]: Failed password for illegal user patrick from 72.21.36.122 port 59302 ssh2
> 
> System Events
> =-=-=-=-=-=-=
> Apr 26 09:29:17 mail sshd[23145]: Did not receive identification string from 72.21.36.122
> Apr 26 09:46:36 mail sshd[23206]: Illegal user jordan from 72.21.36.122

<SNIP>

You get the idea.

I'm up to date on patches, I believe, especially for SSH. Some new hot thing
among script kiddies? Or have I just not noticed, since I haven't been
running logcheck until recently?


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
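
One way to triage a report like the one forwarded above, as an added example (not part of the original message or of logcheck): group failed sshd password attempts by source address and flag sources that try many distinct user names in quick succession. The function names, the thresholds, the assumed log year and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sshd format quoted above; addresses are from the
# documentation ranges. Newer OpenSSH says "invalid user", not "illegal user".
SAMPLE = """\
Apr 26 09:46:37 mail sshd[101]: Failed password for illegal user jordan from 203.0.113.7 port 57322 ssh2
Apr 26 09:46:39 mail sshd[102]: Failed password for illegal user michael from 203.0.113.7 port 57420 ssh2
Apr 26 09:46:40 mail sshd[103]: Failed password for illegal user nicole from 203.0.113.7 port 57453 ssh2
Apr 26 09:46:41 mail sshd[104]: Failed password for mail from 203.0.113.7 port 57491 ssh2
Apr 26 09:46:42 mail sshd[105]: Failed password for invalid user daniel from 203.0.113.7 port 57521 ssh2
Apr 26 09:50:10 mail sshd[106]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Apr 26 09:53:00 mail sshd[107]: Accepted password for alice from 198.51.100.20 port 40177 ssh2
"""

# The user name is attacker-supplied, so match it greedily and anchor on the
# daemon-written tail: the last " from <addr> port <n> ssh2" is the real one.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>.+) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$")

def summarize(lines, year=2005):
    """Group failed sshd password attempts by source address."""
    stats = defaultdict(lambda: {"users": set(), "unknown": 0, "times": []})
    for line in lines:
        m = FAILED.match(line.lstrip("> "))  # tolerate mail-quoted lines
        if not m:
            continue
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["unknown"] += bool(m["unknown"])   # names with no local account
        # syslog omits the year, so the caller supplies it (assumed: 2005)
        s["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return dict(stats)

def username_guessers(stats, min_users=4, max_seconds_per_try=5.0):
    """Sources that tried many distinct names in quick succession."""
    flagged = []
    for ip, s in stats.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        pace = span / max(len(s["times"]) - 1, 1)
        if len(s["users"]) >= min_users and pace <= max_seconds_per_try:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(username_guessers(summarize(SAMPLE.splitlines())))
```

A single mistyped password from a known user, like the second source in the sample, stays below both thresholds and is not flagged.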