James Kelly on 26 Apr 2005 14:37:51 -0000



Re: [PLUG] Increase in SSH break-in attempts?



It's likely one of the ssh worm variants.  All the more reason for
strict password controls.

Chris wrote:
| I always thought this was rather common. When I check our logs I see 30 or
| 40 attempts within a minute trying random usernames about once or twice a
| day. So far I have chalked it up to script kiddies or some other vain
| attempt to find an easy way inside. I was surprised to learn our webhost
| (Verio) just recently is disabling remote root login over SSH. Thankfully we
| already standardized disabling our root logins but I would hate to think of
| all those people who didn't AND have easily cracked usernames/passwords.
|
|
| Chris.
|
| -----Original Message-----
| From: plug-bounces@lists.phillylinux.org
| [mailto:plug-bounces@lists.phillylinux.org] On Behalf Of Mike Leone
| Sent: Tuesday, April 26, 2005 10:11 AM
| To: PLUG ML
| Subject: [PLUG] Increase in SSH break-in attempts?
|
| Anybody else noticing an increase lately, in the number of break-in attempts
| via SSH? I'm seeing more and more things like this, over the last few weeks:
|
|
| ----- Forwarded message from logcheck@localhost -----
|
|
|>Date: Tue, 26 Apr 2005 10:02:16 -0400 (EDT)
|>From: logcheck@localhost
|>To: root@localhost
|>Subject: mail 2005-04-26 10:02 Security Events
|>
|>This email is sent by logcheck. If you wish to no-longer receive it,
|>you can either deinstall the logcheck package or modify its
|>configuration file (/etc/logcheck/logcheck.conf).
|>
|>Security Events
|>=-=-=-=-=-=-=-=
|>Apr 26 09:16:41 mail sshd[23067]: (pam_securetty) access denied: tty 'ssh' is not secure !
|>Apr 26 09:46:37 mail sshd[23206]: Failed password for illegal user jordan from 72.21.36.122 port 57322 ssh2
|>Apr 26 09:46:39 mail sshd[23208]: Failed password for illegal user michael from 72.21.36.122 port 57420 ssh2
|>Apr 26 09:46:40 mail sshd[23210]: Failed password for illegal user nicole from 72.21.36.122 port 57453 ssh2
|>Apr 26 09:46:41 mail sshd[23212]: Failed password for illegal user daniel from 72.21.36.122 port 57491 ssh2
|>Apr 26 09:46:42 mail sshd[23214]: Failed password for illegal user andrew from 72.21.36.122 port 57521 ssh2
|>Apr 26 09:46:44 mail sshd[23216]: Failed password for illegal user magic from 72.21.36.122 port 57563 ssh2
|>Apr 26 09:46:45 mail sshd[23218]: Failed password for illegal user lion from 72.21.36.122 port 57598 ssh2
|>Apr 26 09:46:46 mail sshd[23220]: Failed password for illegal user david from 72.21.36.122 port 57633 ssh2
|>Apr 26 09:46:48 mail sshd[23222]: Failed password for illegal user jason from 72.21.36.122 port 57668 ssh2
|>Apr 26 09:46:49 mail sshd[23224]: Failed password for illegal user carmen from 72.21.36.122 port 57706 ssh2
|>Apr 26 09:46:50 mail sshd[23226]: Failed password for illegal user justin from 72.21.36.122 port 57740 ssh2
|>Apr 26 09:46:52 mail sshd[23228]: Failed password for illegal user charlie from 72.21.36.122 port 57781 ssh2
|>Apr 26 09:46:53 mail sshd[23230]: Failed password for illegal user steven from 72.21.36.122 port 57814 ssh2
|>Apr 26 09:46:54 mail sshd[23232]: Failed password for illegal user brandon from 72.21.36.122 port 57841 ssh2
|>Apr 26 09:46:56 mail sshd[23234]: Failed password for illegal user brian from 72.21.36.122 port 57880 ssh2
|>Apr 26 09:46:57 mail sshd[23236]: Failed password for illegal user stephen from 72.21.36.122 port 57916 ssh2
|>Apr 26 09:46:58 mail sshd[23238]: Failed password for illegal user william from 72.21.36.122 port 57950 ssh2
|>Apr 26 09:47:00 mail sshd[23240]: Failed password for illegal user angel from 72.21.36.122 port 57986 ssh2
|>Apr 26 09:47:01 mail sshd[23242]: Failed password for illegal user emily from 72.21.36.122 port 58021 ssh2
|>Apr 26 09:47:03 mail sshd[23244]: Failed password for illegal user eric from 72.21.36.122 port 58062 ssh2
|>Apr 26 09:47:04 mail sshd[23246]: Failed password for illegal user joe from 72.21.36.122 port 58093 ssh2
|>Apr 26 09:47:05 mail sshd[23248]: Failed password for illegal user tom from 72.21.36.122 port 58126 ssh2
|>Apr 26 09:47:07 mail sshd[23250]: Failed password for illegal user billy from 72.21.36.122 port 58157 ssh2
|>Apr 26 09:47:08 mail sshd[23252]: Failed password for illegal user buddy from 72.21.36.122 port 58198 ssh2
|>Apr 26 09:47:09 mail sshd[23254]: Failed password for illegal user jeremy from 72.21.36.122 port 58230 ssh2
|>Apr 26 09:47:10 mail sshd[23256]: Failed password for illegal user vampire from 72.21.36.122 port 58264 ssh2
|>Apr 26 09:47:12 mail sshd[23258]: Failed password for illegal user betty from 72.21.36.122 port 58298 ssh2
|>Apr 26 09:47:13 mail sshd[23260]: Failed password for illegal user max from 72.21.36.122 port 58332 ssh2
|>Apr 26 09:47:14 mail sshd[23262]: Failed password for illegal user nicholas from 72.21.36.122 port 58367 ssh2
|>Apr 26 09:47:16 mail sshd[23264]: Failed password for illegal user robin from 72.21.36.122 port 58403 ssh2
|>Apr 26 09:47:17 mail sshd[23266]: Failed password for illegal user johnny from 72.21.36.122 port 58433 ssh2
|>Apr 26 09:47:18 mail sshd[23268]: Failed password for illegal user lucy from 72.21.36.122 port 58470 ssh2
|>Apr 26 09:47:20 mail sshd[23270]: Failed password for illegal user maria from 72.21.36.122 port 58506 ssh2
|>Apr 26 09:47:21 mail sshd[23272]: Failed password for illegal user rose from 72.21.36.122 port 58542 ssh2
|>Apr 26 09:47:22 mail sshd[23274]: Failed password for mail from 72.21.36.122 port 58576 ssh2
|>Apr 26 09:47:24 mail sshd[23276]: Failed password for illegal user god from 72.21.36.122 port 58613 ssh2
|>Apr 26 09:47:25 mail sshd[23278]: Failed password for illegal user barbara from 72.21.36.122 port 58650 ssh2
|>Apr 26 09:47:26 mail sshd[23280]: Failed password for illegal user larisa from 72.21.36.122 port 58683 ssh2
|>Apr 26 09:47:28 mail sshd[23282]: Failed password for illegal user jane from 72.21.36.122 port 58723 ssh2
|>Apr 26 09:47:29 mail sshd[23284]: Failed password for illegal user dog from 72.21.36.122 port 58752 ssh2
|>Apr 26 09:47:30 mail sshd[23286]: Failed password for illegal user sparc from 72.21.36.122 port 58781 ssh2
|>Apr 26 09:47:31 mail sshd[23288]: Failed password for illegal user credit from 72.21.36.122 port 58812 ssh2
|>Apr 26 09:47:33 mail sshd[23290]: Failed password for illegal user info from 72.21.36.122 port 58843 ssh2
|>Apr 26 09:47:34 mail sshd[23292]: Failed password for illegal user manager from 72.21.36.122 port 58871 ssh2
|>Apr 26 09:47:35 mail sshd[23294]: Failed password for illegal user horse from 72.21.36.122 port 58897 ssh2
|>Apr 26 09:47:36 mail sshd[23296]: Failed password for illegal user nokia from 72.21.36.122 port 58928 ssh2
|>Apr 26 09:47:38 mail sshd[23298]: Failed password for illegal user tv from 72.21.36.122 port 58955 ssh2
|>Apr 26 09:47:39 mail sshd[23300]: Failed password for illegal user connect from 72.21.36.122 port 58980 ssh2
|>Apr 26 09:47:40 mail sshd[23302]: Failed password for illegal user fire from 72.21.36.122 port 59017 ssh2
|>Apr 26 09:47:42 mail sshd[23304]: Failed password for illegal user local from 72.21.36.122 port 59046 ssh2
|>Apr 26 09:47:43 mail sshd[23306]: Failed password for illegal user host from 72.21.36.122 port 59074 ssh2
|>Apr 26 09:47:44 mail sshd[23308]: Failed password for illegal user billy from 72.21.36.122 port 59107 ssh2
|>Apr 26 09:47:45 mail sshd[23310]: Failed password for illegal user yoyo from 72.21.36.122 port 59134 ssh2
|>Apr 26 09:47:47 mail sshd[23312]: Failed password for illegal user victor from 72.21.36.122 port 59171 ssh2
|>Apr 26 09:47:48 mail sshd[23314]: Failed password for illegal user fbi from 72.21.36.122 port 59201 ssh2
|>Apr 26 09:47:49 mail sshd[23316]: Failed password for illegal user mark from 72.21.36.122 port 59235 ssh2
|>Apr 26 09:47:51 mail sshd[23318]: Failed password for illegal user william from 72.21.36.122 port 59269 ssh2
|>Apr 26 09:47:52 mail sshd[23321]: Failed password for illegal user patrick from 72.21.36.122 port 59302 ssh2
|>
|>System Events
|>=-=-=-=-=-=-=
|>Apr 26 09:29:17 mail sshd[23145]: Did not receive identification string from 72.21.36.122
|>Apr 26 09:46:36 mail sshd[23206]: Illegal user jordan from 72.21.36.122
|
|
| <SNIP>
|
| You get the idea.
|
| I'm up to date on patches, I believe, especially for SSH. Some new hot thing
| among script kiddies? Or have I just not noticed, since I haven't been
| running logcheck until recently?

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
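
The pattern in the quoted logcheck report (one source address, a new username every second or two) can be flagged mechanically. The following Python is an added example, not code from the thread: it parses sshd lines in the format quoted above and reports sources that reach assumed thresholds inside a sliding window. The function name, thresholds, default year and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd line format quoted in the thread; newer OpenSSH releases
# log "invalid user" where these 2005 logs say "illegal user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessing_runs(lines, year=2005, window=timedelta(seconds=60),
                       min_failures=10, min_users=5):
    """Return {ip: (failures, distinct_users)} for sources whose failures in
    any sliding window reach both thresholds (threshold values are assumed)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and other sshd messages
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_users:
            best = flagged.get(m["ip"], (0, 0))
            flagged[m["ip"]] = max(best, (len(q), len(users)))
    return flagged

# Constructed sample input using documentation addresses (not the thread's logs).
NAMES = ["jordan", "michael", "nicole", "daniel", "andrew", "magic",
         "lion", "david", "jason", "carmen", "justin", "charlie"]
SAMPLE = [
    f"Apr 26 09:46:{37 + i:02d} mail sshd[{23206 + 2 * i}]: Failed password for "
    f"illegal user {n} from 192.0.2.10 port {57322 + 30 * i} ssh2"
    for i, n in enumerate(NAMES)
] + [
    "Apr 26 09:47:22 mail sshd[23274]: Failed password for mail from 192.0.2.10 port 58576 ssh2",
    "Apr 26 09:50:01 mail sshd[23400]: Failed password for alice from 198.51.100.7 port 40100 ssh2",
    "Apr 26 09:50:09 mail sshd[23402]: Accepted password for alice from 198.51.100.7 port 40112 ssh2",
]

if __name__ == "__main__":
    print(find_guessing_runs(SAMPLE))
```

A single mistyped password from a legitimate user (the `alice` lines in the sample) stays below both thresholds and is not reported.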