On Monday 20,August,2012 11:33 PM, Mika Suomalainen wrote:
> On 20.08.2012 18:15, lina wrote:
>> BTW, what is the 172.21.48.161, seems in the old auth.log* also has
>> this one.
>
>> # zmore auth.log.2.gz | grep 172.21.48.161
>> Aug 5 16:05:13 Debian sshd[15369]: Did not receive identification string from 172.21.48.161
>> Aug 5 16:05:36 Debian sshd[15370]: Invalid user administrator from 172.21.48.161
>> Aug 5 16:05:36 Debian sshd[15370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.48.161
>> Aug 5 16:05:38 Debian sshd[15370]: Failed password for invalid user administrator from 172.21.48.161 port 54999 ssh2
> <...>
>
> For me it looks like a bot, which is trying to guess usernames and
> passwords to your system.
> If you had sshguard or something similar installed, you would also see
> message about that host being banned, because of failed authentications.

I have just installed sshguard. I checked the times of the connection
attempts from this IP; they are quite regular, more like some program
doing those things.

Aug 13 16:07:31
Aug 13 16:07:52
Aug 13 16:07:52
Aug 13 16:07:54
Aug 13 16:08:07
Aug 14 16:08:16
Aug 14 16:08:42
Aug 14 16:08:42
Aug 14 16:08:45
Aug 14 16:08:46
Aug 16 16:08:29
Aug 16 16:08:53
Aug 16 16:08:53
Aug 16 16:08:55
Aug 16 16:08:56
Aug 5 16:05:13
Aug 5 16:05:36
Aug 5 16:05:36
Aug 5 16:05:38
Aug 5 16:05:40
Aug 6 04:04:45
Aug 6 04:05:09
Aug 6 04:05:09
Aug 6 04:05:10
Aug 6 04:05:11
Aug 6 16:06:08
Aug 6 16:06:29
Aug 6 16:06:29
Aug 6 16:06:31
Aug 6 16:06:32
Aug 7 04:04:44
Aug 7 04:05:07
Aug 7 04:05:07
Aug 7 04:05:09
Aug 7 04:05:23
Jul 29 16:07:53
Jul 29 16:08:14
Jul 29 16:08:14
Jul 29 16:08:15
Jul 29 16:08:22
Aug 2 16:07:50
Aug 2 16:08:11
Aug 2 16:08:11
Aug 2 16:08:13
Aug 2 16:08:18
Aug 4 16:05:38
Aug 4 16:05:58
Aug 4 16:05:59
Aug 4 16:06:01
Aug 4 16:06:02
Aug 5 04:04:42
Aug 5 04:05:05
Aug 5 04:05:05
Aug 5 04:05:07
Aug 5 04:05:08
Jul 27 16:10:23
Jul 27 16:10:43
Jul 27 16:10:43
Jul 27 16:10:45
Jul 27 16:10:48
Jul 28 16:08:09
Jul 28 16:08:29
Jul 28 16:08:30
Jul 28 16:08:31
Jul 28 16:08:32
Jul 29 04:06:20
Jul 29 04:06:43
Jul 29 04:06:43
Jul 29 04:06:46
Jul 29 04:06:47

Thanks again,

>
>> Thanks again,
>
> You're welcome :)
>
>

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/50325992.1060...@gmail.com
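
The regularity described in the reply above can be measured from auth.log itself. The Python below is an added example, not part of the original thread: it groups one source's sshd events into bursts, folds the burst start times onto a 12-hour period, and reports how tightly they cluster and whether the source is a private address. The year 2012 (taken from the mail date), the 5-minute burst gap, the 12-hour period and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Greedy ".*" picks the LAST "from"/"rhost=" on the line, so an address-like
# string typed into the username field cannot stand in for the real source.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r".*(?:from |rhost=)(\d+\.\d+\.\d+\.\d+)")

def bursts(lines, ip, year=2012, gap=timedelta(minutes=5)):
    """Group sshd events from `ip` into bursts separated by more than `gap`."""
    times = sorted(
        # syslog lines carry no year; `year` is supplied by the caller.
        datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for m in map(LINE.match, lines) if m and m.group(2) == ip)
    groups = []
    for t in times:
        if groups and t - groups[-1][-1] <= gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups

def phase_spread(groups, period=timedelta(hours=12)):
    """Seconds spanned by burst start times once folded onto `period`."""
    if not groups:
        return None
    p = period.total_seconds()
    phases = sorted((g[0].hour * 3600 + g[0].minute * 60 + g[0].second) % p
                    for g in groups)
    # Circular range: the period minus the largest empty arc between phases.
    arcs = [b - a for a, b in zip(phases, phases[1:])]
    arcs.append(phases[0] + p - phases[-1])
    return p - max(arcs)

# Constructed sample: timestamps and message text come from the thread; the
# PID is reused and the 192.0.2.10 line is invented as unrelated noise.
STAMPS = ["Aug  5 04:04:42", "Aug  5 04:05:05", "Aug  5 04:05:08",
          "Aug  5 16:05:13", "Aug  5 16:05:36", "Aug  5 16:05:40",
          "Aug  6 04:04:45", "Aug  6 04:05:09", "Aug  6 16:06:08", "Aug  6 16:06:32"]
SAMPLE = [f"{s} Debian sshd[15370]: Failed password for invalid user administrator"
          " from 172.21.48.161 port 54999 ssh2" for s in STAMPS]
SAMPLE.append("Aug  5 09:30:00 Debian sshd[15400]: Invalid user test from 192.0.2.10")

def summarize(lines, ip):
    groups = bursts(lines, ip)
    return {"bursts": len(groups), "events": sum(map(len, groups)),
            "private_source": ip_address(ip).is_private,
            "phase_spread_s": phase_spread(groups)}

if __name__ == "__main__":
    print(summarize(SAMPLE, "172.21.48.161"))
```

A spread of a minute or two against a 12-hour period points to a scheduled job rather than a person, and a private source address means the job runs on a host inside the same network.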