Hi,

Probably, what you have seen is a brute force attack against your sshd. Unfortunately, this kind of attack still works.

Regards,
Cordeiro

On Wednesday April 6 2005 12:49, Martin McCormick <[EMAIL PROTECTED]> wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification
> string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
> user anonymous
> Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user
> anonymous from 67.19.58.170 port 32942 ssh2
> Apr 6 05:49:42 dc sshd[12389]: Received disconnect from
> 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal
> user bruce
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
> bruce from 67.19.58.170 port 32983 ssh2
> Apr 6 05:49:42 dc sshd[12406]: Received disconnect from
> 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal
> user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
>
> This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
>
> I notice from the syslog servers, here, that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system so whatever script it is is probably just
> trolling our network, looking for anything that answers.
>
> Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Information Technology Division Network Operations Group
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
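
Added example, not part of either message: one way to pick bursts like the one quoted above out of syslog, by counting "Failed password" lines per source address inside a sliding time window. The function name, threshold, window and the two sample lines marked as constructed are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two lines from the quoted log (wrapped lines rejoined), plus two constructed ones.
SAMPLE = """\
Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr 6 05:49:42 dc sshd[12422]: Failed password for illegal user chuck from 67.19.58.170 port 33001 ssh2
Apr 6 05:55:10 dc sshd[12500]: Failed password for alice from 192.0.2.10 port 40000 ssh2
"""
# Line 3 (chuck failure) and line 4 (single mistyped password) are constructed.

# Older sshd logs "illegal user"; current OpenSSH logs "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(\S+) from (\S+) port \d+"
)

def find_bursts(lines, year=2005, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted usernames tried} for every source with at
    least `threshold` failed logins inside any `window`-long interval."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # banners, disconnects and other messages are ignored
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events[m.group(3)].append((ts, m.group(2)))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_bursts(SAMPLE.splitlines()).items():
        print(f"{ip}: burst of failed logins, names tried: {', '.join(users)}")
```

The flagged addresses can then be fed to whatever rate limit or packet filter table the site already uses.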