Illegal user ssh probes

From: Frank Hamersley (terabite_at_bigpond.com)
Date: 09/25/04

  • Next message: Victor Danilchenko: "Re: OpenSSH -- a way to block recurrent login failures?"
    To: "Ssh List (E-mail)" <secureshell@securityfocus.com>
    Date: Sat, 25 Sep 2004 17:39:50 +1000
    
    

    On examining /var/log/secure for several firewalls I manage remotely using
    ssh I have observed a recurrent pattern of probing over the last several
    that attempts to connect using user IDs in the following order...

    test / guest / admin / admin / user / test

    We are using SSH 2 RSA key ONLY authentication, i.e. password based login is
    not accepted, and none of these user profiles exist on the host so I am not
    too concerned.

    However I am wondering if anyone has characterised the probe and/or
    performed a risk assessment/analysis? The rate of probes is very low so I
    don't think there is a DoS attack just yet!

    Is it worth reporting the behaviour to the net block assignees in case they
    aren't aware their server might be compromised?

    Is anybody else seeing this?

    Regards, Frank.
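
One way to characterise the probe described above from /var/log/secure, as an added example that is not part of the original post: it groups sshd unknown-user lines by source address and counts complete runs of the reported username order. The log line format ("Illegal user ... from ...", "Invalid user" in newer OpenSSH), the function names and the sample lines are assumptions; the sample is constructed and uses documentation addresses.

```python
import re
from collections import defaultdict

# Username order reported in the post.
SIGNATURE = ["test", "guest", "admin", "admin", "user", "test"]

# sshd logs unknown accounts as "Illegal user ..." (older OpenSSH) or
# "Invalid user ..." (newer OpenSSH); anchoring on the sshd tag skips
# "Failed password for illegal user ..." lines for the same attempt.
UNKNOWN_USER = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")

def attempts_by_source(lines):
    """Map source address -> usernames tried, in log order."""
    tried = defaultdict(list)
    for line in lines:
        m = UNKNOWN_USER.search(line)
        if m:
            user, source = m.groups()
            tried[source].append(user)
    return dict(tried)

def count_signature(users, signature=SIGNATURE):
    """Count non-overlapping contiguous runs of signature in users."""
    hits, i, n = 0, 0, len(signature)
    while i + n <= len(users):
        if users[i:i + n] == signature:
            hits, i = hits + 1, i + n
        else:
            i += 1
    return hits

def probe_sources(lines):
    """Return {source: complete signature runs}, omitting sources with none."""
    counts = {s: count_signature(u) for s, u in attempts_by_source(lines).items()}
    return {s: c for s, c in counts.items() if c}

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = [
    f"Sep 25 03:1{i}:01 fw1 sshd[{2100 + i}]: Illegal user {u} from 192.0.2.10"
    for i, u in enumerate(SIGNATURE)
] + [
    "Sep 25 03:10:03 fw1 sshd[2100]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2",
    "Sep 25 03:20:00 fw1 sshd[2200]: Illegal user oracle from 198.51.100.7",
    "Sep 25 03:21:00 fw1 sshd[2201]: Accepted publickey for operator from 203.0.113.5 port 50022 ssh2",
]

if __name__ == "__main__":
    print(probe_sources(SAMPLE_LOG))
```

Grouping by source keeps interleaved probes from different hosts apart, so the per-source counts can be compared across the firewalls' logs.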

