Illegal user ssh probes
From: Frank Hamersley (terabite_at_bigpond.com)
To: "Ssh List (E-mail)" <email@example.com>
Date: Sat, 25 Sep 2004 17:39:50 +1000
On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user IDs in the following order...
test / guest / admin / admin / user / test
We are using SSH 2 RSA key ONLY authentication, i.e. password-based login is
not accepted, and none of these user profiles exist on the host so I am not
However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis? The rate of probes is very low so I
don't think there is a DoS attack just yet!
Is it worth reporting the behaviour to the net block assignees in case they
aren't aware their server might be compromised?
Is anybody else seeing this?