RE: Illegal user ssh probes
mghofran_at_caregroup.harvard.edu
Date: 09/28/04
To: terabite@bigpond.com, secureshell@securityfocus.com
Date: Tue, 28 Sep 2004 07:06:29 -0400
I have seen the same behavior and am monitoring it closely. I actually reported
the incidents to various "net abuse" departments without any success.
PS. Does anyone know how to allow/deny a certain range of IPs short of
installing other software, just the same way as /var/adm/inetd.sec works in
HP-UX?
Matthew Ghofrani
Boston, MA
-----Original Message-----
From: Frank Hamersley [mailto:terabite@bigpond.com]
Sent: Saturday, September 25, 2004 3:40 AM
To: Ssh List (E-mail)
Subject: Illegal user ssh probes
On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user IDs in the following order...
test / guest / admin / admin / user / test
We are using SSH 2 RSA key ONLY authentication, i.e. password-based login is
not accepted, and none of these user profiles exist on the host so I am not
too concerned.
However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis? The rate of probes is very low so I
don't think there is a DoS attack just yet!
Is it worth reporting the behaviour to the net block assignees in case they
aren't aware their server might be compromised?
Is anybody else seeing this?
Regards, Frank.