RE: Illegal user ssh probes
To: email@example.com, firstname.lastname@example.org
Date: Tue, 28 Sep 2004 07:06:29 -0400
I have seen the same behavior and am monitoring it closely. I actually reported
the incidents to various "net abuse" departments without any success.
PS. Does anyone know how to allow/deny a certain range of IPs short of
installing other software, just the same way as /var/adm/inetd.sec works in
From: Frank Hamersley [mailto:email@example.com]
Sent: Saturday, September 25, 2004 3:40 AM
To: Ssh List (E-mail)
Subject: Illegal user ssh probes
On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user IDs in the following order...
test / guest / admin / admin / user / test
We are using SSH 2 RSA key ONLY authentication, i.e. password based login is
not accepted, and none of these user profiles exist on the host so I am not
However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis? The rate of probes is very low so I
don't think there is a DoS attack just yet!
Is it worth reporting the behaviour to the net block assignees in case they
aren't aware their server might be compromised?
Is anybody else seeing this?
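
An added example, not part of the original messages: one way to check a log such as /var/log/secure for the username order described above, grouped per source address so that interleaved attempts from other hosts do not hide it. The sshd line format, the sample lines and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Username order reported in the post.
PROBE_SEQUENCE = ["test", "guest", "admin", "admin", "user", "test"]

# Assumed sshd line for a login attempt with a nonexistent account. Older
# OpenSSH releases log "Illegal user", newer ones "Invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)

def attempts_by_source(lines):
    """Return {source_ip: [usernames tried, in log order]}."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group("ip")].append(m.group("user"))
    return dict(seen)

def contains_sequence(users, pattern=PROBE_SEQUENCE):
    """True if pattern occurs as a contiguous run inside users."""
    n = len(pattern)
    return any(users[i:i + n] == pattern for i in range(len(users) - n + 1))

def matching_sources(lines):
    """Sorted source addresses whose attempts contain the full sequence."""
    by_ip = attempts_by_source(lines)
    return sorted(ip for ip, users in by_ip.items() if contains_sequence(users))

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
Sep 25 03:12:01 fw1 sshd[2101]: Illegal user test from 192.0.2.10
Sep 25 03:12:04 fw1 sshd[2102]: Illegal user guest from 192.0.2.10
Sep 25 03:12:05 fw1 sshd[2103]: Illegal user test from 198.51.100.7
Sep 25 03:12:07 fw1 sshd[2104]: Illegal user admin from 192.0.2.10
Sep 25 03:12:09 fw1 sshd[2105]: Illegal user guest from 198.51.100.7
Sep 25 03:12:10 fw1 sshd[2106]: Illegal user admin from 192.0.2.10
Sep 25 03:12:12 fw1 sshd[2107]: Accepted publickey for operator from 203.0.113.5 port 40000 ssh2
Sep 25 03:12:13 fw1 sshd[2108]: Illegal user user from 192.0.2.10
Sep 25 03:12:15 fw1 sshd[2109]: Illegal user admin from 198.51.100.7
Sep 25 03:12:16 fw1 sshd[2110]: Illegal user test from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for ip in matching_sources(SAMPLE_LOG):
        print(f"{ip}: full probe sequence seen")
```

A source that tried only part of the list, such as 198.51.100.7 in the sample, is not reported; compare against a shorter prefix of the sequence to catch those as well.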