RE: Illegal user ssh probes

mghofran_at_caregroup.harvard.edu
Date: 09/28/04

    To: terabite@bigpond.com, secureshell@securityfocus.com
    Date: Tue, 28 Sep 2004 07:06:29 -0400
    
    

    I have seen the same behavior and am monitoring it closely. I actually reported
    the incidents to various "net abuse" departments without any success.

    PS. Does anyone know how to allow/deny a certain range of IPs, short of
    installing other software, in the same way that /var/adm/inetd.sec works in
    HP-UX?

    Matthew Ghofrani
    Boston, MA

    -----Original Message-----
    From: Frank Hamersley [mailto:terabite@bigpond.com]
    Sent: Saturday, September 25, 2004 3:40 AM
    To: Ssh List (E-mail)
    Subject: Illegal user ssh probes

    On examining /var/log/secure for several firewalls I manage remotely using
    ssh I have observed a recurrent pattern of probing over the last several
    that attempts to connect using user IDs in the following order...

    test / guest / admin / admin / user / test

    We are using SSH 2 RSA key ONLY authentication, i.e. password based login is
    not accepted, and none of these user profiles exist on the host, so I am not
    too concerned.

    However, I am wondering if anyone has characterised the probe and/or
    performed a risk assessment/analysis? The rate of probes is very low so I
    don't think there is a DoS attack just yet!

    Is it worth reporting the behaviour to the net block assignees in case they
    aren't aware their server might be compromised?

    Is anybody else seeing this?

    Regards, Frank.

