Hello list.

Today I saw something strange in the logs of one of my servers. Part of the
/var/log/security:

Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:x.x.x.x
Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:x.x.x.x
Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:x.x.x.x
Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:x.x.x.x

"abcdefgh" is my username to the different machine in the other
domain, x.x.x.x is my workstation. Yesterday, I logged into the machine
where my login is "abcdefgh" from x.x.x.x. But not to the "server".

Does anybody have an idea?

Regards
--
_________________________________________________________________
D o m i n i k   S k ł a d a n o w s k i

--- Dominik Składanowski <dskladanowski at gmail.com> wrote:
> Hello list.
>
> Today I saw something strange in the logs of one of my servers. Part of the
> /var/log/security:
>
> Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:x.x.x.x

Look in the archives as ssh is frequently discussed.

On Mar 13, 2006, at 6:43 AM, Dominik Składanowski wrote:
> Hello list.
>
> Today I saw something strange in the logs of one of my servers. Part of the
> /var/log/security:
>
> Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:x.x.x.x
> Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:x.x.x.x
> Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:x.x.x.x
>
> "abcdefgh" is my username to the different machine in the other
> domain, x.x.x.x is my workstation. Yesterday, I logged into the machine
> where my login is "abcdefgh" from x.x.x.x. But not to the "server".
>
> Does anybody have an idea?

looks like a dictionary attack to me; i get these all the time,
sometimes with sufficient intensity that they crash my gateway router
(boo!).

these have been discussed recently on-list:

1) consider running sshd on a nonstandard port to dodge the bulk of this
2) consider using port knocking (i think i remember apf being one
   suggested package)
3) make sure you haven't enabled ssh login for any of the generic
   account names they use, and make sure your passwords are strong

-steve

---
If this were played upon a stage now, I could condemn it as an
improbable fiction. - Fabian, Twelfth Night, III,v

On Monday 13 March 2006 12:43, Dominik Składanowski wrote:
> Hello list.
>
> Today I saw something strange in the logs of one of my servers. Part of the
> /var/log/security:
>
> Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:x.x.x.x
> Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:x.x.x.x
> Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:x.x.x.x
> Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:x.x.x.x
>
> "abcdefgh" is my username to the different machine in the other
> domain, x.x.x.x is my workstation. Yesterday, I logged into the machine
> where my login is "abcdefgh" from x.x.x.x. But not to the "server".

Are you saying that you see failed logins to a server from your
workstation with a username you use elsewhere? In that case (assuming that
you're very certain you didn't do it by mistake) you may have a security
problem.

/Peter

>
> Does anybody have an idea?
>
> Regards
> --
> _________________________________________________________________
> D o m i n i k   S k ł a d a n o w s k i

--
------------------------------------------------------------
  Peter Kjellström               |
  National Supercomputer Centre  |
  Sweden                         | http://www.nsc.liu.se
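
Added example, not part of the original thread: a way to triage the log pattern quoted above by grouping sshd "Invalid user" lines per source, unwrapping the ::ffff: IPv4-mapped form, and flagging bursts whose usernames form a prefix chain (ab, abc, ... abcdefgh). The sample lines, the documentation addresses, the thresholds and the year default are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the thread. 192.0.2.10 and
# 198.51.100.7 are documentation addresses standing in for the redacted x.x.x.x.
SAMPLE_LOG = """\
Mar 12 15:01:03 server sshd[28505]: Invalid user abc from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28503]: Invalid user ab from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28507]: Invalid user abcd from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28509]: Invalid user abcde from ::ffff:192.0.2.10
Mar 12 15:01:03 server sshd[28511]: Invalid user abcdef from ::ffff:192.0.2.10
Mar 12 15:01:04 server sshd[28515]: Invalid user abcdefgh from ::ffff:192.0.2.10
Mar 12 15:01:04 server sshd[28513]: Invalid user abcdefg from ::ffff:192.0.2.10
Mar 12 16:20:11 server sshd[29001]: Invalid user test from ::ffff:198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Invalid user (?P<user>\S+) from (?P<addr>\S+)(?: port \d+)?$")

def normalize(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so both forms group together."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def is_prefix_chain(users):
    """True when every name is a prefix of the longest one (ab, abc, abcd...)."""
    names = sorted(set(users), key=len)
    return len(names) >= 3 and all(names[-1].startswith(n) for n in names)

def find_bursts(log, threshold=5, window=timedelta(seconds=10), year=2006):
    """Map source -> burst details; syslog omits the year, so it is a parameter."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_src[normalize(m["addr"])].append((ts, m["user"]))
    report = {}
    for src, events in by_src.items():
        events.sort()
        # Densest run of attempts that starts at some event and fits in `window`.
        burst = max(([u for t, u in events if t0 <= t <= t0 + window]
                     for t0, _ in events), key=len)
        if len(burst) >= threshold:
            report[src] = {"users": burst, "prefix_chain": is_prefix_chain(burst)}
    return report
```

A prefix chain ending in a name that is valid on another host, coming from an address you recognise, is the case Peter's reply singles out and is worth checking on the source machine itself.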