[svlug] SSH attempts at hacking
John Conover
conover at rahul.net
Fri Aug 20 11:45:11 PDT 2004
James Sparenberg writes:
>
> How many of you are seeing things like this?
>
> Aug 16 18:38:35 jamlin sshd[8940]: Illegal user admin from 210.177.241.201
> Aug 16 04:46:32 jamlin sshd[4163]: Failed password for illegal user admin from 168.16.147.50 port 3848 ssh2
> Aug 16 04:46:30 jamlin sshd[4163]: Illegal user admin from 168.16.147.50
> Aug 16 04:46:29 jamlin sshd[4161]: Failed password for illegal user admin from 168.16.147.50 port 3646 ssh2
> Aug 16 04:46:26 jamlin sshd[4161]: Illegal user admin from 168.16.147.50
>
>
> Not only user admin but root etc etc etc. Seems that Linux is hitting
> the high road of probe attempts of late as for my box at least (and
> others I've talked to as well.) Brute force attempts at hacking ssh are
> growing.
>
> My question is ... what if anything are any of you doing to slow this
> down or block it altogether? I know that on this box root is not
> allowed to directly log in (you have to go in as a user and su). My other
> question is ... should I just stop allowing password login altogether?
> (RSA Key only allowed. Which is what I use most of the time but
> occasionally I'm on a box that doesn't have my keys. I'm willing to go
> the hassle if it's a smart move.)
>
Quite a few have seen it; it's been discussed in the BugTraq and
Incidents mailing lists at SecurityFocus. Most seem to be coming from
infected RH servers. Consensus is that it is trying to exploit an old
vulnerability by trying to log in as admin with a null password.
John
--
John Conover, conover at rahul.net, http://www.johncon.com/
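
An added example, not part of either message above: a small Python parser for the sshd lines quoted in the thread that tallies unknown-user probes and failed passwords per source address. The function names and the `min_events` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The five sshd lines quoted in the post, with the mail line-wrapping undone.
SAMPLE_LOG = """\
Aug 16 18:38:35 jamlin sshd[8940]: Illegal user admin from 210.177.241.201
Aug 16 04:46:32 jamlin sshd[4163]: Failed password for illegal user admin from 168.16.147.50 port 3848 ssh2
Aug 16 04:46:30 jamlin sshd[4163]: Illegal user admin from 168.16.147.50
Aug 16 04:46:29 jamlin sshd[4161]: Failed password for illegal user admin from 168.16.147.50 port 3646 ssh2
Aug 16 04:46:26 jamlin sshd[4161]: Illegal user admin from 168.16.147.50
"""

# The username is chosen by the remote side, so it is matched greedily and the
# address is taken from the LAST " from " on the line, anchored at end of line.
# "Illegal user" is the wording in the post; later OpenSSH releases log "Invalid user".
PROBE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?:Illegal|Invalid) user (?P<user>.*)"
                   r" from (?P<ip>\S+)(?: port \d+)?$")
FAILED = re.compile(r"sshd\[(?P<pid>\d+)\]: Failed password for (?:(?:illegal|invalid) user )?"
                    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$")

def summarize(lines):
    """Return {ip: {"probes": n, "failed": n, "users": set, "sessions": set}}."""
    stats = defaultdict(lambda: {"probes": 0, "failed": 0,
                                 "users": set(), "sessions": set()})
    for line in lines:
        for kind, rx in (("probes", PROBE), ("failed", FAILED)):
            m = rx.search(line.rstrip())
            if m:
                entry = stats[m["ip"]]
                entry[kind] += 1
                entry["users"].add(m["user"])
                entry["sessions"].add(m["pid"])  # one sshd pid per connection
                break
    return dict(stats)

def offenders(stats, min_events=3):
    """Addresses whose probes + failed passwords reach min_events (assumed threshold)."""
    return sorted(ip for ip, s in stats.items()
                  if s["probes"] + s["failed"] >= min_events)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(ip, s["probes"], s["failed"], sorted(s["users"]), len(s["sessions"]))
    print("over threshold:", offenders(stats))
```

The resulting address list can feed whatever blocking mechanism the host already uses, such as a firewall rule set or `hosts.deny`.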