Attempted SSH Logins

From: Nathaniel Hall (halln_at_otc.edu)
Date: 08/03/04

    To: <redhat-list@redhat.com>
    Date: Tue, 3 Aug 2004 11:22:50 -0500
    
    

    Hi all.

     

    I have been monitoring our logs over the past several weeks using logwatch
    and have noticed several of these entries (known entries omitted):

     

    sshd:
       Invalid Users:
          Unknown Account: 5 Time(s)
       Authentication Failures:
          test (server.bes1.com ): 2 Time(s)
          root (server.bes1.com ): 3 Time(s)
          unknown (server.bes1.com ): 4 Time(s)

     

    The source addresses vary. I always see the same accounts from different
    addresses with a different number of tries. When I see these, there is only
    one source, never a mix of sources. The next day, it might be a different
    source, but it is the only one.

     

    Is anybody else seeing this in their logs where I shouldn't be as worried or
    is this directed at us?

     

     

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Nathaniel Hall

    Intrusion Detection and Firewall Technician

    Ozarks Technical Community College -- Office of Computer Networking

     

    halln@otc.edu

    417-799-0552

     

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
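Added example, not part of the original post: one way to check the pattern described above (one source per day failing against several account names) directly from the sshd log rather than from the logwatch summary. The log lines, host name, addresses and the `min_users` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (addresses are RFC 5737 documentation
# ranges); nothing here is taken from the original poster's logs.
SAMPLE_LOG = """\
Aug  1 03:12:01 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 4001 ssh2
Aug  1 03:12:03 host sshd[2103]: Failed password for illegal user test from 192.0.2.10 port 4002 ssh2
Aug  1 03:12:05 host sshd[2105]: Failed password for root from 192.0.2.10 port 4003 ssh2
Aug  1 09:30:44 host sshd[2290]: Accepted password for alice from 198.51.100.7 port 5100 ssh2
Aug  2 04:40:10 host sshd[3007]: Failed password for invalid user guest from 203.0.113.5 port 3900 ssh2
Aug  2 04:40:12 host sshd[3009]: Failed password for root from 203.0.113.5 port 3901 ssh2
Aug  2 11:02:19 host sshd[3150]: Failed password for alice from 198.51.100.7 port 5200 ssh2
"""

# Handles both the older "illegal user" and the newer "invalid user" wording.
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def failures_by_day(log_text):
    """Return {day: {source: {user: count}}} for failed password attempts."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            day = " ".join(m.group("day").split())  # "Aug  1" -> "Aug 1"
            table[day][m.group("src")][m.group("user")] += 1
    return table

def probing_sources(table, min_users=2):
    """Sources that failed against min_users or more distinct accounts in a day.

    A lone mistyped password from a regular user stays below the threshold.
    """
    hits = []
    for day, sources in table.items():
        for src, users in sources.items():
            if len(users) >= min_users:
                hits.append((day, src, sorted(users), sum(users.values())))
    return hits

if __name__ == "__main__":
    for day, src, users, total in probing_sources(failures_by_day(SAMPLE_LOG)):
        print(f"{day}: {src} failed {total} time(s) against {', '.join(users)}")
```
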
    
