[lug] Cracking attempts via SSH

Bill Thoen bthoen at gisnet.com
Thu Aug 19 11:45:36 MDT 2004


Back around July 26, I first started seeing unauthorized attempts to gain
access to my server via ssh. The pattern was to try accessing an account
named 'test', then 2 seconds later to try the account 'guest'. The
originating IPs were from Korea and China (of course), Italy, Russia, and
other European sources. Even one from the class B network I'm on.

Then starting Aug 9, a second pattern appeared. These attempts now look
like this (from /var/log/secure):

Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 65.37.37.15
Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 65.37.37.15
Aug 18 09:32:31 gisnet sshd[31741]: Illegal user admin from 65.37.37.15
Aug 18 09:32:33 gisnet sshd[31743]: Illegal user admin from 65.37.37.15
Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 65.37.37.15
Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from 65.37.37.15 port 4496 ssh2
Aug 18 09:32:50 gisnet sshd[31749]: Failed password for root from 65.37.37.15 port 4710 ssh2
Aug 18 09:32:55 gisnet sshd[31751]: Failed password for root from 65.37.37.15 port 4809 ssh2
Aug 18 09:32:57 gisnet sshd[31753]: Illegal user test from 65.37.37.15

So what's going on? Are script kiddies trying out something new that I
should be concerned about? What bothers me is the three tries on 'root'.  
I think I've got a decent password, but I don't know much about cracking,
so I don't know what they're capable of.

Any recommendations as to what I ought to do, or is openssh 3.5p1-6 secure 
enough?

- Bill Thoen
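Added example (not from Bill's post or the list): a small Python detector that parses the two sshd message shapes quoted above ("Illegal user ... from" and "Failed password for ... from") and flags any source address that racks up five or more failures inside a sliding 60-second window, counting root attempts separately. It assumes the log year is 2004 and uses the post's own excerpt as sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the post's /var/log/secure excerpt (the year, 2004, is assumed).
SAMPLE_LOG = """\
Aug 18 09:32:27 gisnet sshd[31737]: Illegal user test from 65.37.37.15
Aug 18 09:32:29 gisnet sshd[31739]: Illegal user guest from 65.37.37.15
Aug 18 09:32:31 gisnet sshd[31741]: Illegal user admin from 65.37.37.15
Aug 18 09:32:36 gisnet sshd[31745]: Illegal user user from 65.37.37.15
Aug 18 09:32:46 gisnet sshd[31747]: Failed password for root from 65.37.37.15 port 4496 ssh2
Aug 18 09:32:50 gisnet sshd[31749]: Failed password for root from 65.37.37.15 port 4710 ssh2
Aug 18 09:32:55 gisnet sshd[31751]: Failed password for root from 65.37.37.15 port 4809 ssh2
Aug 18 09:32:57 gisnet sshd[31753]: Illegal user test from 65.37.37.15
"""

# The two sshd message shapes in the excerpt: unknown-account probes and failed logins.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Illegal user (?P<user1>\S+)|Failed password for (?P<user2>\S+)) from (?P<ip>[\d.]+)"
)

def parse_sshd(log_text, year=2004):
    """Return [(timestamp, ip, user, is_password_failure)] for matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user1"] or m["user2"], m["user2"] is not None))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1          # drop events that fell out of the window
            if end - start + 1 >= threshold:
                users = sorted({e[2] for e in evs})
                root_fail = sum(1 for e in evs if e[2] == "root" and e[3])
                flagged[ip] = {"attempts": len(evs), "users": users, "root_failures": root_fail}
                break
    return flagged
```

On the excerpt, 65.37.37.15 is flagged with 8 attempts across five account names and 3 root password failures; a flagged source is a candidate for a firewall block or for feeding into a log-watching tool.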
