[lug] Cracking attempts via SSH

D. Stimits stimits at comcast.net
Thu Aug 19 06:04:11 MDT 2004


Bill Thoen wrote:
> Back around July 26, I first started seeing unauthorized attempts to gain
> access to my server via ssh. The pattern was to try accessing an account
> named 'test', then 2 seconds later to try the account 'guest.' The
> originating IPs were from Korea and China (of course), Italy, Russia, and
> other European sources. Even one from the class B network I'm on.
> 
> Then starting Aug 9, a second pattern appeared. These attempts now look
> like this (from /var/log/secure):

I have my system firewalled and logged against ssh, so they don't get as 
far as it shows on yours (they never reach a login prompt), but I have 
had increased ssh probes since roughly the same time you reported.

FYI, ssh exploits have in the past been one of the favorites of script 
kiddies. Make darn sure you have an updated version of ssh if there are 
any relative to your current version. It seems they have been failing on 
your system and dumb scans are just trying over and over like Bart 
Simpson trying to get in a cookie jar, but as soon as a flaw in sshd is 
discovered, you can bet the cracked machines will be updated to search 
for the newer flawed version.

D. Stimits, stimits AT comcast DOT net
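
The 'test' then 'guest' probe described in the quoted message can be picked out of /var/log/secure mechanically. The following is an added example, not part of the original post: the log excerpt from the thread is not reproduced here, so the sample lines are constructed and assume sshd's usual "Failed password for illegal user ..." syslog wording, and the function names and 5-second window are illustrative choices.

```python
import re
from datetime import datetime

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
Aug  9 03:12:01 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Aug  9 03:12:03 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40150 ssh2
Aug  9 04:00:00 host sshd[2200]: Failed password for bill from 198.51.100.7 port 51000 ssh2
Aug  9 05:30:10 host sshd[2301]: Failed password for illegal user test from 203.0.113.5 port 33001 ssh2
Aug  9 05:45:10 host sshd[2302]: Failed password for illegal user guest from 203.0.113.5 port 33002 ssh2
"""

# Assumed message format; "invalid user" is the wording in newer OpenSSH releases.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2004):
    """Yield (timestamp, user, ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_probe_pairs(log_text, first="test", second="guest", window=5):
    """Return [(ip, seconds_apart)] where `second` follows `first`
    from the same source IP within `window` seconds."""
    last_first = {}  # ip -> time of the most recent `first` attempt
    hits = []
    for ts, user, ip in parse(log_text):
        if user == first:
            last_first[ip] = ts
        elif user == second and ip in last_first:
            gap = (ts - last_first.pop(ip)).total_seconds()
            if 0 <= gap <= window:
                hits.append((ip, int(gap)))
    return hits

if __name__ == "__main__":
    for ip, gap in find_probe_pairs(SAMPLE_LOG):
        print(f"{ip}: test -> guest probe, {gap}s apart")
```

The source addresses it reports are candidates for the kind of firewall rule mentioned in the reply; a wider `window` also catches slower scanners at the cost of more coincidental matches.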