[TriLUG] Getting, um, probed?

Jeff Groves jgroves at krenim.org
Wed Aug 4 21:25:11 EDT 2004


Yeah, I saw two attempts on my server, but since I run a very restrictive /etc/hosts.allow 
and /hosts.deny combination they didn't get very far.

I wonder if someone's trying out their OpenSSL vulnerability exploiter a la "US-CERT 
Technical Cyber Security Alert TA04-078A -- Multiple Vulnerabilities in OpenSSL".

Here are my log entries:

Aug  1 11:31:54 hoover sshd[24482]: refused connect from ANantes-106-2-2-226.w80-13.abo.wanadoo.fr
Aug  3 07:47:34 hoover sshd[26591]: refused connect from 209.67.60.46


Jeff G.

Brian Henning wrote:

> Hi Y'all,
>   I've been seeing a lot of the following in my logwatch lately:
> 
> input_userauth_request: illegal user test
> input_userauth_request: illegal user test
> Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
> Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
> Received disconnect from 210.205.6.157: 11: Bye Bye
> Received disconnect from 210.205.6.157: 11: Bye Bye
> 
> The source IP will differ from day to day, so I can't just block that
> particular IP at the firewall..  Anyone else getting a lot of this sort of
> breakin-attempt lately?  Should I be concerned?
> 
> Cheers,
> ~Brian
> 
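
Added example, not part of either message above: a small Python tally over the log lines quoted in this thread. It separates connections that TCP wrappers refused before authentication from password guesses that reached sshd, grouped by source. The function names are hypothetical and the sample input is the thread's own log lines.

```python
import re
from collections import Counter

# Log lines as quoted in the two messages above (syslog and logwatch formats).
SAMPLE = """\
Aug  1 11:31:54 hoover sshd[24482]: refused connect from ANantes-106-2-2-226.w80-13.abo.wanadoo.fr
Aug  3 07:47:34 hoover sshd[26591]: refused connect from 209.67.60.46
input_userauth_request: illegal user test
Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
Received disconnect from 210.205.6.157: 11: Bye Bye
"""

# TCP wrappers refusal: the connection was dropped before authentication.
REFUSED = re.compile(r"refused connect from (?P<src>\S+)")
# Password failure for an account that does not exist on the host.
# Later OpenSSH releases log "invalid user" instead of "illegal user".
BAD_USER = re.compile(
    r"Failed password for (?:illegal|invalid) user (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def summarize(text):
    """Return (refused_by_source, guesses_by_source, usernames_tried)."""
    refused, guesses, users = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = REFUSED.search(line)
        if m:
            refused[m["src"]] += 1
            continue
        m = BAD_USER.search(line)
        if m:
            guesses[m["src"]] += 1
            users[m["user"]] += 1
    return refused, guesses, users

def report(text):
    """Build one summary line per source, password guesses first."""
    refused, guesses, users = summarize(text)
    out = [f"{src}: {n} password guesses reached sshd"
           for src, n in guesses.most_common()]
    out += [f"{src}: {n} connections refused by TCP wrappers"
            for src, n in refused.most_common()]
    out.append("usernames tried: " + ", ".join(sorted(users)))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```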
