[TriLUG] Getting, um, probed?

Mike Johnson mike at enoch.org
Wed Aug 4 22:29:09 EDT 2004


Brian Henning [lugmail at cheetah.dynip.com] wrote:
> Hi Y'all,
>   I've been seeing a lot of the following in my logwatch lately:
> 
> input_userauth_request: illegal user test
> input_userauth_request: illegal user test
> Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
> Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
> Received disconnect from 210.205.6.157: 11: Bye Bye
> Received disconnect from 210.205.6.157: 11: Bye Bye

Read this thread:
http://seclists.org/lists/incidents/2004/Jul/0065.html

> The source IP will differ from day to day, so I can't just block that
> particular IP at the firewall..  Anyone else getting a lot of this sort of
> breakin-attempt lately?  Should I be concerned?

As long as your ssh is nice and patched and you don't have the test or
guest accounts, you're set.

Mike
-- 
"Spare me your space-age technobabble Atilla The Hun!" --  Zapp Brannigan

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc




More information about the TriLUG mailing list