[TriLUG] Getting, um, probed?

erik at underhanded.org erik at underhanded.org
Thu Aug 5 02:31:27 EDT 2004


On Wed, Aug 04, 2004 at 08:21:10PM -0400, Brian Henning wrote:
> Hi Y'all,
>   I've been seeing a lot of the following in my logwatch lately:
> 
> input_userauth_request: illegal user test
> input_userauth_request: illegal user test
> Failed password for illegal user test from 210.205.6.157 port 51389 ssh2
> Failed password for illegal user test from 210.205.6.157 port 51470 ssh2
> Received disconnect from 210.205.6.157: 11: Bye Bye
> Received disconnect from 210.205.6.157: 11: Bye Bye
> 
> The source IP will differ from day to day, so I can't just block that
> particular IP at the firewall..  Anyone else getting a lot of this sort of
> breakin-attempt lately?  Should I be concerned?

Yeah, I see these every few days:

./auth.log:Aug  2 10:59:55 azbox sshd[24402]: Illegal user test from 211.45.200.159
./auth.log:Aug  2 10:59:56 azbox sshd[24410]: Illegal user guest from 211.45.200.159
./auth.log:Aug  2 20:24:17 azbox sshd[26183]: Illegal user test from 69.44.60.8
./auth.log:Aug  2 20:24:18 azbox sshd[26186]: Illegal user guest from 69.44.60.8
./auth.log:Aug  4 01:04:34 azbox sshd[32342]: Illegal user guest from 207.41.64.26
./auth.log:Aug  4 01:04:35 azbox sshd[32353]: Illegal user user from 207.41.64.26
./auth.log:Aug  4 01:04:37 azbox sshd[32370]: Illegal user test from 207.41.64.26

They are apparently scanning whole blocks, as I see them hitting IPs
sequentially right in a row.  Morons.

You could enable tcpwrappers and use /etc/hosts to block off all other
IPs than your own from ssh if you don't have too many shell users.  You
can also just move the ssh port to a non-standard port.  Or if really
paranoid, implement a form of port-knocking to enable ssh after jumping
through some hoops for your host.

Or, just don't worry about it unless you see them aggressively brute
forcing your server.  And of course fire off an abuse report to their
netadmin (whois on their IP should get you the netblock contact) if you
feel like it. ;)
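A small log-summarising script, added here as an example and not part of erik's or Brian's posts: it parses the two sshd line shapes quoted above (the grep-prefixed auth.log "Illegal user" lines and the "Failed password for illegal user" lines), groups hits by source address so a username sweep stands out from a one-off typo, and emits tcpwrappers hosts.deny entries for the sweeping hosts. The sample log lines and their IPs are constructed placeholders, not the addresses from the thread.

```python
"""Summarise 'Illegal user' SSH login attempts by source address.

Constructed example (not from the original thread). Works on the same
syslog line shapes quoted in the thread, grep prefix included.
"""
import re
from collections import defaultdict

# Matches both "Illegal user test from 1.2.3.4" (sshd's own message) and
# "Failed password for illegal user test from 1.2.3.4 port 51389 ssh2".
ILLEGAL_USER = re.compile(
    r"(?i)illegal user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample lines; the IPs are documentation placeholders.
SAMPLE_LOG = """\
./auth.log:Aug  2 10:59:55 azbox sshd[24402]: Illegal user test from 192.0.2.10
./auth.log:Aug  2 10:59:56 azbox sshd[24410]: Illegal user guest from 192.0.2.10
./auth.log:Aug  2 20:24:17 azbox sshd[26183]: Illegal user test from 198.51.100.7
./auth.log:Aug  4 01:04:34 azbox sshd[32342]: Failed password for illegal user guest from 203.0.113.5 port 51389 ssh2
./auth.log:Aug  4 01:04:35 azbox sshd[32353]: Illegal user user from 203.0.113.5
./auth.log:Aug  4 01:04:37 azbox sshd[32370]: Illegal user test from 203.0.113.5
./auth.log:Aug  4 01:05:00 azbox sshd[32380]: Accepted publickey for erik from 10.0.0.2 port 1234 ssh2
"""


def summarize(log_text):
    """Return {ip: sorted list of usernames tried} for every illegal-user hit."""
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            users_by_ip[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in users_by_ip.items()}


def suspects(summary, min_users=2):
    """Sources that tried at least min_users distinct names: a sweep, not a typo."""
    return sorted(ip for ip, users in summary.items() if len(users) >= min_users)


def hosts_deny_lines(ips):
    """tcpwrappers /etc/hosts.deny entries (daemon: client) for the given sources."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in suspects(summary):
        print(ip, "tried users:", ", ".join(summary[ip]))
    print("\n".join(hosts_deny_lines(suspects(summary))))
```

Run it against a real auth.log with `summarize(open("/var/log/auth.log").read())`; only sshd builds linked against libwrap honour the hosts.deny lines it prints.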