[TriLUG] Failed logins
scottchilcote at earthlink.net
Fri Sep 2 10:20:16 EDT 2005
Lisa Boyd wrote:
> I've been checking my Logwatch files and have noticed some failed
> logins for root listed under sshd. I assume someone is trying to break
> into my server, but is this something to seriously worry about?
> Considering my root password is not a dictionary word ;)
> Lisa B.
I had several attempts on my Earthlink DSL static IP, starting at close
to midnight last night too. All of them are supposedly from
188.8.131.52. All were failed attempts on the root account.
Looks like ten attempts at 23:57, ten more at 00:45, again at 1:31, then
2:18, 3:04, 3:52, 4:41, 5:28, and 6:13 was the most recent. Looks like
it stopped at that point.
I have "PermitRootLogin no" in my /etc/ssh/sshd_config file, so there
doesn't seem to be much to worry about.
Usually I have 2-3 attempts per week that look like the same script.
That one tries the root account first for several passwords, then tries
guest, then tries without a username. The ones this morning don't
follow the same pattern.
More information about the TriLUG