I had the same sshd attack 8th of February! Thanks
Authored by: mathieubill on Feb 11, '05 05:11:00AM
Hello,
Your post helped me very much:
First, after reading your post, I browsed my system logs too and I was very surprised to discover that I had the same type of attacks as yours and in the same period (8th of February):

Feb  8 19:41:23 sshd[1535]: Illegal user test from 218.153.147.92
Feb  8 19:41:28 sshd[1538]: Illegal user guest from 218.153.147.92
Feb  8 19:41:33 sshd[1540]: Illegal user admin from 218.153.147.92
Feb  8 19:41:43 sshd[1545]: Illegal user user from 218.153.147.92
Feb  8 19:41:50 sshd[1547]: Failed password for root from 218.153.147.92 port 57640 ssh2
etc.
Then with your advice and the AllowUsers command, I secured my sshd as much as I could.
So your advice arrived just in time!
Thanks once again.

Just in time? For what?
Authored by: daveschroeder on Feb 11, '05 01:20:21PM

This is a **very old** SSH attack. This has been going on for almost a year, and we see it on every machine we administer that has SSH enabled. All it does is try common username/password pairs for names and role accounts. If you have good password security, there is nothing to worry about. Is more security ever bad? Absolutely not; by all means, secure your machine as much as practical. But this is not some kind of "new" attack, and would not compromise any OS X machine in its default configuration with ssh enabled if accounts have reasonable passwords, i.e., not test/test, firstname/firstname, etc. That's all this script does.



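One way to triage log entries like those quoted in the first comment, added here as an example and not code from either poster: it groups failed sshd logins by source address and flags sources that cycle through several usernames, the pattern the second comment describes. The sample lines, their addresses (documentation ranges) and the `min_users` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the first comment; the addresses
# come from documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Feb  8 19:41:23 sshd[1535]: Illegal user test from 203.0.113.7
Feb  8 19:41:28 sshd[1538]: Illegal user guest from 203.0.113.7
Feb  8 19:41:33 sshd[1540]: Illegal user admin from 203.0.113.7
Feb  8 19:41:50 sshd[1547]: Failed password for root from 203.0.113.7 port 57640 ssh2
Feb  8 20:02:11 sshd[1602]: Failed password for alice from 198.51.100.20 port 40122 ssh2
Feb  8 20:02:19 sshd[1602]: Accepted password for alice from 198.51.100.20 port 40122 ssh2
"""

# The username is attacker-controlled text, so match it greedily and anchor the
# address at the end of the line: a name containing " from 10.0.0.1" cannot
# then shift the blame to another source.
ILLEGAL = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (.*) from (\S+)$")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(.*)"
    r" from (\S+) port \d+ ssh2$"
)


def summarize(log_text):
    """Return {source_ip: {"users": set, "attempts": int}} for failed logins."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0})
    for line in log_text.splitlines():
        m = ILLEGAL.search(line) or FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.groups()
        stats[ip]["users"].add(user)
        stats[ip]["attempts"] += 1
    return dict(stats)


def guessing_sources(log_text, min_users=3):
    """Sources that tried at least min_users distinct names (threshold is an assumption)."""
    summary = summarize(log_text)
    return sorted(ip for ip, s in summary.items() if len(s["users"]) >= min_users)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["attempts"], sorted(s["users"]))
    print("username guessing from:", guessing_sources(SAMPLE_LOG))
```

A single mistyped password, like the one from the second address in the sample, stays below the threshold, while a source walking through test, guest, admin and root is reported.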