Modify Remote Login server to block scripted attacks
Authored by: timrand on Feb 11, '05 09:58:07AM

I, too, had access attempts. There appears to be something to this. Pay attention folks!

Try this from your command line:

grep sshd /var/log/system.log

Review the lines for stuff like what shows up in my list below. I see attempts to access common accounts and dummy accounts such as "nobody". I have chosen to include the offending IP addresses so everyone is aware of potential sources of these attacks.

Jan 31 16:24:24 My_Machine sshd[2109]: Did not receive identification string from 66.15.145.131
Jan 31 16:28:38 My_Machine sshd[2110]: Illegal user jordan from 66.15.145.131
Jan 31 16:28:38 My_Machine sshd[2110]: reverse mapping checking getaddrinfo for
 bdsl.66.15.145.131.gte.net failed - POSSIBLE BREAKIN ATTEMPT!

Jan 31 16:30:15 My_Machine sshd[2218]: Illegal user pub from 66.15.145.131
Jan 31 16:30:15 My_Machine sshd[2218]: reverse mapping checking getaddrinfo for
 bdsl.66.15.145.131.gte.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  1 15:24:02 My_Machine sshd[2602]: Did not receive identification string from 210.100.255.3
Feb  1 15:33:27 My_Machine sshd[2603]: User nobody not allowed because shell /dev/null is not executable
Feb  1 15:33:29 My_Machine sshd[2605]: Illegal user patrick from 210.100.255.3
Feb  1 15:33:32 My_Machine sshd[2607]: Illegal user patrick from 210.100.255.3
Feb  1 15:33:34 My_Machine sshd[2609]: Failed password for root from 210.100.255.3 port 42075 ssh2
Feb  1 15:33:37 My_Machine sshd[2611]: Failed password for root from 210.100.255.3 port 43794 ssh2
Feb  1 15:33:48 My_Machine sshd[2620]: Illegal user rolo from 210.100.255.3
Feb  1 15:33:51 My_Machine sshd[2622]: Illegal user iceuser from 210.100.255.3
Feb  1 15:33:53 My_Machine sshd[2624]: Illegal user horde from 210.100.255.3
Feb  1 15:33:56 My_Machine sshd[2626]: Failed password for cyrus from 210.100.255.3 port 52386 ssh2
Feb  1 15:33:58 My_Machine sshd[2628]: User www not allowed because shell /dev/null is not executable
Feb  1 15:34:01 My_Machine sshd[2630]: Illegal user wwwrun from 210.100.255.3
Feb  1 15:34:03 My_Machine sshd[2632]: Illegal user matt from 210.100.255.3

Feb  1 15:36:51 My_Machine sshd[2768]: Illegal user webmaster from 210.100.255.3
Feb  1 15:36:54 My_Machine sshd[2770]: Illegal user data from 210.100.255.3
Feb  1 15:36:56 My_Machine sshd[2772]: Illegal user user from 210.100.255.3
Feb  1 15:36:59 My_Machine sshd[2774]: Illegal user user from 210.100.255.3
Feb  1 15:37:01 My_Machine sshd[2776]: Illegal user user from 210.100.255.3
Feb  1 15:37:03 My_Machine sshd[2778]: Illegal user web from 210.100.255.3
Feb  1 15:37:06 My_Machine sshd[2780]: Illegal user web from 210.100.255.3
Feb  1 15:37:08 My_Machine sshd[2782]: Illegal user oracle from 210.100.255.3
Feb  1 15:37:10 My_Machine sshd[2784]: Illegal user sybase from 210.100.255.3
Feb  1 15:37:12 My_Machine sshd[2786]: Illegal user master from 210.100.255.3
Feb  1 15:37:15 My_Machine sshd[2788]: Illegal user account from 210.100.255.3
Feb  1 15:37:22 My_Machine sshd[2794]: Illegal user adam from 210.100.255.3

Feb  1 15:37:31 My_Machine sshd[2802]: Illegal user henry from 210.100.255.3
Feb  1 15:37:33 My_Machine sshd[2804]: Illegal user john from 210.100.255.3
Feb  1 15:37:36 My_Machine sshd[2806]: Failed password for root from 210.100.255.3 port 60520 ssh2
Feb  1 15:37:46 My_Machine sshd[2814]: Failed password for root from 210.100.255.3 port 38468 ssh2
Feb  1 15:37:49 My_Machine sshd[2816]: Illegal user test from 210.100.255.3
Admin: Comment edited to narrow display; no content was changed

This is OLD NEWS
Authored by: daveschroeder on Feb 11, '05 01:17:01PM

There is nothing "to this". This is a super old SSH attack that has been going around for almost a year. It simply tries username/password pairs for common first names and common role accounts. You are NOT VULNERABLE to this attack if you have strong passwords set on your account(s).

Also, there are HUNDREDS of hosts that are probably running scripts like these, right now, and many more that have been compromised over time. So while interesting, knowing the source is not valuable on a general scale. They're just other compromised machines themselves (usually).

Now, yes, it's good to secure your machine as much as possible. But ordinary Mac OS X users who have ssh enabled with decent passwords will NOT be vulnerable to this attack. You might have dozens, hundreds, or even thousands of these log entries. We see this ALL THE TIME on all of our UNIX servers; it's nothing new and nothing to worry about if you have good password security.



Modify Remote Login server to block scripted attacks
Authored by: chko on Feb 11, '05 01:52:25PM
You can also use:

zgrep sshd /var/log/system.log.x.gz

Where x is a number (like 0, 1, 2, ...). This will allow you to see SSH activity on older rotated logs.

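The grep and zgrep checks from the two comments above, turned into a small log summarizer (an added example, not code from either poster): it parses the sshd message formats shown in timrand's excerpt ("Illegal user", "Failed password", "Did not receive identification string"), counts events per source IP, lists the usernames each source tried, and can read both the live system.log and gzip-rotated system.log.N.gz files via open_log. The SAMPLE lines are constructed in the same format as the excerpt; the threshold of 5 events is an assumed cutoff.

```python
import gzip
import re
from collections import Counter, defaultdict

# Message formats as they appear in the thread's log excerpt (OpenSSH 3.x wording).
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED_PW = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\d+\.\d+\.\d+\.\d+)")

def open_log(path):
    """Open a plain or gzip-rotated log (system.log, system.log.0.gz, ...) as text."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", errors="replace")
    return open(path, errors="replace")

def summarize(lines):
    """Return (events per source IP, usernames tried per source IP)."""
    hits = Counter()
    users = defaultdict(set)
    for line in lines:
        m = ILLEGAL_USER.search(line) or FAILED_PW.search(line)
        if m:
            hits[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
        elif (m := NO_IDENT.search(line)):
            hits[m.group(1)] += 1  # probe that never sent an SSH banner
    return hits, users

def flag_sources(hits, users, threshold=5):
    """Sources with at least `threshold` events, most active first (assumed cutoff)."""
    return [(ip, n, sorted(users[ip])) for ip, n in hits.most_common() if n >= threshold]

# Constructed sample in the same format as the thread's excerpt; 192.0.2.10 is a
# documentation-range address standing in for a legitimate user with one typo.
SAMPLE = """\
Feb  1 15:24:02 My_Machine sshd[2602]: Did not receive identification string from 210.100.255.3
Feb  1 15:33:29 My_Machine sshd[2605]: Illegal user patrick from 210.100.255.3
Feb  1 15:33:34 My_Machine sshd[2609]: Failed password for root from 210.100.255.3 port 42075 ssh2
Feb  1 15:33:51 My_Machine sshd[2622]: Illegal user iceuser from 210.100.255.3
Feb  1 15:33:56 My_Machine sshd[2626]: Failed password for cyrus from 210.100.255.3 port 52386 ssh2
Feb  1 15:37:49 My_Machine sshd[2816]: Illegal user test from 210.100.255.3
Feb  1 16:02:11 My_Machine sshd[2901]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Feb  1 16:05:40 My_Machine sshd[2950]: Failed password for alice from 192.0.2.10 port 50012 ssh2
""".splitlines()

if __name__ == "__main__":
    # For real logs: lines = [l for p in paths for l in open_log(p)] over /var/log/system.log*
    h, u = summarize(SAMPLE)
    for ip, n, names in flag_sources(h, u):
        print(f"{ip}: {n} events, users tried: {', '.join(names)}")
```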