[clug] SSH attack

Steve Jenkin sjenkin at canb.auug.org.au
Mon Jul 25 13:51:22 GMT 2005

Tonight I noticed lots of inbound network activity to an unused host: I
mapped SSH through the firewall to it.

First event in log:
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from port 60518 ssh2

Could this explain the compromise someone on the list saw recently?

I've created two lists from the attempts I've seen in /var/log/secure,
URLs below.  Hope this is helpful to some of you out there.  The first
number in the file is the count.

BTW: I've read the man page for 'sshd_config', and it seems pretty
sketchy to me on how to limit connections to sshd.  All I found was:
=> AllowUsers USER@HOST

Doesn't seem to understand limiting to subnets or denying from address
ranges, say like Apache...  Did I get this right?


Steve Jenkin, Unix Sys Admin
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://www.tip.net.au/~sjenkin
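A small script, added here and not part of Steve's post, that builds the two count lists the post describes (failed attempts per user name and per source address) from sshd lines in the /var/log/secure format quoted above. The sample log lines, host name, PIDs and addresses are constructed (documentation IP ranges), not taken from the post.

```python
import re
from collections import Counter

# Constructed sample in the format the posting quotes. Host name, PIDs and
# addresses are made up; 192.0.2.x, 198.51.100.x and 203.0.113.x are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jun 30 22:58:42 cdr sshd[3536]: Illegal user test from 192.0.2.10
Jun 30 22:58:45 cdr sshd[3536]: Failed password for illegal user test from 192.0.2.10 port 60518 ssh2
Jun 30 22:58:49 cdr sshd[3538]: Illegal user guest from 192.0.2.10
Jun 30 22:58:52 cdr sshd[3538]: Failed password for illegal user guest from 192.0.2.10 port 60611 ssh2
Jun 30 22:59:01 cdr sshd[3540]: Failed password for root from 198.51.100.7 port 41022 ssh2
Jun 30 22:59:05 cdr sshd[3542]: Illegal user test from 198.51.100.7
Jun 30 22:59:08 cdr sshd[3542]: Failed password for illegal user test from 198.51.100.7 port 41105 ssh2
Jun 30 23:01:13 cdr sshd[3550]: Accepted publickey for sjenkin from 203.0.113.5 port 50000 ssh2
"""

# One "Failed password" line per attempt; "illegal user" is optional because
# sshd only prefixes it for names that do not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)


def failed_logins(text):
    """Yield (user, addr) for every 'Failed password' line in text."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("addr")


def count_by_user(text):
    """Attempts per user name (the first list the post mentions)."""
    return Counter(user for user, _ in failed_logins(text))


def count_by_addr(text):
    """Attempts per source address (the second list)."""
    return Counter(addr for _, addr in failed_logins(text))


def format_list(counter):
    """Render as 'count value' lines, highest count first, as in the posted files."""
    return "\n".join(f"{n} {v}" for v, n in counter.most_common())


if __name__ == "__main__":
    print("Attempted user names:\n" + format_list(count_by_user(SAMPLE_LOG)))
    print("Source addresses:\n" + format_list(count_by_addr(SAMPLE_LOG)))
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/secure; the "Accepted" line in the sample shows that successful logins are ignored.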
