Illegal user ssh probes
Sep 25 2004 07:39AM Frank Hamersley (terabite bigpond com) (2 replies)
On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user IDs in the following order...

test / guest / admin / admin / user / test

We are using SSH 2 RSA key ONLY authentication, i.e. password-based login is
not accepted, and none of these user profiles exist on the host so I am not
too concerned.

However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis? The rate of probes is very low so I
don't think there is a DoS attack just yet!

Is it worth reporting the behaviour to the net block assignees in case they
aren't aware their server might be compromised?
Is anybody else seeing this?
Regards, Frank.