
Bug#314645: ssh password mappings result



Sure, but what do you plan to do with the data?  Rather, how do you
plan to analyze it?  It seems to me that this could be done without
knowing what passwords are tried.

The data lined up pretty well last night, when I discovered the first
ssh scan; I had to remove some blank lines from /etc/ssh-log (probably
from my own testing), remove my own password from the bottom (I was
scp'ing files from the machine), and remove some other cruft I had
left behind (from testing that password authentication is forced).

But it will probably not line up nearly as well once, for example,
auth.log gets rotated, or I log in from an uncommon machine which
doesn't have RSA access, and I mistype my password.

> > Justin

On Mon, Jun 20, 2005 at 10:15:18PM -0700, Greg Webster wrote:
> Hi Justin,
> 
> Part of what I'd like to (dis)prove is that they are making a 'second
> run' from this or another machine to hit the accounts that it believes
> are valid...any chance you could keep your testing up for a while?
> 
> On Mon, 2005-20-06 at 23:15 -0400, Justin Pryzby wrote:
> > Included is a list of usernames and corresponding passwords used in an
> > ssh scan I observed.  It indicates to me that it is trying
> > statistically common (aka dumb) passwords on common usernames; I see
> > no evidence of an attempt to measure timings to discover valid
> > accounts.
> > 
> > Starred accounts are invalid users.




