
Why do SSH cracking attempts start with "Did not receive identification string"?



My logs from SSH cracking attempts often start like this.

Sep  2 00:01:09 foo sshd[6988]: Did not receive identification string from 1.2.3.4
Sep  2 00:05:30 foo sshd[7832]: Failed password for illegal user root from 1.2.3.4 port 45069 ssh2
Sep  2 00:05:31 foo sshd[7834]: Failed password for illegal user fluffy from 1.2.3.4 port 45552 ssh2
Sep  2 00:05:32 foo sshd[7836]: Failed password for illegal user admin from 1.2.3.4 port 45614 ssh2
Sep  2 00:05:34 foo sshd[7838]: Failed password for illegal user test from 1.2.3.4 port 45631 ssh2
Sep  2 00:05:35 foo sshd[7840]: Failed password for illegal user guest from 1.2.3.4 port 46340 ssh2
Sep  2 00:05:36 foo sshd[7842]: Failed password for illegal user webmaster from 1.2.3.4 port 46779 ssh2
Sep  2 00:05:41 foo sshd[7844]: Failed password for illegal user mysql from 1.2.3.4 port 46834 ssh2
Sep  2 00:05:42 foo sshd[7846]: Failed password for illegal user oracle from 1.2.3.4 port 48103 ssh2
...

Sometimes the interval between "Did not receive" and the first "Failed
password" is as long as 20 minutes.  Why do the SSH cracking programs
omit the string the first time, and why do they wait a while after
that to start trying userids and passwords?
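As an added example (not part of the original post), a small Python script that walks sshd log lines like the ones quoted above, groups them by source address and reports the delay between the "Did not receive identification string" event and the first failed password for that address, along with the usernames tried; the embedded log lines are constructed for the example, syslog timestamps carry no year so one is assumed, and both the older "illegal user" and the newer "invalid user" wording are accepted.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample log lines, modelled on the sshd output quoted above.
SAMPLE_LOG = """\
Sep  2 00:01:09 foo sshd[6988]: Did not receive identification string from 1.2.3.4
Sep  2 00:05:30 foo sshd[7832]: Failed password for illegal user root from 1.2.3.4 port 45069 ssh2
Sep  2 00:05:31 foo sshd[7834]: Failed password for illegal user fluffy from 1.2.3.4 port 45552 ssh2
Sep  2 00:05:32 foo sshd[7836]: Failed password for illegal user admin from 1.2.3.4 port 45614 ssh2
Sep  2 00:07:00 foo sshd[7900]: Did not receive identification string from 5.6.7.8
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Client connected and closed without sending its SSH version banner.
NOIDENT = re.compile(TS + r" \S+ sshd\[\d+\]: Did not receive identification string from (\S+)")
# Password failure; "illegal" is the older wording, "invalid" the current one.
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:illegal|invalid) user (\S+) from (\S+) port \d+")

def parse_ts(s, year=2000):
    # syslog timestamps have no year; assume one so subtraction works
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def analyse(log_text):
    """Per source IP: seconds from the first banner-less connect to the first failed password, and the usernames tried."""
    hosts = defaultdict(lambda: {"probe": None, "first_fail": None, "users": []})
    for line in log_text.splitlines():
        m = NOIDENT.match(line)
        if m:
            h = hosts[m.group(2)]
            if h["probe"] is None:
                h["probe"] = parse_ts(m.group(1))
            continue
        m = FAILED.match(line)
        if m:
            h = hosts[m.group(3)]
            ts = parse_ts(m.group(1))
            if h["first_fail"] is None:
                h["first_fail"] = ts
            h["users"].append(m.group(2))
    report = {}
    for ip, h in hosts.items():
        delay = None
        if h["probe"] is not None and h["first_fail"] is not None:
            delay = int((h["first_fail"] - h["probe"]).total_seconds())
        report[ip] = {"delay_seconds": delay, "attempts": len(h["users"]), "users": h["users"]}
    return report

if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        print(ip, r)
```

An address that shows the probe but no later failures (5.6.7.8 above) is reported with a delay of None, so a scanner that never came back is still visible in the output.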