Re: Possible hack attempt?

To: debian-user@lists.debian.org
Subject: Re: Possible hack attempt?
From: "Yoram Hekma" <yoram.hekma@unikaas.xs4all.nl>
Date: Sun, 04 Dec 2005 11:41:25 +0100
Message-id: <[🔎] op.s089bbcvtvpscf@tdr-0d900a9b769>
In-reply-to: <[🔎] 4392AEF8.5020806@amfes.com>
References: <[🔎] 4392AEF8.5020806@amfes.com>

On Sun, 04 Dec 2005 09:55:20 +0100, Daniel L. Miller <dmiller@amfes.com>wrote:

I just happened, for GP, to check my auth.log file on my firewall. Ifound a lengthy listing that appears to be a dictionary attack againstme. Can someone tell me what I'm dealing with here?
My firewall is Debian GNU/Linux 2.6 SID, with a firehol generatediptables fireall, OpenVPN, and sshd. I'm connecting to the VPN fromremote sites via Windows clients running OpenVPN and Putty.
auth.log:
<snip>
Dec 4 00:49:53 foxy sshd[28704]: Illegal user amber from::ffff:83.245.39.2Dec 4 00:49:53 foxy sshd[28704]: error: Could not get shadowinformation for NOUSERDec 4 00:49:53 foxy sshd[28704]: Failed password for illegal user amberfrom ::ffff:83.245.39.2 port 48875 ssh2Dec 4 00:49:54 foxy sshd[28706]: Illegal user amber from::ffff:83.245.39.2Dec 4 00:49:54 foxy sshd[28706]: error: Could not get shadowinformation for NOUSERDec 4 00:49:54 foxy sshd[28706]: Failed password for illegal user amberfrom ::ffff:83.245.39.2 port 48923 ssh2Dec 4 00:49:56 foxy sshd[28708]: Illegal user amy from::ffff:83.245.39.2Dec 4 00:49:56 foxy sshd[28708]: error: Could not get shadowinformation for NOUSERDec 4 00:49:56 foxy sshd[28708]: Failed password for illegal user amyfrom ::ffff:83.245.39.2 port 48977 ssh2Dec 4 00:49:57 foxy sshd[28710]: Illegal user amy from::ffff:83.245.39.2Dec 4 00:49:57 foxy sshd[28710]: error: Could not get shadowinformation for NOUSERDec 4 00:49:57 foxy sshd[28710]: Failed password for illegal user amyfrom ::ffff:83.245.39.2 port 49029 ssh2Dec 4 00:49:59 foxy sshd[28713]: Illegal user anastacia from::ffff:83.245.39.2Dec 4 00:49:59 foxy sshd[28713]: error: Could not get shadowinformation for NOUSERDec 4 00:49:59 foxy sshd[28713]: Failed password for illegal useranastacia from ::ffff:83.245.39.2 port 49086 ssh2Dec 4 00:50:00 foxy sshd[28715]: Illegal user anastacia from::ffff:83.245.39.2Dec 4 00:50:00 foxy sshd[28715]: error: Could not get shadowinformation for NOUSERDec 4 00:50:00 foxy sshd[28715]: Failed password for illegal useranastacia from ::ffff:83.245.39.2 port 49138 ssh2
<snip>

Daniel

Nothing special, I get these all the time. As long as you don't havepasswordless accounts you should be ok.

Have a look into PAM_ABL if you want info on how to block these "people"
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

Reply to:

References:
- Possible hack attempt?
  - From: "Daniel L. Miller" <dmiller@amfes.com>

Prev by Date: Re: Why did Debian bundle exim instead of postfix or sendmail as the Default MTA?
Next by Date: Re: Why did Debian bundle exim instead of postfix or sendmail as the Default MTA?
Previous by thread: Possible hack attempt?
Next by thread: Re: Possible hack attempt?
Index(es):
- Date
- Thread