Hack Attempt

December 2, 2007


Dec 2 14:19:52 myHostname sshd[8843]: Did not receive identification string from someip
Dec 2 14:20:31 myHostname sshd[8846]: Invalid user fluffy from someip
Dec 2 14:20:33 myHostname sshd[8848]: Invalid user admin from someip
Dec 2 14:20:35 myHostname sshd[8850]: Invalid user test from someip
Dec 2 14:20:38 myHostname sshd[8853]: Invalid user guest from someip
Dec 2 14:20:41 myHostname sshd[8855]: Invalid user webmaster from someip
Dec 2 14:20:46 myHostname sshd[8859]: Invalid user oracle from someip
Dec 2 14:20:48 myHostname sshd[8861]: Invalid user library from someip
Dec 2 14:20:52 myHostname sshd[8863]: Invalid user info from someip
Dec 2 14:20:54 myHostname sshd[8865]: Invalid user shell from someip
Dec 2 14:20:57 myHostname sshd[8867]: Invalid user linux from someip
Dec 2 14:20:59 myHostname sshd[8869]: Invalid user unix from someip
Dec 2 14:21:02 myHostname sshd[8871]: Invalid user webadmin from someip
… more like this …

So that’s what a brute force attack on an SSH server looks like! ;)

Fortunately, I took time to read and secure the SSH as best I know how, and no damage appears to be done (if the output of less can be trusted). There were only two real attacks.

All in all, I learned from the whole thing. I should probably start getting into the habit of reading my logs, and I learned a couple of user names not to use (my favorites being fluffy, gopher, and Zmeu). I think I also want to look for an ipchains rule to limit access to only IP addresses in my state.

Entry Filed under: Linux.
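A log excerpt like the one in this post can be checked automatically instead of by eye. The following Python is an added example, not part of the original post: it parses sshd "Invalid user" lines and flags any source that exceeds a threshold of attempts within a sliding time window. The function names, the threshold and window values, the year 2007 (taken from the post's date) and the 192.0.2.10 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: "someip" lines follow the post; the 192.0.2.10 line is invented.
SAMPLE_LOG = """\
Dec 2 14:19:52 myHostname sshd[8843]: Did not receive identification string from someip
Dec 2 14:20:31 myHostname sshd[8846]: Invalid user fluffy from someip
Dec 2 14:20:33 myHostname sshd[8848]: Invalid user admin from someip
Dec 2 14:20:35 myHostname sshd[8850]: Invalid user test from someip
Dec 2 14:20:38 myHostname sshd[8853]: Invalid user guest from someip
Dec 2 14:20:41 myHostname sshd[8855]: Invalid user webmaster from someip
Dec 2 14:20:46 myHostname sshd[8859]: Invalid user oracle from someip
Dec 2 14:25:10 myHostname sshd[8901]: Invalid user bob from 192.0.2.10
"""

# Newer OpenSSH versions append "port N" to this message, so allow for it.
INVALID_USER = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (\S+) from (\S+)(?: port \d+)?$")

def parse_invalid_users(text, year=2007):
    """Yield (timestamp, user, source); syslog omits the year, so it is assumed."""
    for line in text.splitlines():
        m = INVALID_USER.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_bursts(text, threshold=5, window_s=60):
    """Return {source: summary} for sources with at least `threshold`
    invalid-user attempts inside any sliding window of `window_s` seconds."""
    by_source = defaultdict(list)
    for ts, user, src in parse_invalid_users(text):
        by_source[src].append((ts, user))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = {"attempts": len(events), "peak_in_window": peak,
                            "users": sorted({u for _, u in events})}
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

The single mistyped login from 192.0.2.10 stays below the threshold, while the rapid sequence of guessed user names from one source is reported with its attempt count and the names tried.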

5 Comments

  • 1. scaryreasoner  |  December 2, 2007 at 10:05 pm

    um….

    “So that’s what a brute force attack on an SSH server looks like!”

    The antecedent of “that” is missing in action.

    What does a brute force attack on an SSH server look like?

    Your post fails to mention it.

  • 2. dosnlinux  |  December 3, 2007 at 6:59 am

    Fixed. Thanks :)

  • 3. Dr Small  |  December 7, 2007 at 8:41 pm

    You weren’t the only one for December 2nd.
    I got hit too..

  • 4. Ryan Grange  |  March 30, 2008 at 7:34 pm

    I wrote an article covering some IPTables rules I found elsewhere on slowing down brute force attempts to hack your ssh server with an explanation of what those rules do. It won’t provide bullet-proof security, but it will give you a stronger defense against the brutes.

  • 5. Exhibitor  |  June 24, 2008 at 6:33 am

    Somehow I missed the point. Probably lost in translation :) Anyway … nice blog to visit.

    cheers, Exhibitor!
