More SSH 'trolling'

Brian Fahrlander brian at fahrlander.net
Thu Oct 14 11:18:33 UTC 2004


    I just got a notice from LogWatch with the dire warning "POSSIBLE
BREAKIN ATTEMPT!".  Quite a lot of them, too.  I'm already disabling the
root login and have /etc/hosts.allow turning away 'unknown' addresses.
(This version uses that, right? It's unmodified...)

    The typical entry looks like this:
Oct 13 06:33:14 fahrlander sshd[13361]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:33:14 fahrlander sshd[13361]: Did not receive identification string from 67.19.122.170
Oct 13 06:53:08 fahrlander sshd[13468]: warning: /etc/hosts.allow, line 6: can't verify hostname: getaddrinfo(170.67-19-122.reverse.theplanet.com, AF_INET) failed
Oct 13 06:53:09 fahrlander sshd[13468]: reverse mapping checking getaddrinfo for 170.67-19-122.reverse.theplanet.com failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 fahrlander sshd[13468]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 fahrlander sshd[13469]: input_userauth_request: illegal user nobody

    And this site hit me 40-50 times trying various usernames, including
'root' quite a lot. Other names such as patrick, nobody, wwwrun, www,
cyrus, horde, iceuser, rolo...it doesn't look like anything that, say,
Cisco would use on their factory defaults.  They also don't look like a
set of names _I_ would use, so they probably don't know _me_.  Times
range from 0633-0654...

    Some questions:

    - Anyone else getting this?

    - Wouldn't these connections just get dumped because their forward
and reverse addresses don't match?

    - Does anyone recognize these usernames?

-- 
------------------------------------------------------------------------
Brian Fahrländer                  Christian, Conservative, and Technomad
Evansville, IN                                 http://www.fahrlander.net
ICQ 5119262
AIM: WheelDweller
------------------------------------------------------------------------
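
Added example, not part of the original post: a small Python 3.8+ summarizer for sshd entries in the format quoted above, attributing each rejected username to its source by sshd PID. The sample lines are constructed (documentation addresses, made-up reverse names and PIDs), and the names summarize and guessers are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the entries quoted in the post
# (documentation address range, made-up reverse names and PIDs).
SAMPLE = """\
Oct 13 06:33:14 host sshd[100]: Did not receive identification string from 192.0.2.10
Oct 13 06:53:09 host sshd[101]: reverse mapping checking getaddrinfo for 10.2-0-192.reverse.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:09 host sshd[101]: User nobody not allowed because not listed in AllowUsers
Oct 13 06:53:09 host sshd[102]: input_userauth_request: illegal user nobody
Oct 13 06:53:12 host sshd[103]: reverse mapping checking getaddrinfo for 10.2-0-192.reverse.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:12 host sshd[103]: User root not allowed because not listed in AllowUsers
Oct 13 06:53:15 host sshd[105]: reverse mapping checking getaddrinfo for 10.2-0-192.reverse.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Oct 13 06:53:15 host sshd[105]: User wwwrun not allowed because not listed in AllowUsers
Oct 13 07:10:00 host sshd[110]: Did not receive identification string from 192.0.2.77
""".splitlines()

ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")
PROBE = re.compile(r"Did not receive identification string from (\S+)")
REVMAP = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
DENIED = re.compile(r"User (\S+) not allowed because not listed in AllowUsers")
ILLEGAL = re.compile(r"input_userauth_request: illegal user (\S+)")

def summarize(lines):
    """Return (per-source stats, set of all usernames tried)."""
    sources = defaultdict(lambda: {"probes": 0, "revmap_failures": 0, "users": set()})
    pid_source, names = {}, set()
    for line in lines:
        entry = ENTRY.match(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        if m := PROBE.search(msg):
            sources[m.group(1)]["probes"] += 1
        elif m := REVMAP.search(msg):
            # Remember which client this sshd PID is serving, so the
            # username lines (which carry no address) can be attributed.
            # PIDs get reused over time; feed one log window at a time.
            pid_source[pid] = m.group(1)
            sources[m.group(1)]["revmap_failures"] += 1
        elif m := DENIED.search(msg) or ILLEGAL.search(msg):
            names.add(m.group(1))
            if pid in pid_source:
                sources[pid_source[pid]]["users"].add(m.group(1))
    return dict(sources), names

def guessers(sources, min_users=3):
    """Sources that tried at least min_users distinct usernames."""
    return sorted(s for s, v in sources.items() if len(v["users"]) >= min_users)
```

Calling summarize() on a list of log lines and passing the first result to guessers() lists the sources that cycled through several account names, which separates username guessing from one-off connections that never sent an identification string.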