Re: WATCH FOR A HACKER!!!

From: Justin Dieters <enderak@mtaonline.net>
Date: Sun Oct 17 2004 - 14:12:10 AKDT

I've had several root login attempts (and other common usernames) to my
server the past couple days - none successful though (knock on wood).

Make sure you set "PermitRootLogin no" in your /etc/ssh/sshd_config file.

Justin

Damien Hull wrote:

>I'm sitting here surfing the net. My dsl modem is right next to me. I
>happened to see traffic going through when there shouldn't have been.
>
>I did a "netstat -ta" to see if anything on my box was connecting to the
>net. What I found was much worse. I saw an ssh connection from my box to
>an ip address I have never seen.
>
>Here's what I found in /var/log/messages.
>Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from
>218.21.78.22 port 3716 ssh2
>Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
>Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user
>guest from 218.21.78.22 port 3941 ssh2
>Oct 17 21:40:44 tower1 sshd[31178]: Illegal user admin from 218.21.78.22
>Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user
>admin from 218.21.78.22 port 4217 ssh2
>Oct 17 21:40:49 tower1 sshd[31180]: Illegal user admin from 218.21.78.22
>Oct 17 21:40:49 tower1 sshd[31180]: Failed password for illegal user
>admin from 218.21.78.22 port 4442 ssh2
>Oct 17 21:40:54 tower1 sshd[31182]: Illegal user user from 218.21.78.22
>Oct 17 21:40:54 tower1 sshd[31182]: Failed password for illegal user
>user from 218.21.78.22 port 4728 ssh2
>Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from
>218.21.78.22 port 4993 ssh2
>Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from
>218.21.78.22 port 1322 ssh2
>Oct 17 21:41:11 tower1 sshd[31188]: Failed password for root from
>218.21.78.22 port 1602 ssh2
>Oct 17 21:41:19 tower1 sshd[31190]: Failed password for test from
>218.21.78.22 port 1917 ssh2
>Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root
>by (uid=1002)
>
>It turns out that the ip is from some isp in china. Here's the whois
>info.
>
>inetnum: 218.21.64.0 - 218.21.127.255
>netname: CHINANET-GX
>descr: CHINANET Guangxi province network
>descr: China Telecom
>descr: A12,Xin-Jie-Kou-Wai Street
>descr: Beijing 100088
>country: CN
>admin-c: CH93-AP
>tech-c: CR766-AP
>mnt-by: MAINT-CHINANET
>mnt-lower: MAINT-CHINANET-GX
>changed: hostmaster@ns.chinanet.cn.net 20010731
>status: ALLOCATED NON-PORTABLE
>source: APNIC
>
>role: CHINANET GUANGXI
>address: No.35,Minzhu Road,Nanning 530015
>country: CN
>phone: +86-771-2815987
>fax-no: +86-771-2839278
>e-mail: hostmaster@gx163.net
>trouble: send spam reports to hostmaster@gx163.net
>trouble: send abuse reports to hostmaster@gx163.net
>trouble: times in GMT+8
>admin-c: CR76-AP
>tech-c: BD37-AP
>nic-hdl: CR766-AP
>remarks: http://www.gx.cninfo.net
>notify: hostmaster@gx163.net
>mnt-by: MAINT-CHINANET-GX
>changed: hostmaster@gx163.net 20021024
>source: APNIC
>
>person: Chinanet Hostmaster
>address: No.31 ,jingrong street,beijing
>address: 100032
>country: CN
>phone: +86-10-66027112
>fax-no: +86-10-58501144
>e-mail: hostmaster@ns.chinanet.cn.net
>e-mail: anti-spam@ns.chinanet.cn.net
>nic-hdl: CH93-AP
>mnt-by: MAINT-CHINANET
>changed: hostmaster@ns.chinanet.cn.net 20021016
>remarks: hostmaster is not for spam complaint,please send spam
>complaint to anti-spam@ns.chinanet.cn.net
>source: APNIC
>
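Worked detection example, added here and not part of either message: a small parser that runs over lines in the same sshd / su(pam_unix) syslog format as the /var/log/messages excerpt above, counts failed password attempts per source address in a sliding window, lists the usernames tried (separating the "illegal user" names that do not exist on the box), and then checks whether a root session was opened via su by a non-root uid shortly after such a burst. The sample lines are taken from the quoted log plus one constructed benign login from 192.0.2.10; the year 2004 (syslog timestamps carry none), the 5-failures-in-60-seconds threshold and the 30-minute grace window are my assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the sshd/su lines quoted in the post, plus one added
# benign login (192.0.2.10, documentation range) so normal traffic is exercised.
SAMPLE_LOG = """\
Oct 17 21:40:33 tower1 sshd[31174]: Failed password for test from 218.21.78.22 port 3716 ssh2
Oct 17 21:40:38 tower1 sshd[31176]: Illegal user guest from 218.21.78.22
Oct 17 21:40:38 tower1 sshd[31176]: Failed password for illegal user guest from 218.21.78.22 port 3941 ssh2
Oct 17 21:40:44 tower1 sshd[31178]: Illegal user admin from 218.21.78.22
Oct 17 21:40:44 tower1 sshd[31178]: Failed password for illegal user admin from 218.21.78.22 port 4217 ssh2
Oct 17 21:41:00 tower1 sshd[31184]: Failed password for root from 218.21.78.22 port 4993 ssh2
Oct 17 21:41:05 tower1 sshd[31186]: Failed password for root from 218.21.78.22 port 1322 ssh2
Oct 17 21:41:11 tower1 sshd[31188]: Failed password for root from 218.21.78.22 port 1602 ssh2
Oct 17 21:45:02 tower1 sshd[31200]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Oct 17 21:51:12 tower1 su(pam_unix)[31349]: session opened for user root by (uid=1002)
"""

SYSLOG_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# "Failed password for [illegal user ]<name> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?P<illegal>illegal user) )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# "su(pam_unix)[pid]: session opened for user root by (uid=<n>)"
SU_ROOT_RE = re.compile(
    SYSLOG_TS + r" \S+ su\(pam_unix\)\[\d+\]: session opened for user root by \(uid=(?P<uid>\d+)\)"
)


def parse_ts(ts, year=2004):
    # syslog timestamps have no year; 2004 is assumed (the year of the post).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze_auth_log(text, threshold=5, window_seconds=60):
    """Return brute-force sources and root sessions opened via su by non-root uids."""
    failures = defaultdict(list)   # ip -> [(time, user, user_is_unknown)]
    su_root = []                   # [(time, uid)]
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"], m["illegal"] is not None))
            continue
        m = SU_ROOT_RE.match(line)
        if m and m["uid"] != "0":
            su_root.append((parse_ts(m["ts"]), int(m["uid"])))

    brute_force = {}
    for ip, events in failures.items():
        times = sorted(t for t, _, _ in events)
        # Sliding window: largest number of failures inside any window_seconds span.
        lo, peak = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            brute_force[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "users": sorted({u for _, u, _ in events}),
                "unknown_users": sorted({u for _, u, unknown in events if unknown}),
                "last_failure": times[-1],
            }
    return {"brute_force": brute_force, "root_su_by_nonroot": su_root}


def root_sessions_after_bursts(report, grace_minutes=30):
    """Pair each non-root->root su with a brute-force burst that ended shortly before it.

    A hit is the line to investigate first: either the owner escalated (fine) or
    a guessed account was used as the foothold and then escalated.
    """
    hits = []
    for ip, info in report["brute_force"].items():
        for when, uid in report["root_su_by_nonroot"]:
            delta = (when - info["last_failure"]).total_seconds()
            if 0 <= delta <= grace_minutes * 60:
                hits.append((ip, uid, when))
    return hits


if __name__ == "__main__":
    rep = analyze_auth_log(SAMPLE_LOG)
    for ip, info in rep["brute_force"].items():
        print(f"{ip}: {info['attempts']} failures, peak {info['peak_in_window']}/60s, "
              f"users tried {info['users']}, nonexistent {info['unknown_users']}")
    for ip, uid, when in root_sessions_after_bursts(rep):
        print(f"root session via su by uid {uid} at {when:%H:%M:%S}, "
              f"{ip} burst ended {rep['brute_force'][ip]['last_failure']:%H:%M:%S}")
```

On the sample this flags 218.21.78.22 with six failures inside 38 seconds against test, guest, admin and root (guest and admin do not exist on the host), and pairs the 21:51:12 root su by uid 1002 with that burst, ten minutes after its last failure. The same parser can be pointed at a live /var/log/messages; the "Accepted password" line is deliberately not counted, so a successful login right after a burst from the same address would be the next thing to add.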

Received on Sun Oct 17 22:17:18 2004

This archive was generated by hypermail 2.1.8 : Sun Oct 17 2004 - 22:17:18 AKDT