On Fri, 2005-06-17 at 13:13 -0400, Justin Pryzby wrote:
> > Definitely would be a good test...I'd like to see someone validate what
> > I've been seeing.
> I see lots of the same logfile entries; but I have doubts that it is
> looking for a valid account, and not just looking for an *opened*
> account.
The problem is, I've seen that valid accounts (like my own 'greg') get
tested a lot more often than the others.

May 31 09:14:52 herring sshd[14612]: Failed password for www-data from 65.254.38.138 port 59932 ssh2
May 31 09:14:57 herring sshd[14630]: Failed password for nobody from 65.254.38.138 port 60209 ssh2
May 31 09:15:00 herring sshd[14638]: Failed password for root from 65.254.38.138 port 60357 ssh2
May 31 09:15:02 herring sshd[14648]: Failed password for backup from 65.254.38.138 port 60542 ssh2
May 31 09:15:10 herring sshd[14713]: Failed password for adam from 65.254.38.138 port 60993 ssh2
May 31 09:15:13 herring sshd[14724]: Failed password for richard from 65.254.38.138 port 32972 ssh2
May 31 09:15:17 herring sshd[14734]: Failed password for michael from 65.254.38.138 port 33226 ssh2
May 31 09:15:19 herring sshd[14741]: Failed password for john from 65.254.38.138 port 33392 ssh2
May 31 09:15:24 herring sshd[14772]: Failed password for news from 65.254.38.138 port 33652 ssh2
May 31 09:15:27 herring sshd[14796]: Failed password for games from 65.254.38.138 port 33895 ssh2
May 31 09:15:32 herring sshd[14811]: Failed password for mail from 65.254.38.138 port 34172 ssh2
May 31 09:15:43 herring sshd[14846]: Failed password for root from 65.254.38.138 port 34879 ssh2
May 31 09:15:46 herring sshd[14864]: Failed password for steven from 65.254.38.138 port 35133 ssh2
May 31 09:15:51 herring sshd[14890]: Failed password for robert from 65.254.38.138 port 35470 ssh2
May 31 09:15:55 herring sshd[14901]: Failed password for richard from 65.254.38.138 port 35653 ssh2
May 31 09:15:59 herring sshd[14910]: Failed password for michael from 65.254.38.138 port 36019 ssh2
May 31 09:16:03 herring sshd[14920]: Failed password for mysql from 65.254.38.138 port 36276 ssh2
May 31 09:16:07 herring sshd[14942]: Failed password for operator from 65.254.38.138 port 36531 ssh2
May 31 09:16:14 herring sshd[14978]: Failed password for sshd from 65.254.38.138 port 37063 ssh2
May 31 09:16:20 herring sshd[14999]: Failed password for root from 65.254.38.138 port 37419 ssh2
May 31 09:16:25 herring sshd[15011]: Failed password for michael from 65.254.38.138 port 37737 ssh2
May 31 09:16:30 herring sshd[15043]: Failed password for irc from 65.254.38.138 port 38102 ssh2
May 31 09:17:15 herring sshd[15251]: Failed password for news from 65.254.38.138 port 41293 ssh2
May 31 09:17:17 herring sshd[15263]: Failed password for lp from 65.254.38.138 port 41500 ssh2
May 31 09:17:20 herring sshd[15267]: Failed password for mail from 65.254.38.138 port 41714 ssh2
May 31 09:17:23 herring sshd[15289]: Failed password for bin from 65.254.38.138 port 41961 ssh2
May 31 09:18:02 herring sshd[15470]: Failed password for root from 65.254.38.138 port 44776 ssh2
May 31 09:48:21 herring sshd[19583]: Failed password for root from 72.29.78.199 port 35131 ssh2
May 31 09:48:24 herring sshd[19586]: Failed password for root from 72.29.78.199 port 35306 ssh2
May 31 09:48:27 herring sshd[19597]: Failed password for root from 72.29.78.199 port 35512 ssh2

Here's a sample:

      1 alfred
      1 bob
      1 greg
      1 jim
      1 juliab
      1 michelle
      1 sarah
      1 tim
      2 alexander
      2 ian
      2 joseph
      2 mark
      2 stephanie
      2 sys
      3 bin
      3 bruce
      3 dave
      3 james
      3 lp
      3 miniato
      3 postfix
      3 postgres
      6 games
      6 robert
      6 sshd
      8 steven
      9 backup
      9 www-data
     10 adam
     10 irc
     11 john
     11 news
     11 operator
     12 mail
     12 nobody
     12 richard
     16 michael
     23 mysql
    352 root

Created with:

zgrep 'Failed password' auth.log*gz | awk '{print $9}' | sort | uniq -c | sort -k1 -n | less

Now, none of the people with 1 attempt are valid, but all of those above
10 are. None of the users have a valid shell to access the server via
ssh, yet certain accounts get many more attempts (ignoring 'root'
entirely, since it'd be a known target).

Cheers,
Greg
--
Greg Webster - System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
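The comparison Greg makes by hand above (counting failed-password attempts per username and checking which of those names are real accounts) can be automated. The script below is an added example, not code from the original thread; the log lines in it are constructed in the format shown in the post, and the set of "valid" accounts stands in for the host's /etc/passwd. It also generalises the awk one-liner slightly: newer OpenSSH versions log attempts against non-existent accounts as "Failed password for invalid user NAME from ...", which shifts the username to field 11 and makes `awk '{print $9}'` count the word "invalid" instead; the regex here handles both forms.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample auth.log excerpt (not taken from the original post).
# Mixes the older "Failed password for USER" form with the newer
# "Failed password for invalid user USER" form, plus one successful login
# that the counter must ignore.
SAMPLE_LOG = """\
May 31 09:14:52 herring sshd[14612]: Failed password for www-data from 65.254.38.138 port 59932 ssh2
May 31 09:15:00 herring sshd[14638]: Failed password for root from 65.254.38.138 port 60357 ssh2
May 31 09:15:10 herring sshd[14713]: Failed password for adam from 65.254.38.138 port 60993 ssh2
May 31 09:15:13 herring sshd[14724]: Failed password for invalid user alfred from 65.254.38.138 port 32972 ssh2
May 31 09:15:17 herring sshd[14734]: Failed password for michael from 65.254.38.138 port 33226 ssh2
May 31 09:15:24 herring sshd[14772]: Failed password for invalid user bob from 65.254.38.138 port 33652 ssh2
May 31 09:15:43 herring sshd[14846]: Failed password for root from 65.254.38.138 port 34879 ssh2
May 31 09:15:46 herring sshd[14864]: Failed password for michael from 65.254.38.138 port 35133 ssh2
May 31 09:16:03 herring sshd[14920]: Failed password for mysql from 65.254.38.138 port 36276 ssh2
May 31 09:16:20 herring sshd[14999]: Failed password for root from 65.254.38.138 port 37419 ssh2
May 31 09:16:25 herring sshd[15011]: Failed password for michael from 65.254.38.138 port 37737 ssh2
May 31 09:17:10 herring sshd[15240]: Accepted publickey for adam from 10.0.0.5 port 41000 ssh2
May 31 09:48:21 herring sshd[19583]: Failed password for invalid user jim from 72.29.78.199 port 35131 ssh2
May 31 09:48:24 herring sshd[19586]: Failed password for adam from 72.29.78.199 port 35306 ssh2
May 31 09:48:27 herring sshd[19597]: Failed password for www-data from 72.29.78.199 port 35512 ssh2
May 31 09:48:30 herring sshd[19601]: Failed password for mysql from 72.29.78.199 port 35700 ssh2
May 31 09:48:33 herring sshd[19604]: Failed password for invalid user sarah from 72.29.78.199 port 35801 ssh2
"""

# Constructed stand-in for the accounts that exist on the host (/etc/passwd).
VALID_ACCOUNTS = {"root", "www-data", "adam", "michael", "mysql", "greg"}

# Matches both log forms; the optional "invalid user " prefix is consumed
# so that the named group always holds the username itself.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def count_failed_logins(lines):
    """Return a Counter of username -> number of failed-password attempts."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts


def split_by_validity(counts, valid_accounts, ignore=("root",)):
    """Partition the per-user counts into (existing accounts, non-existent names).

    'root' is dropped by default, as in the post: it is a known target and
    would swamp any comparison.
    """
    valid = {u: n for u, n in counts.items() if u in valid_accounts and u not in ignore}
    invalid = {u: n for u, n in counts.items() if u not in valid_accounts and u not in ignore}
    return valid, invalid


def attempt_stats(lines, valid_accounts):
    """Summarise how attempts are spread over existing vs non-existent accounts."""
    counts = count_failed_logins(lines)
    valid, invalid = split_by_validity(counts, valid_accounts)
    return {
        "valid_total": sum(valid.values()),
        "invalid_total": sum(invalid.values()),
        "valid_mean": mean(valid.values()) if valid else 0.0,
        "invalid_mean": mean(invalid.values()) if invalid else 0.0,
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    counts = count_failed_logins(lines)
    # Same presentation as 'sort | uniq -c | sort -k1 -n' in the post.
    for user, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        tag = "valid" if user in VALID_ACCOUNTS else "no such user"
        print(f"{n:7d} {user:<12} ({tag})")
    print(attempt_stats(lines, VALID_ACCOUNTS))
```

On a real host, replace SAMPLE_LOG with the output of `zgrep 'Failed password' /var/log/auth.log*` and VALID_ACCOUNTS with the usernames from /etc/passwd (or `getent passwd`). A higher mean for existing accounts than for guessed names is consistent with Greg's observation, but it is only suggestive: the attacker's wordlist may simply overlap with common local names, so compare against the attempts per source address as well before drawing conclusions.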