Hi all,

One of my systems just emailed me with this:

Mar 5 13:35:03 firewall sshd[3497]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:11 firewall sshd[3499]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:15 firewall sshd[3500]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:19 firewall sshd[3501]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:27 firewall sshd[3503]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:39 firewall sshd[3506]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:43 firewall sshd[3507]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:51 firewall sshd[3509]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:59 firewall sshd[3511]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:36:52 firewall sshd[3524]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:38:47 firewall sshd[3537]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:39:05 firewall sshd[3539]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:39:14 firewall sshd[3540]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:39:32 firewall sshd[3542]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:39:49 firewall sshd[3544]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:39:58 firewall sshd[3545]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:40:07 firewall sshd[3546]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:41:57 firewall sshd[3574]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:43:12 firewall sshd[3593]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:43:35 firewall sshd[3599]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:44:34 firewall sshd[3614]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:44:47 firewall sshd[3494]: fatal: Timeout before authentication for 211.192.192.181.
Mar 5 13:44:58 firewall sshd[3620]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:45:06 firewall sshd[3622]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:45:23 firewall sshd[3626]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:45:47 firewall sshd[3632]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:46:47 firewall sshd[416]: Generating new 768 bit RSA key.
Mar 5 13:46:48 firewall sshd[416]: RSA key generation complete.
Mar 5 14:46:49 firewall sshd[416]: Generating new 768 bit RSA key.
Mar 5 14:46:49 firewall sshd[416]: RSA key generation complete.

It looks to me like this is coming from 211.192.192.181 but no other IP addresses have been reported.

Is there anywhere that SSH would log these besides /var/log/messages?

Anyone seen this sort of attack before?

--
Regards,
+-----------------------+---------------------------------+
| Peter Kiem            | E-Mail : <[EMAIL PROTECTED]>    |
| Zordah IT             | Mobile : +61 0414 724 766       |
| IT Consultancy &      | WWW    : www.zordah.net         |
| Internet Hosting      | ICQ    : "Zordah" 866661        |
+-----------------------+---------------------------------+

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
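Added example, not part of the original post: a small Python triage over a subset of the sshd lines quoted above. It tallies each disconnect reason with first and last time seen, and for the one line that names an address it estimates when that connection opened by subtracting an assumed LoginGraceTime of 600 seconds (check the host's sshd_config for the real value). The function names and the placeholder year are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Subset of the sshd lines quoted in the post above.
SAMPLE = """\
Mar 5 13:35:03 firewall sshd[3497]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:35:11 firewall sshd[3499]: Disconnecting: Corrupted check bytes on input.
Mar 5 13:36:52 firewall sshd[3524]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:38:47 firewall sshd[3537]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:44:47 firewall sshd[3494]: fatal: Timeout before authentication for 211.192.192.181.
Mar 5 13:45:06 firewall sshd[3622]: Disconnecting: crc32 compensation attack: network attack detected
Mar 5 13:46:47 firewall sshd[416]: Generating new 768 bit RSA key.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
TIMEOUT = re.compile(r"Timeout before authentication for (\d+(?:\.\d+){3})")
GRACE = timedelta(seconds=600)  # assumption: LoginGraceTime on this host

def parse(text):
    """Yield (time, pid, message) for each sshd syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # syslog carries no year; 2000 is an arbitrary placeholder
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def summarize(events):
    """Map each 'Disconnecting:' reason to [count, first_seen, last_seen]."""
    out = {}
    for ts, _pid, msg in events:
        if msg.startswith("Disconnecting: "):
            rec = out.setdefault(msg.removeprefix("Disconnecting: "), [0, ts, ts])
            rec[:] = [rec[0] + 1, min(rec[1], ts), max(rec[2], ts)]
    return out

def timed_out_sources(events):
    """Timeout lines are the only ones naming an IP; estimate connect time."""
    hits = ((TIMEOUT.search(msg), pid, ts) for ts, pid, msg in events)
    return [(m.group(1), pid, ts - GRACE) for m, pid, ts in hits if m]

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    for reason, (n, first, last) in summarize(events).items():
        print(f"{n:3d}  {first:%H:%M:%S}-{last:%H:%M:%S}  {reason}")
    for ip, pid, start in timed_out_sources(events):
        print(f"{ip} (pid {pid}) likely connected around {start:%H:%M:%S}")
```

Under the 600-second assumption the timed-out connection (pid 3494) opened at about 13:34:47, shortly before the first disconnect logged at 13:35:03.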