Sure, but what do you plan to do with the data? Rather, how do you plan to analyze it? It seems to me that this could be done without knowing what passwords are tried.
The data lined up pretty well last night, when I discovered the first ssh scan; I had to remove some blank lines from /etc/ssh-log (probably from my own testing), remove my own password from the bottom (I was scp'ing files from the machine), and remove some other cruft I had left behind (from testing that password authentication is forced). But it will probably not line up nearly as well once, for example, auth.log gets rotated, or I log in from an uncommon machine which doesn't have RSA access, and I mistype my password.

Justin

On Mon, Jun 20, 2005 at 10:15:18PM -0700, Greg Webster wrote:
> Hi Justin,
>
> Part of what I'd like to (dis)prove is that they are making a 'second
> run' from this or another machine to hit the accounts that it believes
> are valid...any chance you could keep your testing up for a while?
>
> On Mon, 2005-20-06 at 23:15 -0400, Justin Pryzby wrote:
> > Included is a list of usernames and corresponding passwords used in an
> > ssh scan I observed. It indicates to me that it is trying
> > statistically common (aka dumb) passwords on common usernames; I see
> > no evidence of an attempt to measure timings to discover valid
> > accounts.
> >
> > Starred accounts are invalid users.

