Hi Peter,

Peter Beardsley wrote:
> Feb 12 20:00:37 xxx sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=xxxxxxxxxx
> Feb 12 20:00:55 xxx sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.72.153.69 user=xxxxxxxxxx
The good news is that according to this, they didn't get in. Personally, I would 1) make sure that all r* services are disabled, 2) don't use passwords, use public/private keypairs, 3) make sure you are up to date on all OpenSSH patches.

> Where the user in question was a user that was being used to ssh into
> this machine remotely, and the IP traces back to a Venezuelan ISP. So
> somehow s/he got the username. Has anyone seen anything like this
> before? BTW I require ssh v2 connections.

I see it all the time. Usernames are usually fairly easy to guess, especially on a mailserver if it's sendmail and VRFY and EXPN are enabled. Check your mail logs for a lot of 550's, then check the IP address against recent spam. Anything that wasn't rejected and returned to the sender is a potential username on a box running SSH *and* a mail server. Also, if you own the domain name of the box, a simple whois will turn up several potential usernames. There are literally hundreds of ways to get usernames. In theory. So I've heard ;-)

> I've read a little here and
> there about "monkey in the middle" attacks on ssh, but don't you have to
> be on the same subnet?

Nah.... They just have to be able to intercept your traffic, rebroadcast modified packets, then intercept the return traffic and modify that before rebroadcasting it. But it isn't an easy task. Besides, man-in-the-middle attacks usually involve an attempt at session-hijacking (also not an easy task), not a direct login attempt.

C-Ya,
Kenny

--
---------------------------------------------------
Kenneth E. Lussier
Geek by nature, Linux by choice
PGP KeyID C0D2BA57
Public key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0D2BA57
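The pam_unix lines quoted in the thread are a common thing to scan for when checking whether a host is being hammered with password guesses. Below is an added example (not code from the thread or from either poster) that parses both the single "authentication failure" line and pam_unix's "N more authentication failures" summary line, totals attempts per source address and account, and flags sources that cross a threshold. The log lines, host name, user names and addresses in it are constructed placeholders (RFC 5737 documentation ranges), not real data.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd(pam_unix) format quoted in the thread.
# Host, user names and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Feb 12 20:00:37 host1 sshd(pam_unix)[18540]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Feb 12 20:00:55 host1 sshd(pam_unix)[18540]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Feb 12 20:03:12 host1 sshd(pam_unix)[18602]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=bob
Feb 12 20:05:01 host1 sshd(pam_unix)[18640]: session opened for user bob by (uid=0)
"""

# One pattern covers the single-failure line and the summary line
# ("N more authentication failures"), which stands for N further attempts
# beyond the one already logged for that process.
FAILURE_RE = re.compile(
    r"sshd\(pam_unix\)\[\d+\]: (?:(?P<more>\d+) more )?authentication failures?;"
    r".*?rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)


def count_failures(log_text):
    """Return {(rhost, user): attempts}, expanding 'N more' summaries."""
    totals = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue  # session open/close and other lines are not failures
        attempts = int(m.group("more")) if m.group("more") else 1
        totals[(m.group("rhost"), m.group("user"))] += attempts
    return totals


def flag_sources(totals, threshold=3):
    """Source addresses whose total failed attempts reach the threshold."""
    per_host = Counter()
    for (rhost, _user), n in totals.items():
        per_host[rhost] += n
    return sorted(host for host, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    totals = count_failures(SAMPLE_LOG)
    for (rhost, user), n in sorted(totals.items()):
        print(f"{rhost:>15}  {user:<10} {n} failed attempt(s)")
    print("flagged:", flag_sources(totals))
```

Point it at /var/log/auth.log (or wherever your syslog sends authpriv) instead of SAMPLE_LOG; pairing the flagged addresses with the 550 checks Kenny describes is the quick way to tell a username-harvesting spammer from a stray typo.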