I've been seeing quite a bit of ssh bruteforce attacks which appear to be dictionary-based. That's fine; I have proper measures in place, such as key-only access, bruteforce tables for pf(4), and so on.

What caught my interest is that if I attempt to log in from a machine where I do not have my key, I see nothing logged about a failed publickey attempt. If I attempt with an invalid username, as expected, I see 'Invalid user foo from ${IP}.'

Is this to be expected? If so, I am curious why. Though I realize an attacker may not be able to see that a user is valid or invalid, might we want to know that a valid username is being used in an attack? (Unless, of course, the valid username is 'john'...)


Glen Barber
freebsd-questions@freebsd.org mailing list