> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmas...@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from [u2fsdgvkx19g32yzvkmsqkl+mouwitiloicy4iq9oq...@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmas...@dns.cablecentro.net.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP...

Are you running Fail2ban or similar?

Rgs,
Adam
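
An added example, not part of either message above: a small Python parser for `refused connect from` lines in the format quoted in this thread. It separates an optional `user@` part from the host, checks whether the host is an IP literal or a name, and tallies refusals per host. The sample lines are constructed (documentation address ranges and example.net), and the line format is assumed from the excerpt.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the quoted format; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 18 20:19:48 [sshd] refused connect from someuser@host.example.net
Mar 18 23:42:44 [sshd] refused connect from 192.0.2.107
Mar 18 23:44:44 [sshd] refused connect from [opaque+token]@192.0.2.107
Mar 19 02:41:09 [sshd] refused connect from 203.0.113.66
"""

# Assumed layout: "<Mon> <day> <HH:MM:SS> [sshd] refused connect from <client>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\[sshd\]\srefused connect from\s(?P<client>\S+)$"
)

def parse_client(client):
    """Split the client field into (user_part or None, host, 'ip' or 'name')."""
    user, sep, host = client.rpartition("@")
    user = user if sep else None
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "name"
    return user, host, kind

def summarize(log_text):
    """Return (refusals per host, entries whose client field has a user@ part)."""
    counts, with_user = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a refused-connect line in the assumed format
        user, host, kind = parse_client(m.group("client"))
        counts[host] += 1
        if user is not None:
            with_user.append((m.group("ts"), user, host, kind))
    return counts, with_user

if __name__ == "__main__":
    counts, with_user = summarize(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{n:3d}  {host}")
    for ts, user, host, kind in with_user:
        print(f"{ts}  user part {user!r} on {kind} {host}")
```

Grouping by host rather than by the raw client field keeps the same source together whether or not a `user@` prefix is logged.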