Funny you should mention it but: grep Invalid /var/log/auth.log yields

Apr 10 07:05:36 islay sshd[3403]: Invalid user t from ::ffff:211.30.136.xxx
Apr 10 13:00:41 islay sshd[3823]: Invalid user test from ::ffff:61.144.122.39
Apr 12 00:05:59 islay sshd[4048]: Invalid user test from ::ffff:202.82.195.xxx
Apr 12 00:06:01 islay sshd[4050]: Invalid user guest from ::ffff:202.82.195.xxx
Apr 12 00:06:04 islay sshd[4052]: Invalid user admin from ::ffff:202.82.195.xxx
Apr 12 00:06:06 islay sshd[4054]: Invalid user admin from ::ffff:202.82.195.xxx
Apr 12 00:06:07 islay sshd[4056]: Invalid user user from ::ffff:202.82.195.xxx
Apr 12 00:06:14 islay sshd[4064]: Invalid user test from ::ffff:202.82.195.xxx
Apr 12 00:06:17 islay sshd[4066]: Invalid user test from ::ffff:202.82.195.xxx
Apr 12 00:06:19 islay sshd[4068]: Invalid user test from ::ffff:202.82.195.xxx
Apr 12 00:06:21 islay sshd[4070]: Invalid user test from ::ffff:202.82.195.xxx

All the latter accesses are from the same IP address too... Hmmm.

Rob.

On Apr 12, 2005 4:51 PM, Joshua Bassett <[EMAIL PROTECTED]> wrote:
> Hi Sluggers,
>
> I was going through my auth.log file the other day and noticed that
> someone (possibly several machines) are trying to login to my box
> using a variety of "canned" usernames. Looks like they're trying to
> bruteforce their way in...they try maybe 20 usernames per day.
>
> Has anyone else experienced this?
>
> Also, are they likely to try more cunning techniques (ie. exploits) if
> this yields no results for them? Is there a way I can find the person
> behind this?
>
> Any help would be greatly appreciated.
>
> A snippet:
>
> mybox:~# grep Illegal /var/log/auth.log
> Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:67.112.29.138
> Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:67.112.29.138
> Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:67.112.29.138
> Apr 10 07:35:09 localhost sshd[9874]: Illegal user admin from ::ffff:67.112.29.138
> Apr 10 07:35:12 localhost sshd[9876]: Illegal user user from ::ffff:67.112.29.138
> Apr 10 07:35:22 localhost sshd[9884]: Illegal user test from ::ffff:67.112.29.138
> Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from ::ffff:203.145.172.175
> Apr 10 10:33:58 localhost sshd[9920]: Illegal user patrick from ::ffff:203.145.172.175
> Apr 10 10:34:09 localhost sshd[9932]: Illegal user rolo from ::ffff:203.145.172.175
> Apr 10 10:34:10 localhost sshd[9934]: Illegal user iceuser from ::ffff:203.145.172.175
> Apr 10 10:34:12 localhost sshd[9936]: Illegal user horde from ::ffff:203.145.172.175
> Apr 10 10:34:14 localhost sshd[9938]: Illegal user cyrus from ::ffff:203.145.172.175
> Apr 10 10:34:16 localhost sshd[9940]: Illegal user www from ::ffff:203.145.172.175
> Apr 10 10:34:17 localhost sshd[9942]: Illegal user wwwrun from ::ffff:203.145.172.175
> Apr 10 10:34:19 localhost sshd[9944]: Illegal user matt from ::ffff:203.145.172.175
> Apr 10 10:34:21 localhost sshd[9946]: Illegal user test from ::ffff:203.145.172.175
> Apr 10 10:34:22 localhost sshd[9948]: Illegal user test from ::ffff:203.145.172.175
> Apr 10 10:34:24 localhost sshd[9950]: Illegal user test from ::ffff:203.145.172.175
> Apr 10 10:34:26 localhost sshd[9952]: Illegal user test from ::ffff:203.145.172.175
> Apr 10 10:34:31 localhost sshd[9958]: Illegal user operator from ::ffff:203.145.172.175
> Apr 10 10:34:33 localhost sshd[9960]: Illegal user adm from ::ffff:203.145.172.175
> Apr 10 10:34:34 localhost sshd[9962]: Illegal user apache from ::ffff:203.145.172.175
> Apr 10 10:34:40 localhost sshd[9968]: Illegal user adm from ::ffff:203.145.172.175
> Apr 10 10:34:46 localhost sshd[9976]: Illegal user jane from ::ffff:203.145.172.175
> Apr 10 10:34:48 localhost sshd[9978]: Illegal user pamela from ::ffff:203.145.172.175
> Apr 10 10:34:58 localhost sshd[9990]: Illegal user cosmin from ::ffff:203.145.172.175
> Apr 10 10:36:02 localhost sshd[10064]: Illegal user cip52 from ::ffff:203.145.172.175
> Apr 10 10:36:04 localhost sshd[10066]: Illegal user cip51 from ::ffff:203.145.172.175
> Apr 10 10:36:07 localhost sshd[10070]: Illegal user noc from ::ffff:203.145.172.175
> Apr 10 10:36:16 localhost sshd[10080]: Illegal user webmaster from ::ffff:203.145.172.175
> Apr 10 10:36:17 localhost sshd[10082]: Illegal user data from ::ffff:203.145.172.175
> Apr 10 10:36:19 localhost sshd[10084]: Illegal user user from ::ffff:203.145.172.175
> Apr 10 10:36:21 localhost sshd[10086]: Illegal user user from ::ffff:203.145.172.175
> Apr 10 10:36:23 localhost sshd[10088]: Illegal user user from ::ffff:203.145.172.175
> Apr 10 10:36:24 localhost sshd[10090]: Illegal user web from ::ffff:203.145.172.175
> Apr 10 10:36:26 localhost sshd[10092]: Illegal user web from ::ffff:203.145.172.175
> Apr 10 10:36:28 localhost sshd[10094]: Illegal user oracle from ::ffff:203.145.172.175
> Apr 10 10:36:30 localhost sshd[10096]: Illegal user sybase from ::ffff:203.145.172.175
> Apr 10 10:36:31 localhost sshd[10098]: Illegal user master from ::ffff:203.145.172.175
> Apr 10 10:36:33 localhost sshd[10100]: Illegal user account from ::ffff:203.145.172.175
> Apr 10 10:36:36 localhost sshd[10104]: Illegal user server from ::ffff:203.145.172.175
> Apr 10 10:36:38 localhost sshd[10106]: Illegal user adam from ::ffff:203.145.172.175
> Apr 10 10:36:40 localhost sshd[10108]: Illegal user alan from ::ffff:203.145.172.175
> Apr 10 10:36:42 localhost sshd[10110]: Illegal user frank from ::ffff:203.145.172.175
> Apr 10 10:36:43 localhost sshd[10112]: Illegal user george from ::ffff:203.145.172.175
> Apr 10 10:36:45 localhost sshd[10114]: Illegal user henry from ::ffff:203.145.172.175
> Apr 10 10:36:47 localhost sshd[10116]: Illegal user john from ::ffff:203.145.172.175
> Apr 10 10:36:57 localhost sshd[10128]: Illegal user test from ::ffff:203.145.172.175
>
> --
> nullobject
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>

--
Rob Sharp
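
The per-source pattern both posters pick out by eye from their grep output can be summarized automatically. This is an added example, not part of the original thread: it groups rejected-username lines (both the "Invalid user" and "Illegal user" wordings) by source and flags bursts. The host name, addresses, thresholds and the year default are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The thread shows both sshd wordings: "Invalid user" and "Illegal user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?:Invalid|Illegal) user (?P<user>\S*) from (?P<src>\S+)")

def parse(lines, year):
    """Yield (timestamp, user, source) for each rejected-username line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            # Drop the IPv4-mapped IPv6 prefix; masked octets ("xxx") pass through.
            src = re.sub(r"(?i)^::ffff:", "", m["src"])
            yield ts, m["user"], src

def summarize(lines, year=2005, burst=5, window=timedelta(minutes=2)):
    """Per source: attempts, usernames tried, busiest window, burst flag."""
    by_src = defaultdict(list)
    for ts, user, src in parse(lines, year):
        by_src[src].append((ts, user))
    report = {}
    for src, events in by_src.items():
        times = sorted(t for t, _ in events)
        peak = lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[src] = {"attempts": len(times), "peak": peak, "burst": peak >= burst,
                       "usernames": sorted({u for _, u in events})}
    return report

# Constructed sample lines (documentation addresses, hypothetical host name).
SAMPLE = """\
Apr 10 07:35:01 examplehost sshd[9001]: Illegal user test from ::ffff:192.0.2.10
Apr 10 07:35:04 examplehost sshd[9003]: Illegal user guest from ::ffff:192.0.2.10
Apr 10 07:35:06 examplehost sshd[9005]: Illegal user admin from ::ffff:192.0.2.10
Apr 10 07:35:09 examplehost sshd[9007]: Illegal user admin from ::ffff:192.0.2.10
Apr 10 07:35:12 examplehost sshd[9009]: Illegal user user from ::ffff:192.0.2.10
Apr 12 00:05:59 examplehost sshd[9200]: Invalid user test from ::ffff:203.0.113.xxx
Apr 12 00:09:30 examplehost sshd[9202]: Invalid user guest from ::ffff:203.0.113.xxx
Apr 12 00:10:00 examplehost sshd[9210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a real host, pass the lines of /var/log/auth.log instead of SAMPLE and set `year` to the year the log covers.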
