Joshua Bassett wrote:
Hi Sluggers,

I was going through my auth.log file the other day and noticed that
someone (possibly several machines) is trying to log in to my box
using a variety of "canned" usernames. Looks like they're trying to
brute-force their way in... they try maybe 20 usernames per day.

Has anyone else experienced this?

Also, are they likely to try more cunning techniques (i.e. exploits) if
this yields no results for them? Is there a way I can find the person
behind this?

Any help would be greatly appreciated.

A snippet:

mybox:~# grep Illegal /var/log/auth.log
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:67.112.29.138
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:67.112.29.138
Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:09 localhost sshd[9874]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:12 localhost sshd[9876]: Illegal user user from ::ffff:67.112.29.138
Apr 10 07:35:22 localhost sshd[9884]: Illegal user test from ::ffff:67.112.29.138
Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from

<SNIP>

I get them on all but one of the internet facing machines I manage. Started sometime thru last year.

Fil
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
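
The grep in the thread above shows individual probes; the following added example (not part of the original messages) summarises them per source address so repeat offenders stand out. It goes beyond the format in the snippet by also accepting the "Invalid user ... port N" wording of newer OpenSSH; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd "Illegal user" probes
# per source address. Reads auth.log lines on stdin.
# Usage: summarize_illegal_users [MIN_ATTEMPTS] < /var/log/auth.log
# Output: "<address> <attempts> <distinct usernames>", busiest source first.
summarize_illegal_users() {
    awk -v min="${1:-1}" '
    /sshd\[[0-9]+\]: (Illegal|Invalid) user / {
        p = 0; f = 0
        for (i = 1; i <= NF; i++) {
            if (!p && $i ~ /^sshd\[[0-9]+\]:$/) p = i
            # Keep the LAST "from": the username is chosen by the remote
            # client and may itself contain the word.
            if ($i == "from") f = i
        }
        u = p + 2                       # position of the "user" keyword
        if (!p || $u != "user" || f <= u || f == NF) next  # malformed or truncated
        name = ""
        for (i = u + 1; i < f; i++) name = (i == u + 1) ? $i : name " " $i
        addr = $(f + 1)
        sub(/^::ffff:/, "", addr)       # IPv4-mapped IPv6 -> plain IPv4
        attempts[addr]++
        if (!((addr, name) in seen)) { seen[addr, name] = 1; users[addr]++ }
    }
    END {
        for (a in attempts)
            if (attempts[a] >= min) print a, attempts[a], users[a]
    }' | sort -k2,2nr -k1,1
}

# Constructed sample lines (documentation addresses): the old format, a newer
# "Invalid user ... port N" line, a username containing " from ", and a
# truncated line that must be skipped.
sample_log() {
    cat <<'EOF'
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:192.0.2.10
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:192.0.2.10
Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:192.0.2.10
Apr 10 07:35:09 localhost sshd[9874]: Illegal user admin from ::ffff:192.0.2.10
Apr 10 09:12:40 localhost sshd[9901]: Invalid user oracle from 198.51.100.7 port 40022
Apr 10 09:12:44 localhost sshd[9903]: Illegal user a from b from 198.51.100.7
Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from
EOF
}

sample_log | summarize_illegal_users 2
```

The per-address counts can feed a firewall or rate-limit decision; the threshold argument is a tuning choice, not a value from the thread.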
