This is common nowadays.
When you notice these attempts, do something by reporting these attempts to the Owner of these IP numbers. Email the owner of the IP numbers advising of these attempts.
How to determine the Owners of the IP numbers?
One way is to go to:
http://www.apnic.net
Then use the 'whois' query by entering the IP number of the subject. For example, one of the numbers in your log is: 203.145.172.175
The owner of this number is based in India.
You will find the phone number, email-address of the Owners (or Contact Person) of the IP numbers, etc., concerned.
If everyone does this, then the owners will be more attentive to these complaints, as it may result in prosecutions and severe penalties.
O Plameras
Joshua Bassett wrote:
Hi Sluggers,
I was going through my auth.log file the other day and noticed that someone (possibly several machines) are trying to login to my box using a variety of "canned" usernames. Looks like they're trying to bruteforce their way in...they try maybe 20 usernames per day.
Has anyone else experienced this?
Also, are they likely to try more cunning techniques (i.e. exploits) if this yields no results for them? Is there a way I can find the person behind this?
Any help would be greatly appreciated.
A snippet:
mybox:~# grep Illegal /var/log/auth.log
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:67.112.29.138
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:67.112.29.138
Apr 10 07:35:06 localhost sshd[9872]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:09 localhost sshd[9874]: Illegal user admin from ::ffff:67.112.29.138
Apr 10 07:35:12 localhost sshd[9876]: Illegal user user from ::ffff:67.112.29.138
Apr 10 07:35:22 localhost sshd[9884]: Illegal user test from ::ffff:67.112.29.138
Apr 10 10:33:57 localhost sshd[9918]: Illegal user patrick from ::ffff:203.145.172.175
Apr 10 10:33:58 localhost sshd[9920]: Illegal user patrick from ::ffff:203.145.172.175
Apr 10 10:34:09 localhost sshd[9932]: Illegal user rolo from ::ffff:203.145.172.175
Apr 10 10:34:10 localhost sshd[9934]: Illegal user iceuser from ::ffff:203.145.172.175
Apr 10 10:34:12 localhost sshd[9936]: Illegal user horde from ::ffff:203.145.172.175
Apr 10 10:34:14 localhost sshd[9938]: Illegal user cyrus from ::ffff:203.145.172.175
Apr 10 10:34:16 localhost sshd[9940]: Illegal user www from ::ffff:203.145.172.175
Apr 10 10:34:17 localhost sshd[9942]: Illegal user wwwrun from ::ffff:203.145.172.175
Apr 10 10:34:19 localhost sshd[9944]: Illegal user matt from ::ffff:203.145.172.175
Apr 10 10:34:21 localhost sshd[9946]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:22 localhost sshd[9948]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:24 localhost sshd[9950]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:26 localhost sshd[9952]: Illegal user test from ::ffff:203.145.172.175
Apr 10 10:34:31 localhost sshd[9958]: Illegal user operator from ::ffff:203.145.172.175
Apr 10 10:34:33 localhost sshd[9960]: Illegal user adm from ::ffff:203.145.172.175
Apr 10 10:34:34 localhost sshd[9962]: Illegal user apache from ::ffff:203.145.172.175
Apr 10 10:34:40 localhost sshd[9968]: Illegal user adm from ::ffff:203.145.172.175
Apr 10 10:34:46 localhost sshd[9976]: Illegal user jane from ::ffff:203.145.172.175
Apr 10 10:34:48 localhost sshd[9978]: Illegal user pamela from ::ffff:203.145.172.175
Apr 10 10:34:58 localhost sshd[9990]: Illegal user cosmin from ::ffff:203.145.172.175
Apr 10 10:36:02 localhost sshd[10064]: Illegal user cip52 from ::ffff:203.145.172.175
Apr 10 10:36:04 localhost sshd[10066]: Illegal user cip51 from ::ffff:203.145.172.175
Apr 10 10:36:07 localhost sshd[10070]: Illegal user noc from ::ffff:203.145.172.175
Apr 10 10:36:16 localhost sshd[10080]: Illegal user webmaster from ::ffff:203.145.172.175
Apr 10 10:36:17 localhost sshd[10082]: Illegal user data from ::ffff:203.145.172.175
Apr 10 10:36:19 localhost sshd[10084]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:21 localhost sshd[10086]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:23 localhost sshd[10088]: Illegal user user from ::ffff:203.145.172.175
Apr 10 10:36:24 localhost sshd[10090]: Illegal user web from ::ffff:203.145.172.175
Apr 10 10:36:26 localhost sshd[10092]: Illegal user web from ::ffff:203.145.172.175
Apr 10 10:36:28 localhost sshd[10094]: Illegal user oracle from ::ffff:203.145.172.175
Apr 10 10:36:30 localhost sshd[10096]: Illegal user sybase from ::ffff:203.145.172.175
Apr 10 10:36:31 localhost sshd[10098]: Illegal user master from ::ffff:203.145.172.175
Apr 10 10:36:33 localhost sshd[10100]: Illegal user account from ::ffff:203.145.172.175
Apr 10 10:36:36 localhost sshd[10104]: Illegal user server from ::ffff:203.145.172.175
Apr 10 10:36:38 localhost sshd[10106]: Illegal user adam from ::ffff:203.145.172.175
Apr 10 10:36:40 localhost sshd[10108]: Illegal user alan from ::ffff:203.145.172.175
Apr 10 10:36:42 localhost sshd[10110]: Illegal user frank from ::ffff:203.145.172.175
Apr 10 10:36:43 localhost sshd[10112]: Illegal user george from ::ffff:203.145.172.175
Apr 10 10:36:45 localhost sshd[10114]: Illegal user henry from ::ffff:203.145.172.175
Apr 10 10:36:47 localhost sshd[10116]: Illegal user john from ::ffff:203.145.172.175
Apr 10 10:36:57 localhost sshd[10128]: Illegal user test from ::ffff:203.145.172.175
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
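
Added example (not part of the original thread): a shell function that condenses "Illegal user" lines like those quoted above into one line per source address, giving the attempt count, distinct usernames and time window to put in a report to the address owner. The function names and the sample log lines are constructed for illustration; the sample uses documentation-range addresses.

```shell
#!/bin/sh
# Added example. Reads sshd auth.log lines on stdin and prints, per source IP:
#   <ip> attempts=N usernames=M first="<timestamp>" last="<timestamp>"
summarize_illegal_users() {
    awk '
    /sshd\[[0-9]+\]: Illegal user .* from / {
        # The username is chosen by the remote side and may itself contain
        # " from <something>", so trust only the LAST field as the address.
        ip = $NF
        sub(/^::ffff:/, "", ip)              # IPv4-mapped IPv6 -> plain IPv4
        user = substr($0, index($0, ": Illegal user ") + 15)
        sub(/ from [^ ]+$/, "", user)        # drop the trailing " from <ip>"
        ts = $1 " " $2 " " $3                # syslog timestamp (no year)
        if (!(ip in count)) { first[ip] = ts; order[++n] = ip }
        count[ip]++
        last[ip] = ts
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            printf "%s attempts=%d usernames=%d first=\"%s\" last=\"%s\"\n",
                   ip, count[ip], users[ip], first[ip], last[ip]
        }
    }'
}

# Constructed sample input (not taken from the log in the thread).
sample_log() {
    cat <<'EOF'
Apr 10 07:35:01 localhost sshd[9868]: Illegal user test from ::ffff:192.0.2.10
Apr 10 07:35:04 localhost sshd[9870]: Illegal user guest from ::ffff:192.0.2.10
Apr 10 07:35:06 localhost sshd[9872]: Illegal user test from ::ffff:192.0.2.10
Apr 10 10:33:57 localhost sshd[9918]: Illegal user a from 203.0.113.9 from ::ffff:198.51.100.7
Apr 10 10:34:00 localhost sshd[9920]: Accepted password for joshua from ::ffff:192.0.2.44 port 4022 ssh2
EOF
}

sample_log | summarize_illegal_users
```

On a real system, feed it the log directly, e.g. `summarize_illegal_users < /var/log/auth.log`; the first field of each output line is the address to look up with the whois query described in the reply. Syslog timestamps carry no year or time zone, so state both in any report you send.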
