[Sussex] unauthorised ssh attempts
Karl E. Jorgensen
karl at jorgensen.com
Fri Aug 20 13:16:35 UTC 2004
On Fri, Aug 20, 2004 at 07:24:15AM +0100, Tony Austin wrote:
> I have noticed quite a few of these in my logfiles:-
>
> current:Aug 20 06:30:54 [sshd] Failed password for illegal user test from
> 222.99.91.173 port 47112 ssh2
> current:Aug 20 06:30:57 [sshd] Failed password for illegal user guest from
> 222.99.91.173 port 47189 ssh2
> current:Aug 20 06:31:00 [sshd] Failed password for illegal user admin from
> 222.99.91.173 port 47263 ssh2
> current:Aug 20 06:31:02 [sshd] Failed password for illegal user admin from
> 222.99.91.173 port 47334 ssh2
> current:Aug 20 06:31:05 [sshd] Failed password for illegal user user from
> 222.99.91.173 port 47406 ssh2
> current:Aug 20 06:31:08 [sshd] Failed password for root from 222.99.91.173
> port 47473 ssh2
> current:Aug 20 06:31:10 [sshd] Failed password for root from 222.99.91.173
> port 47549 ssh2
> current:Aug 20 06:31:13 [sshd] Failed password for root from 222.99.91.173
> port 47625 ssh2
>
> Can someone explain the significance of the port numbers? I have port 22
> open for ssh plus 25 and a couple for vnc,

Don't leave VNC open - that is an insecure protocol. Tunnel it over ssh
instead.

> but everything else is blocked at the firewall and yet my server seems
> to be rejecting login attempts on other ports because of incorrect
> usernames and passwords.

The port number mentioned is the *source* port - i.e. the port number at
the other end. Not of any real significance.

I've noticed the same login attempts in the last month or so on two
different (~80 miles and several IP ranges apart) boxes. There's a lot
of it going about...

Perhaps there is a Linux distribution that has those users by default,
with known passwords? I dunno...

There's a thread about it on the debian-user mailing list that touches
on the subject too:
http://lists.debian.org/debian-security/2004/08/msg00116.html

Hope this helps

--
Karl E. Jørgensen
karl at jorgensen.com http://karl.jorgensen.com
==== Today's fortune:
Is your job running? You'd better go catch it!
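
The kind of log lines quoted above, run through a small parser (an added example, not part of the original message). It groups failed sshd logins by source address, ignoring the source port since that changes on every connection, and flags addresses with a burst of failures. The sample lines are constructed, using documentation address ranges; the threshold of 5 failures in 60 seconds and the user name alice are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd line format quoted in the thread; "invalid user" is the
# wording newer OpenSSH releases use in place of "illegal user".
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[sshd\] "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+)"
)

# Constructed sample input (documentation addresses, hypothetical user alice).
SAMPLE_LOG = """\
current:Aug 20 06:30:54 [sshd] Failed password for illegal user test from 192.0.2.10 port 47112 ssh2
current:Aug 20 06:30:57 [sshd] Failed password for illegal user guest from 192.0.2.10 port 47189 ssh2
current:Aug 20 06:31:00 [sshd] Failed password for illegal user admin from 192.0.2.10 port 47263 ssh2
current:Aug 20 06:31:05 [sshd] Failed password for root from 192.0.2.10 port 47473 ssh2
current:Aug 20 06:31:08 [sshd] Failed password for root from 192.0.2.10 port 47549 ssh2
current:Aug 20 09:12:40 [sshd] Failed password for alice from 203.0.113.7 port 51022 ssh2
current:Aug 20 14:03:11 [sshd] Failed password for alice from 203.0.113.7 port 50877 ssh2
current:Aug 20 14:03:19 [sshd] Accepted password for alice from 203.0.113.7 port 50877 ssh2
"""

def parse(log_text, year=2004):
    """Yield (timestamp, user, source_ip, source_port) per failed login."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"], int(m["sport"])

def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for sources with >= threshold failures in window."""
    by_ip = defaultdict(list)
    for ts, user, ip, sport in parse(log_text):
        by_ip[ip].append((ts, user, sport))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order, so a sliding window works
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[ip] = {
                    "attempts": len(events),
                    "users": sorted({u for _, u, _ in events}),
                    "source_ports": sorted({p for _, _, p in events}),
                }
                break
    return flagged
```

Calling find_bursts(SAMPLE_LOG) flags only 192.0.2.10; the two widely spaced failures from 203.0.113.7 stay below the threshold.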