[Sussex] unauthorised ssh attempts

Karl E. Jorgensen karl at jorgensen.com
Fri Aug 20 13:16:35 UTC 2004

On Fri, Aug 20, 2004 at 07:24:15AM +0100, Tony Austin wrote:
> I have noticed quite a few of these in my logfiles:-
> current:Aug 20 06:30:54 [sshd] Failed password for illegal user test from
> port 47112 ssh2
> current:Aug 20 06:30:57 [sshd] Failed password for illegal user guest from
> port 47189 ssh2
> current:Aug 20 06:31:00 [sshd] Failed password for illegal user admin from
> port 47263 ssh2
> current:Aug 20 06:31:02 [sshd] Failed password for illegal user admin from
> port 47334 ssh2
> current:Aug 20 06:31:05 [sshd] Failed password for illegal user user from
> port 47406 ssh2
> current:Aug 20 06:31:08 [sshd] Failed password for root from
> port 47473 ssh2
> current:Aug 20 06:31:10 [sshd] Failed password for root from
> port 47549 ssh2
> current:Aug 20 06:31:13 [sshd] Failed password for root from
> port 47625 ssh2
> Can someone explain the significance of the port numbers?  I have port 22
> open for ssh plus 25 and a couple for vnc, 

Don't leave VNC open - that is an insecure protocol. Tunnel it over ssh

> but everything else is blocked at the firewall and yet my server seems
> to be rejecting login attempts on other ports because of incorrect
> usernames and passwords.

The port number mentioned is the *source* port - i.e. the port number at
the other end. Not of any real significance.

I've noticed the same login attempts in the last month or so on two
different (~80 miles and several ip ranges apart) boxes.  There's a lot
of it going about...

Perhaps there is a linux distribution that have those users by default?
with known passwords?  I dunno...

There's a thread about it on the debian-user mailing list that touches
on the subject too:


Hope this helps
Karl E. Jørgensen
karl at jorgensen.com   http://karl.jorgensen.com
==== Today's fortune:
Is your job running?  You'd better go catch it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://mailman.lug.org.uk/pipermail/sussex/attachments/20040820/873bb2b8/attachment.pgp 

More information about the Sussex mailing list