[SWLUG] Possible SSH Attack
Jon Reynolds
maillist at jcrdevelopments.com
Thu Jul 14 21:22:56 UTC 2011
Hi folks,
Am a bit naive when it comes to these things, but looking through just
the last few days of auth.log I see lots of this:
Jul 10 16:17:30 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jul 10 16:20:04 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jul 10 16:20:12 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jul 10 16:20:51 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=www-data
Jul 10 16:21:15 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=nobody
Jul 10 16:21:22 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jul 10 16:21:29 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=backup
Jul 10 16:22:35 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=news
Jul 10 16:22:48 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=games
Jul 10 16:23:01 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=mail
Jul 10 16:24:32 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=sshd
Jul 10 16:24:55 jcrdevelopments authdaemond: pam_unix(pop3:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bin
I am of course wondering if this is some sort of brute force attack,
where someone is trying to log in with any possible user name....
Is there anything I can do? Should I be worried? I use ssh keys to
log in, but I have left password auth on in case I lose the keys :)
...maybe this is just normal?
Thanks in advance.
--
Jon Reynolds (j0nr)
http://www.jcrdevelopments.com
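As an added illustration (not part of the original post): the excerpt above comes from pam_unix(pop3:auth) via authdaemond, so it is the POP3 service, not sshd, that is seeing the failures, and the rhost= field is empty, so the log itself does not say where they came from. The small Python check below parses such lines and, per PAM service, flags a short window of failures spread over several distinct user names, which is what a password spray looks like in auth.log. The sample lines are constructed to match the excerpt's format; the sshd line, its PID and the address 192.0.2.10 are made up for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches pam_unix failure lines as written to auth.log (syslog timestamp, host, process, fields).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure; (?P<fields>.*)$"
)

def parse_line(line, year=2011):
    """Return a dict for a pam_unix failure line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())  # empty values stay ""
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "service": m.group("service"),
            "user": fields.get("user", ""), "rhost": fields.get("rhost", "")}

def find_bursts(lines, window_s=600, min_failures=5, min_users=3):
    """Per PAM service, report the first window of at most window_s seconds holding >= min_failures
    failures against >= min_users distinct user names: (service, first_ts, last_ts, count, users)."""
    by_service = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_service[ev["service"]].append(ev)
    alerts = []
    for service, evs in by_service.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                alerts.append((service, evs[start]["ts"], evs[end]["ts"], len(window), sorted(users)))
                break  # one alert per service is enough to answer "is this a spray?"
    return alerts

def _pop3(ts, user):  # constructed lines in the exact shape of the excerpt above
    return (f"Jul 10 {ts} jcrdevelopments authdaemond: pam_unix(pop3:auth): "
            f"authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user={user}")

SAMPLE_LOG = [_pop3(t, u) for t, u in [("16:17:30", "root"), ("16:20:04", "root"),
              ("16:20:12", "root"), ("16:20:51", "www-data"), ("16:21:15", "nobody"),
              ("16:21:22", "root")]] + [
    # constructed: a lone sshd failure (192.0.2.10 is a documentation address), not a burst
    "Jul 10 18:00:00 jcrdevelopments sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=jon"]
```

Calling find_bursts(SAMPLE_LOG) reports one pop3 window of five failures across root, www-data and nobody and nothing for sshd; run it over the real auth.log with open(...).readlines() to see which services are actually being hit.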