
Re: More SSH 'trolling'



> 
>     Some questions:
> 
>     - Anyone else getting this?
> 
>     - Wouldn't these connections just get dumped because their forward
> and reverse addresses don't match?
> 
>     - Does anyone recognize these usernames?

Yeah, I have had this before from multiple IPs.  It seems to be a similar
script to the ones earlier using test and admin with an expanded
username list.  It also seems to me that they are system names,
variations of system names, and/or possible names that a user may use to
run a service.  

The safest bet for this is to make sure that any user in /etc/passwd and
/etc/shadow has their shell set to nologin that doesn't need SSH and
also to make sure that the FTP is disabled for them.  Make sure all your
users have secure passwords.  Hard to do, I understand.

I even get them on a Dynamic IP at home, well not lately since I
installed the FW/router, so it's not a targeted attack. 
-- 
Mike Ramirez <mike thexxxhost com>

Attachment: signature.asc
Description: This is a digitally signed message part
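
The check suggested in the reply above, as an added example that is not part of the original message: a shell function that joins passwd-format and shadow-format files and lists every account whose shell is not nologin/false, with the state of its password field. The function names, state labels and sample accounts are assumptions made for illustration; the sample data is constructed.

```shell
#!/bin/sh
# Added example. Prints "user<TAB>shell<TAB>state" for every account whose
# shell field is not nologin/false, joined with its shadow password field.
# Usage: audit_login_shells PASSWD_FILE SHADOW_FILE
audit_login_shells() {
    awk -F: '
        # First file (shadow): remember field 2, the password hash, per user.
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        # Second file (passwd): skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        {
            shell = $7
            if (shell ~ /(nologin|false)$/) next    # already non-interactive
            if (shell == "") shell = "/bin/sh"       # empty field = default shell
            if (!($1 in hash))             state = "no-shadow-entry"
            else if (hash[$1] == "")       state = "EMPTY-PASSWORD"
            else if (hash[$1] ~ /^[!*]/)   state = "locked"  # SSH keys may still work
            else                           state = "password-set"
            printf "%s\t%s\t%s\n", $1, shell, state
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from any real host).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1001:1001::/home/test:/bin/bash
admin:x:1002:1002::/home/admin:/bin/sh
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
ftp:x:14:50:FTP:/var/ftp:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
test:$6$constructed$notarealhash:19000:0:99999:7:::
admin::19000:0:99999:7:::
mysql:!!:19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
audit_login_shells "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a live system, run it as root with `audit_login_shells /etc/passwd /etc/shadow`; service accounts that appear in the output are the ones to move to a nologin shell.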

