Attempted SSH Logins

Bob Smith bob at netprt.com
Tue Aug 3 16:41:49 UTC 2004


If you do a dig -x, and then check some of the websites, you see that a 
lot of these are coming out of Korea and China.  I've had the same 
attempts on my systems and got curious.  Some were coming from the 
Chemistry department of one of the Universities in China.

Also, one of the accounts being tried here is "guest" which is a common 
Microsoft account.  Makes me wonder if they aren't looking to hack 
Windows systems.

-Bob

Jenkins, Jeremiah wrote:

>There are some script kiddies out there running automated attacks.  If you
>look at your secure log /var/log/secure, you will see that they try for a
>few times then move on.  If you google on the error message you will find
>numerous threads on the subject.
>
>-----Original Message-----
>From: Nathaniel Hall [mailto:halln at otc.edu]
>Sent: Tuesday, August 03, 2004 12:23 PM
>To: redhat-list at redhat.com
>Subject: Attempted SSH Logins
>
>
>Hi all.
>
>I have been monitoring our logs over the past several weeks using logwatch
>and have noticed several of these entries (known entries omitted):
>
>sshd:
>   Invalid Users:
>      Unknown Account: 5 Time(s)
>   Authentication Failures:
>      test (server.bes1.com ): 2 Time(s)
>      root (server.bes1.com ): 3 Time(s)
>      unknown (server.bes1.com ): 4 Time(s)
>
>The source addresses vary.  I always see the same accounts from different
>addresses with a different number of tries.  When I see these, there is only
>one source, never a mix of sources.  The next day, it might be a different
>source, but it is the only one.
>
>Is anybody else seeing this in their logs where I shouldn't be as worried or
>is this directed at us?
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~
>Nathaniel Hall
>Intrusion Detection and Firewall Technician
>Ozarks Technical Community College -- Office of Computer Networking
>
>halln at otc.edu
>417-799-0552
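
Added example, not part of the original thread: a triage script for the pattern discussed above, grouping failed sshd logins from /var/log/secure by day and source and separating short sweeps of generic names from guesses at real local accounts. The log line layout, the 20-attempt cut-off, the "real account" heuristic and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

GENERIC_ACCOUNTS = {"root", "test", "guest"}  # names mentioned in the thread
MAX_SWEEP_ATTEMPTS = 20                       # assumed cut-off, tune per site

# sshd failure line in /var/log/secure. Older OpenSSH writes "illegal user",
# newer writes "invalid user", for names that do not exist on the host.
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def summarise(lines):
    """Group failed sshd logins by (day, source address)."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "real": set()})
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                      # accepted logins, other daemons
        entry = stats[(" ".join(m["day"].split()), m["src"])]
        entry["attempts"] += 1
        entry["accounts"].add(m["user"])
        # A name sshd did not mark unknown exists locally; outside the generic
        # list it means the sender guessed a real account on this host.
        if not m["unknown"] and m["user"] not in GENERIC_ACCOUNTS:
            entry["real"].add(m["user"])
    return dict(stats)

def classify(entry):
    """'sweep' = few tries at generic names; 'review' = worth a closer look."""
    if entry["real"] or entry["attempts"] > MAX_SWEEP_ATTEMPTS:
        return "review"
    return "sweep"

def sources_per_day(stats):
    """Map each day to the set of sources seen, to check the one-source pattern."""
    days = defaultdict(set)
    for day, src in stats:
        days[day].add(src)
    return dict(days)

SAMPLE = [  # constructed log lines, documentation address ranges
    "Aug  3 12:01:05 mail sshd[2101]: Failed password for illegal user test from 203.0.113.7 port 40122 ssh2",
    "Aug  3 12:01:08 mail sshd[2103]: Failed password for root from 203.0.113.7 port 40131 ssh2",
    "Aug  3 12:01:11 mail sshd[2105]: Failed password for illegal user guest from 203.0.113.7 port 40140 ssh2",
    "Aug  3 14:20:00 mail sshd[2200]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Aug  4 03:15:42 mail sshd[3001]: Failed password for jsmith from 198.51.100.23 port 33871 ssh2",
]

if __name__ == "__main__":
    for key, entry in summarise(SAMPLE).items():
        print(key, entry["attempts"], sorted(entry["accounts"]), classify(entry))
```

To run it against a live host, pass the lines of /var/log/secure to `summarise()` in place of `SAMPLE`.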




