Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Illegal user ssh probes

from [mghofran] Network Security [Permanent Link]
Subject: RE: Illegal user ssh probes
Date: Tue, 28 Sep 2004 07:06:29 -0400 
I have seen the same behavior & monitoring it closely. I actually reported
the incidents to various "net abuse" departments without any success.

PS. Does anyone know how to allow/deny certain range of ips short of
installing other softwares just the same way as /var/adm/inetd.sec works in
HP_UX ?



Matthew Ghofrani
Boston, MA


-----Original Message-----
From: Frank Hamersley [mailto:terabite@bigpond.com]
Sent: Saturday, September 25, 2004 3:40 AM
To: Ssh List (E-mail)
Subject: Illegal user ssh probes


On examining /var/log/secure for several firewalls I manage remotely using
ssh I have observed a recurrent pattern of probing over the last several
that attempts to connect using user id's in the following order...

test / guest / admin / admin / user / test

We are using SSH 2 RSA key ONLY authentication ie. password based login is
not accepted, and none of these user profiles exist on the host so I am not
too concerned.

However I am wondering if anyone has characterised the probe and/or
performed a risk assessment/analysis?  The rate of probes is very low so I
don't think there is a DOS attack just yet!

Is it worth reporting the behaviour to the net block assignees in case they
aren't aware their server might be compromised?

Is anybody else seeing this?

Regards, Frank.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Illegal user ssh probes, mike
Next by Date:  Re: Illegal user ssh probes, Rob Hughes
Previous by Thread:  RE: Illegal user ssh probes, Frank Hamersley
Next by Thread:  RE: Illegal user ssh probes, Huijsmans, JCM (Jan)
Indexes:  [Date] [Thread] [Top] [All Lists]