LinuxQuestions.org - Linux - Security
Just recently, I've been seeing a number of attempts to log into my box, using the user "admin".
These are not part of the usual brute force attacks that I see, when they try hundreds of user names. These are just a single attempt, always with "admin".
Is there some new exploit that they're trying to use?
Could be an MS guy, expecting admin to exist instead of 'root'.
Alternatively, I believe some people create an admin with root privs user so they can happily block remote root logins, but still get superuser work done.
It's an obvious choice of name for an alternate, e.g. something like 'mgr'.
System-level accounts can actually be given any name. The name of the account shouldn't define the severity of the attack.
I'd be concerned whether it was 'admin', 'root', or 'httpd'. This is more than likely an automated brute-forcing attempt. It's looking for all combinations of usernames and passwords, more than likely. Not all such attacks look for default usernames and passwords. Some actually run dictionary attacks (which are more exhaustive, but slower in duration). It depends on the persistence of the attack.
This is why I always use key-based authentication. The attacker can guess all they want, but their attempts are rejected when they don't present the proper key.
It's looking for all combinations of usernames and passwords, more than likely. Not all such attacks look for default usernames and passwords.
That's what I'm more used to, where it tries hundreds, or thousands of names. None of which are ever going to work, because I only allow "public key", and disable password authentication.
It's just this sudden spate of "single" attempts that I find strange.
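The thread turns on two things: telling single-shot "admin" probes apart from the usual username-spraying brute force in the auth log, and making sure sshd really has password authentication switched off so neither kind can succeed. The script below is an added example written for this post, not code from any of the participants. It parses OpenSSH "Failed password" lines from a constructed sample log (the hosts, addresses and times are made up for the example), groups attempts by source address, labels each source as a probe, a repeat or a brute-force run, and checks an sshd_config snippet for the effective `PasswordAuthentication` value. The threshold of three attempts and the labels are the example's own choices.

```python
"""Classify failed SSH logins and check sshd_config for password auth.

Added example for the thread above. The log lines and config snippets are
constructed sample input, not taken from any real host.
"""
import re
from collections import defaultdict

# OpenSSH logs "Failed password for invalid user <name>" when the account does
# not exist locally and "Failed password for <name>" when it does.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: two single-shot 'admin' probes and one spraying run.
SAMPLE_LOG = """\
Mar  3 02:11:09 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 02:11:10 host sshd[1201]: Connection closed by 198.51.100.7 port 51022 [preauth]
Mar  3 02:14:41 host sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40013 ssh2
Mar  3 02:20:02 host sshd[1222]: Failed password for root from 192.0.2.44 port 58800 ssh2
Mar  3 02:20:03 host sshd[1222]: Failed password for root from 192.0.2.44 port 58800 ssh2
Mar  3 02:20:05 host sshd[1224]: Failed password for invalid user oracle from 192.0.2.44 port 58802 ssh2
Mar  3 02:20:07 host sshd[1226]: Failed password for invalid user test from 192.0.2.44 port 58804 ssh2
Mar  3 02:20:08 host sshd[1228]: Failed password for invalid user guest from 192.0.2.44 port 58806 ssh2
"""


def parse_failures(log_text):
    """Return {source_ip: [usernames tried, in log order]}."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def classify(attempts, brute_threshold=3):
    """Label each source: 'probe' for a single attempt, 'brute-force' once
    the attempt count reaches brute_threshold, otherwise 'repeat'."""
    labels = {}
    for ip, users in attempts.items():
        if len(users) == 1:
            labels[ip] = "probe"
        elif len(users) >= brute_threshold:
            labels[ip] = "brute-force"
        else:
            labels[ip] = "repeat"
    return labels


def probe_usernames(attempts, labels):
    """Usernames seen only in single-shot probes (the poster's 'admin' case)."""
    return {attempts[ip][0] for ip, label in labels.items() if label == "probe"}


def password_auth_disabled(sshd_config_text):
    """True if the effective PasswordAuthentication value is 'no'.

    sshd uses the first value it reads for a keyword, so the first match wins.
    Match blocks are not modelled here; a commented-out line does not count.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "no"
    return False  # OpenSSH's compiled-in default is 'yes'


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    labels = classify(found)
    for ip, label in labels.items():
        print(f"{ip:15} {label:12} {found[ip]}")
    print("probe-only usernames:", probe_usernames(found, labels))
    print("password auth off:", password_auth_disabled("PasswordAuthentication no\n"))
```

Run it against a real `/var/log/auth.log` by reading the file into `parse_failures` instead of `SAMPLE_LOG`; on a host where password authentication is already off, the "Failed password" lines disappear and the probes show up only as pre-auth disconnects, which is the state the last two posts describe.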