-   Linux - Security (
-   -   /var/log/messages shows failed login attempts... (

plan9 08-06-2004 03:08 PM

/var/log/messages shows failed login attempts...
Hey there,

I have been looking through my /var/log/messages file and have found that some ppl. out there are trying to connect to my slack box. It kinda pisses me off that there are ppl. trying to log as root! Should I try to contact the persons isp? How do you find a isp with just a ip address? whois doesn't seem to be doing it.

here's a snip of the log:

mingus -- MARK --
mingus sshd[2252]: Illegal user test from
mingus sshd[2252]: Failed password for illegal user test from port 44498 ssh2
mingus sshd[2254]: Illegal user guest from
mingus sshd[2254]: Failed password for illegal user guest from port 44551 ssh2
mingus sshd[2256]: Illegal user admin from
mingus sshd[2256]: Failed password for illegal user admin from port 44610 ssh2
mingus sshd[2258]: Illegal user admin from
mingus sshd[2258]: Failed password for illegal user admin from port 44691 ssh2
mingus sshd[2260]: Illegal user user from
mingus sshd[2260]: Failed password for illegal user user from port 44741 ssh2
mingus sshd[2262]: Failed password for root from port 44817 ssh2
mingus sshd[2264]: Failed password for root from port 44866 ssh2
mingus sshd[2266]: Failed password for root from port 44918 ssh2
mingus sshd[2268]: Illegal user test from
mingus sshd[2268]: Failed password for illegal user test from port 44997 ssh2
mingus -- MARK --

rgiggs 08-06-2004 03:19 PM

i think you can do:

traceroute <ip address>

win32sux 08-06-2004 03:31 PM

blocking remote root access gives you an additional layer of security...

make sure you have "PermitRootLogin no" in your /etc/ssh/sshd_config

then you can let them try to login as root all they want... they'll get "permission denied" even if they actually guess your correct root password...


cli_man 08-06-2004 05:07 PM

There has been alot of activity like this happening in the last couple of weeks I have noticed, I run the servers for my local ISP and have noticed them scanning trying to log it, it comes from a compleatly different set of ip's each day though so it doesn't help much to trace it, I think it looks like an automated exploit someone is useing trying common passwords.

I for one have blocked all port 22 incoming except to a couple of ip's in my network and then those can only come from my house and a couple of other known places people need to come in from. I haven't seen any of those login attempts since

btmiller 08-06-2004 08:22 PM

Yeah, I've been noticing a lot of these on servers I run too. You can try to contact the ISP in question (if you go to ARIN they have a mechanism to look up who owns a particular block of IPs), but given that the attempts are probably coming from a box that has itself been cracked some time ago, you're unlikely to ever be able to track down the perpetrators.

Just so long as you don't do something stupid like have a passwordless guest account or a weak root password, these automated attacks aren't likely to do much harm.

PhrozenFear 08-06-2004 11:16 PM

Sorry to sound stupid, but where does one go to set up certain IP's to have access while others don't ?

Running a bastardized RedHat 9 for HAM radio.



ppuru 08-07-2004 09:42 AM

Follow this link...

plan9 08-08-2004 12:22 PM


I have foot login disabled in the sshd.config file, thanks tho'.

I was thinking that it looks like a script or a program too- as the login accounts are the same and often times they are tried in the same order, ie: test, admin, guest, and root. It definately looks like some sort of script to me.

a nmap of my system shows no open ports... i am curious how they found me? Do you think that the script/program searches class c's?



win32sux 08-08-2004 12:52 PM

by scanning for port 22...

All times are GMT -5. The time now is 03:03 AM.