[wplug] detecting a break-in (was: Any tips against this kind of ssh break-in?)

Dane Miller dane at olneyfriends.org
Fri Jul 15 11:16:18 EDT 2005


This thread made me check my firewall logs.  I also see many "illegal
user" messages in auth.log showing all the usernames that these
attackers are guessing (michaeljordan was the funniest).  But I'm
suspicious because "root" was never guessed, even though ssh was set to
allow root login.

Isn't that odd?  Wouldn't you expect root to be the first account for
attackers to hit?

...Unless someone did hit root, broke the password (which is complex,
but not terribly long), and erased all trace from the logs.  Is this far-fetched?  How would I know?

Dane

Russ Schneider wrote:
> When he/she guessed the right user (like root, which is obvious), the logs 
> show "Failed password for root".  When the username used didn't exist on 
> my box, the logs show "Failed password for illegal user".
> 
>  
> 
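The two log line shapes Russ describes ("Failed password for root" versus "Failed password for illegal user") are easy to tally, and doing so answers Dane's first question directly: which accounts were tried, and whether root was among them. The script below is an added example for this thread, not code from either poster. It parses constructed sshd syslog lines (the sample is made up; only the message formats follow OpenSSH), counts failures per username, records any accepted logins, and flags the situation Dane describes, where root login is permitted but root never shows up in the failures. The `permit_root_login` flag is an assumption standing in for the value of `PermitRootLogin` in sshd_config.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the original thread).
# Message formats follow OpenSSH's syslog output; hosts, PIDs and IPs are invented.
SAMPLE_LOG = """\
Jul 15 03:12:01 host sshd[2011]: Illegal user michaeljordan from 10.0.0.5
Jul 15 03:12:01 host sshd[2011]: Failed password for illegal user michaeljordan from 10.0.0.5 port 4123 ssh2
Jul 15 03:12:04 host sshd[2013]: Failed password for illegal user admin from 10.0.0.5 port 4125 ssh2
Jul 15 03:12:07 host sshd[2015]: Failed password for dane from 10.0.0.5 port 4127 ssh2
Jul 15 03:12:09 host sshd[2017]: Failed password for illegal user test from 10.0.0.5 port 4129 ssh2
Jul 15 03:13:00 host sshd[2019]: Accepted password for dane from 192.168.1.20 port 50012 ssh2
"""

# "Failed password for [illegal user ]NAME from IP ..." -- the optional group
# distinguishes guesses at nonexistent accounts from guesses at real ones.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(illegal user) )?(\S+) from (\S+)"
)
# "Accepted METHOD for NAME from IP ..." -- a successful login, the line that
# matters most when asking whether someone actually got in.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")


def summarize(log_text):
    """Tally sshd failures per username and collect accepted logins."""
    failed_by_user = Counter()
    illegal_users = set()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            illegal, user, src = m.groups()
            failed_by_user[user] += 1
            if illegal:
                illegal_users.add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((user, src, method))
    return {
        "failed_by_user": dict(failed_by_user),
        "illegal_users": illegal_users,
        "accepted": accepted,
    }


def root_check(summary, permit_root_login=True):
    """Return human-readable findings about root activity in the summary.

    permit_root_login is assumed to mirror PermitRootLogin in sshd_config.
    """
    findings = []
    root_failures = summary["failed_by_user"].get("root", 0)
    # Other accounts were guessed but root never was, while root login is
    # allowed: the gap Dane noticed. Worth cross-checking against a second
    # record of logins (wtmp/lastlog, or a remote syslog copy) rather than
    # trusting auth.log alone.
    if permit_root_login and summary["failed_by_user"] and root_failures == 0:
        findings.append(
            "root login permitted but root never appears among failed attempts; "
            "compare auth.log with wtmp/lastlog or a remote syslog copy"
        )
    for user, src, method in summary["accepted"]:
        if user == "root":
            findings.append(f"successful root login from {src} via {method}")
    return findings


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for user, n in sorted(summary["failed_by_user"].items(), key=lambda kv: -kv[1]):
        tag = " (illegal user)" if user in summary["illegal_users"] else ""
        print(f"{n:4d}  {user}{tag}")
    for finding in root_check(summary, permit_root_login=True):
        print("!!", finding)
```

Run it against a real `/var/log/auth.log` by reading the file into `summarize()`; the `Accepted` lines are the ones to read first, since a failed guess against root is noise but an accepted login for root from an unexpected address is the event that matters.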


