Koozali.org: home of the SME Server

Failed Logins Illegal Users

persisto

Failed Logins Illegal Users
« on: October 17, 2005, 11:04:38 PM »
I found entries like below in the LogWatch of my SME server (sometimes many more entries, starting with all imaginable names starting with A then B etc.)


Failed logins from these:
   admin/password from 218.153.147.92: 8 Time(s)
   guest/password from 218.153.147.92: 4 Time(s)
   root/password from 218.153.147.92: 12 Time(s)
   test/password from 218.153.147.92: 8 Time(s)
   user/password from 218.153.147.92: 4 Time(s)

Illegal users from these:
   guest/none from 218.153.147.92: 4 Time(s)
   guest/password from 218.153.147.92: 4 Time(s)
   test/none from 218.153.147.92: 8 Time(s)
   test/password from 218.153.147.92: 8 Time(s)
   user/none from 218.153.147.92: 4 Time(s)
   user/password from 218.153.147.92: 4 Time(s)


Obviously the Failed Logins do not worry me, but what exactly is an Illegal user?

I am intrigued by the outside interest, and like to know more about the attackers/attacks:

Is it possible to modify the log and show the passwords used? (The idea is to see if someone is guessing wildly or based on some information. I know no-one in South Korea, where the above is from, but I have also had attacks from nearer by.)

Is it possible to add the time to failed logins?

Thanks

Pete

Janm

Got a lot of the same
« Reply #1 on: October 17, 2005, 11:17:36 PM »
Got a lot of the same.
You can find the answer in

/var/log/messages

Oct 17 16:09:51 gateway sshd[6258]: Failed password for illegal user wcec from 72.9.235.158 port 41856 ssh2
Oct 17 16:09:52 gateway sshd[6260]: Illegal user web1 from 72.9.235.158
Oct 17 16:09:52 gateway sshd[6260]: Failed password for illegal user web1 from 72.9.235.158 port 41978 ssh2
Oct 17 16:09:53 gateway sshd[6262]: Illegal user webrep from 72.9.235.158
Oct 17 16:09:53 gateway sshd[6262]: Failed password for illegal user webrep from 72.9.235.158 port 42106 ssh2
Oct 17 16:09:54 gateway sshd[6264]: Illegal user webupb from 72.9.235.158
Oct 17 16:09:54 gateway sshd[6264]: Failed password for illegal user webupb from 72.9.235.158 port 42230 ssh2
Oct 17 16:09:55 gateway sshd[6266]: Illegal user welch from 72.9.235.158
Oct 17 16:09:55 gateway sshd[6266]: Failed password for illegal user welch from 72.9.235.158 port 42334 ssh2
Oct 17 16:09:56 gateway sshd[6268]: Illegal user westmins from 72.9.235.158
Oct 17 16:09:56 gateway sshd[6268]: Failed password for illegal user westmins from 72.9.235.158 port 42461 ssh2
Oct 17 16:09:58 gateway sshd[6270]: Illegal user westonw from 72.9.235.158
Oct 17 16:09:58 gateway sshd[6270]: Failed password for illegal user westonw from 72.9.235.158 port 42580 ssh2
Oct 17 16:09:59 gateway sshd[6272]: Illegal user westonp from 72.9.235.158
Oct 17 16:09:59 gateway sshd[6272]: Failed password for illegal user westonp from 72.9.235.158 port 42689 ssh2
Oct 17 16:10:00 gateway sshd[6274]: Illegal user wingtek from 72.9.235.158
Oct 17 16:10:00 gateway sshd[6274]: Failed password for illegal user wingtek from 72.9.235.158 port 42820 ssh2
Oct 17 16:10:01 gateway sshd[6280]: Illegal user winterd from 72.9.235.158
Oct 17 16:10:01 gateway sshd[6280]: Failed password for illegal user winterd from 72.9.235.158 port 42943 ssh2
Oct 17 16:10:02 gateway sshd[6290]: Illegal user wlusty from 72.9.235.158
Oct 17 16:10:02 gateway sshd[6290]: Failed password for illegal user wlusty from 72.9.235.158 port 43047 ssh2
Oct 17 16:10:03 gateway sshd[6292]: Illegal user wma from 72.9.235.158
Oct 17 16:10:03 gateway sshd[6292]: Failed password for illegal user wma from 72.9.235.158 port 43178 ssh2

That's my logs, just a fraction of it.
All the best, Jan DK
If that's a help.
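An added example, not from the thread and not SME Server code, that turns lines in the /var/log/messages format shown above into the two LogWatch sections and answers the two questions in the opening post from the log itself. sshd logs a name as "illegal user" (later OpenSSH versions say "invalid user") when no account of that name exists on the machine; that is all "Illegal users" means. The word after the slash in LogWatch's "admin/password" or "guest/none" is the authentication method sshd reported ("none" is the client's initial probe), not a password: sshd never logs the password tried. The timestamp and source port are in the raw line, so the script keeps the first and last time each address was seen, which LogWatch drops. The 72.9.235.158 lines are the ones quoted above; the remaining sample lines, and the function names, are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the old-style OpenSSH /var/log/messages format. The
# 72.9.235.158 lines are copied from the thread; the rest are made up here to
# show a failure against an account that does exist ("root"), the "none"
# method that LogWatch prints as "guest/none", a successful key login, and an
# unrelated daemon line that the parser must ignore.
SAMPLE_LOG = """\
Oct 17 16:09:51 gateway sshd[6258]: Failed password for illegal user wcec from 72.9.235.158 port 41856 ssh2
Oct 17 16:09:52 gateway sshd[6260]: Illegal user web1 from 72.9.235.158
Oct 17 16:09:52 gateway sshd[6260]: Failed password for illegal user web1 from 72.9.235.158 port 41978 ssh2
Oct 17 16:10:05 gateway sshd[6301]: Failed password for root from 218.153.147.92 port 51234 ssh2
Oct 17 16:10:06 gateway sshd[6303]: Illegal user guest from 218.153.147.92
Oct 17 16:10:06 gateway sshd[6303]: Failed none for illegal user guest from 218.153.147.92 port 51240 ssh2
Oct 17 16:10:07 gateway sshd[6303]: Failed password for illegal user guest from 218.153.147.92 port 51240 ssh2
Oct 17 16:10:09 gateway sshd[6305]: Failed password for root from 218.153.147.92 port 51250 ssh2
Oct 17 16:10:11 gateway sshd[6307]: Accepted publickey for pete from 192.0.2.10 port 40000 ssh2
Oct 17 16:10:12 gateway cron[6310]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One "Failed <method> for [illegal user ]<name> from <ip> port <port>" line.
# The optional "illegal user " marker is what separates LogWatch's "Illegal
# users" section (no such account) from "Failed logins" (account exists,
# wrong credential).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>\w+) for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Return one dict per failed sshd authentication, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successes, bare "Illegal user" lines, other daemons
        events.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "method": m.group("method"),
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "illegal": m.group("illegal") is not None,
        })
    return events


def summarize(events):
    """LogWatch-style counts keyed by (user, method, ip), split into the two
    sections, plus first/last timestamp per source address."""
    summary = {"failed_logins": Counter(), "illegal_users": Counter()}
    seen = defaultdict(list)
    for e in events:
        key = (e["user"], e["method"], e["ip"])
        summary["illegal_users" if e["illegal"] else "failed_logins"][key] += 1
        seen[e["ip"]].append(e["ts"])
    summary["time_range"] = {ip: (ts[0], ts[-1]) for ip, ts in seen.items()}
    return summary


def noisy_sources(events, threshold):
    """Source addresses with at least `threshold` failures, busiest first."""
    per_ip = Counter(e["ip"] for e in events)
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


def render(summary):
    """Print in the same shape as the LogWatch report quoted above, with the
    time window each address was active appended."""
    for title, key in (("Failed logins from these:", "failed_logins"),
                       ("Illegal users from these:", "illegal_users")):
        print(title)
        for (user, method, ip), n in sorted(summary[key].items()):
            first, last = summary["time_range"][ip]
            print(f"   {user}/{method} from {ip}: {n} Time(s)  [{first} .. {last}]")
        print()


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    render(summarize(evs))
    print("Sources with 3 or more failures:", noisy_sources(evs, 3))
```

Run it against a real file with `parse_failures(open("/var/log/messages").read())`; the regex only matches the pre-"Invalid user" wording shown in this thread, so on a newer OpenSSH change `illegal user` to `invalid user` in FAILED_RE.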

raem
Re: Failed Logins Illegal Users
« Reply #2 on: October 17, 2005, 11:33:47 PM »
persisto

> I am intrigued by the outside interest, and like
> to know more about the attackers/attacks:

You will be more than intrigued when one of them gains access to your server!
You have ssh password access enabled and external (unauthorised) users are trying to login remotely.

You should ensure your passwords are VERY STRONG.
Even better would be to disable ssh password access and use public/private keys.
There is a good HOWTO available by Ian Wells.

If you MUST use password access then only enable local ssh password access and force authorised external users to VPN to your server first.
That will prevent unauthorised users even being able to "talk" to your server, thus no more log entries.

Search these forums on public/private keys as it has been answered many times before.
...
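To make the "disable ssh password access" advice above checkable, an added example that is not from the thread and not SME Server's own tooling: it reads an sshd_config, applies sshd's rule that the first value seen for a directive wins, and lists the directives that still allow password guessing. Both configuration texts and the table of wanted values are constructed for the example. Two caveats a practitioner would want: ChallengeResponseAuthentication has to be off as well, otherwise a password can still be accepted over keyboard-interactive through PAM even with PasswordAuthentication no; and on SME Server /etc/ssh/sshd_config is generated from templates, so apply the change through the server's own configuration mechanism rather than editing the file by hand, or it will be overwritten.

```python
import re

# Constructed sshd_config fragments for the example (not SME Server's generated
# file). The first still lets anyone on the Internet try passwords; the second
# is what the reply above asks for. The trailing duplicate in the hardened text
# is there to show that sshd keeps the FIRST value it reads for a directive.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# a later duplicate does not re-enable anything: first occurrence wins
PasswordAuthentication yes
"""

# Directive (lower-cased; sshd keywords are case-insensitive) -> (value we
# want, why). This table is an assumption of the example, not an sshd list.
WANTED = {
    "passwordauthentication": ("no", "passwords can be guessed from anywhere"),
    "challengeresponseauthentication": ("no", "keyboard-interactive with PAM can still take a password"),
    "permitrootlogin": ("no", "root is the most-tried name in the logs above"),
    "pubkeyauthentication": ("yes", "keys must stay enabled once passwords are off"),
    "protocol": ("2", "protocol 1 must not be offered"),
}


def parse_sshd_config(text):
    """Global directives as {keyword: first value}, the way sshd resolves them:
    blank lines and lines starting with '#' skipped, keyword and value split on
    whitespace or '=', first occurrence wins. Parsing stops at the first Match
    block, since everything after it applies only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (directive, value found or None, value wanted, reason) for each
    directive that is missing or set to something other than what we want."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, reason) in WANTED.items():
        found = settings.get(key)
        if found is None:
            findings.append((key, None, wanted,
                             "not set explicitly; relying on the compiled-in default"))
        elif found.lower() != wanted:
            findings.append((key, found, wanted, reason))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, found, wanted, reason in findings:
            print(f"  {key}: found {found!r}, want {wanted!r} ({reason})")
```

Point it at the live file with `audit(open("/etc/ssh/sshd_config").read())`; an unset directive is reported as a finding on purpose, because the compiled-in default differs between OpenSSH versions and should be confirmed rather than assumed.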

alejandro

Re: Failed Logins Illegal Users
« Reply #3 on: November 07, 2005, 03:33:33 PM »
Quote from: "RayMitchell"

> If you MUST use password access then only enable local ssh password access and force authorised external users to VPN to your server first.
> That will prevent unauthorised users even being able to "talk" to your server, thus no more log entries.

I'm not sure this would increase security.
A cracker would try to guess PPTP passwords instead of SSH, which is the same.
But I'm an "old user, always newbie", so... it's just my opinion.

raem
Re: Failed Logins Illegal Users
« Reply #4 on: November 08, 2005, 12:09:57 AM »
alejandro

> ...cracker would try to guess pptp passwords
> instead of ssh which is the same.


They also need to guess the username as well as the password to gain VPN access.
Also note that VPN access must be enabled for a user to be able to VPN into the server, so unless all your users have VPN enabled, the chances of random access are greatly minimised.
Of course strong passwords should still be used.
...

alejandro

Failed Logins Illegal Users
« Reply #5 on: November 08, 2005, 02:02:07 PM »
Thanks for the clarification.