I have dozens of these messages in my logs:
Mar 16 11:37:50 stockton sshd[20363]: Illegal user named from ::ffff:70.89.30.130
Mar 16 11:37:50 stockton sshd[20363]: reverse mapping checking getaddrinfo for 70-89-30-130-busname-pa.panjde.hfc.comcastbusiness.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 16 11:37:51 stockton sshd[20367]: Illegal user visitor from ::ffff:70.89.30.130
Mar 16 11:37:51 stockton sshd[20367]: reverse mapping checking getaddrinfo for 70-89-30-130-busname-pa.panjde.hfc.comcastbusiness.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 16 11:37:53 stockton sshd[20371]: Illegal user ftpuser from ::ffff:70.89.30.130
Mar 16 11:37:53 stockton sshd[20371]: reverse mapping checking getaddrinfo for 70-89-30-130-busname-pa.panjde.hfc.comcastbusiness.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 16 11:37:54 stockton sshd[20375]: Illegal user username from ::ffff:70.89.30.130
Mar 16 11:37:54 stockton sshd[20375]: reverse mapping checking getaddrinfo for 70-89-30-130-busname-pa.panjde.hfc.comcastbusiness.net failed - POSSIBLE BREAKIN ATTEMPT!
This is definitely indicating a brute force sshd attack. These logs are different because the usernames attempted are either non-existent or not in the AllowUsers variable in sshd_config. However, rwsecure is not banning the IP address, so I am guessing it is not looking for logs of this type. I think we should ban incompetent hackers as well as competent ones! ;-)
I made some small changes in v0.4 that should catch this and deal with it properly. Thanks for the input and let me know if you find any other problems.
The activity below did not result in a banned IP in hosts.deny. The threshold is set to 6, while there are 9 failures from the same IP here, but using different usernames (all of which either don't exist or are not in AllowedUsers). I assume the IP was not banned because it did not fail 6 times on the same username. On my own systems, I would want this activity to result in a ban, but perhaps some would prefer the option to aggregate failed attempts from the same IP for different users or not.
Mar 26 21:49:20 stockton sshd[12543]: Illegal user test from ::ffff:222.255.236.12
Mar 26 21:49:21 stockton sshd[12543]: error: Could not get shadow information for NOUSER
Mar 26 21:49:21 stockton sshd[12543]: Failed password for illegal user test from ::ffff:222.255.236.12 port 35624 ssh2
Mar 26 21:49:24 stockton sshd[12545]: Illegal user guest from ::ffff:222.255.236.12
Mar 26 21:49:24 stockton sshd[12545]: error: Could not get shadow information for NOUSER
Mar 26 21:49:24 stockton sshd[12545]: Failed password for illegal user guest from ::ffff:222.255.236.12 port 35700 ssh2
Mar 26 21:49:29 stockton sshd[12547]: Illegal user admin from ::ffff:222.255.236.12
Mar 26 21:49:29 stockton sshd[12547]: error: Could not get shadow information for NOUSER
Mar 26 21:49:29 stockton sshd[12547]: Failed password for illegal user admin from ::ffff:222.255.236.12 port 35768 ssh2
Mar 26 21:49:36 stockton sshd[12549]: Illegal user admin from ::ffff:222.255.236.12
Mar 26 21:49:36 stockton sshd[12549]: error: Could not get shadow information for NOUSER
Mar 26 21:49:36 stockton sshd[12549]: Failed password for illegal user admin from ::ffff:222.255.236.12 port 35862 ssh2
Mar 26 21:49:41 stockton sshd[12551]: Illegal user user from ::ffff:222.255.236.12
Mar 26 21:49:41 stockton sshd[12551]: error: Could not get shadow information for NOUSER
Mar 26 21:49:41 stockton sshd[12551]: Failed password for illegal user user from ::ffff:222.255.236.12 port 35993 ssh2
Mar 26 21:49:46 stockton sshd[12553]: User root not allowed because not listed in AllowUsers
Mar 26 21:49:46 stockton sshd[12553]: error: Could not get shadow information for NOUSER
Mar 26 21:49:46 stockton sshd[12553]: Failed password for illegal user root from ::ffff:222.255.236.12 port 36105 ssh2
Mar 26 21:49:50 stockton sshd[12555]: User root not allowed because not listed in AllowUsers
Mar 26 21:49:50 stockton sshd[12555]: error: Could not get shadow information for NOUSER
Mar 26 21:49:50 stockton sshd[12555]: Failed password for illegal user root from ::ffff:222.255.236.12 port 36214 ssh2
Mar 26 21:49:54 stockton sshd[12557]: User root not allowed because not listed in AllowUsers
Mar 26 21:49:54 stockton sshd[12557]: error: Could not get shadow information for NOUSER
Mar 26 21:49:54 stockton sshd[12557]: Failed password for illegal user root from ::ffff:222.255.236.12 port 36406 ssh2
Mar 26 21:49:57 stockton sshd[12559]: Illegal user test from ::ffff:222.255.236.12
Mar 26 21:49:57 stockton sshd[12559]: error: Could not get shadow information for NOUSER
Mar 26 21:49:57 stockton sshd[12559]: Failed password for illegal user test from ::ffff:222.255.236.12 port 36611 ssh2
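Both gaps raised in this thread (the "Illegal user" lines of the first post and the per-IP aggregation question of the last one) can be checked with the following added Python example, which is not rwsecure's own code: it parses the sshd line formats quoted above, collapses the several lines one sshd child logs for a single connection into one attempt, and compares per-(IP, user) bucketing with per-IP bucketing against a threshold of 6. The sample log is constructed to mirror the Mar 26 excerpt; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Syslog prefix of the lines in the thread: "Mar 26 21:49:20 stockton sshd[12543]: <msg>"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")
# The two sshd messages carrying both the attempted user and the source address ("::ffff:" is the
# IPv4-mapped prefix of an IPv6-enabled sshd, stripped here). "User root not allowed because not
# listed in AllowUsers" has no address, but the same sshd child logs "Failed password ... from <ip>" next.
ILLEGAL = re.compile(r"^Illegal user (\S+) from (?:::ffff:)?(\S+)$")
FAILED = re.compile(r"^Failed password for (?:illegal user )?(\S+) from (?:::ffff:)?(\S+) port \d+")

def parse_failures(lines):
    """Yield (ip, user, pid) for every line recording a failed or invalid-user login."""
    for line in lines:
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        pid, msg = m.groups()
        for pat in (ILLEGAL, FAILED):
            mm = pat.match(msg)
            if mm:
                user, ip = mm.groups()
                yield ip, user, pid
                break

def count_failures(lines, per_user=False):
    """Count attempts per source. One sshd child (pid) serves one connection, so its several
    lines collapse into one attempt (assumes no pid reuse within the window). per_user=True
    buckets by (ip, user), the behaviour the thread suspects: 9 attempts over 5 names never hit 6."""
    seen, counts = set(), defaultdict(int)
    for ip, user, pid in parse_failures(lines):
        if (ip, pid) in seen:
            continue
        seen.add((ip, pid))
        counts[(ip, user) if per_user else ip] += 1
    return dict(counts)

def ips_to_ban(lines, threshold=6, per_user=False):
    """Sources whose count in the chosen bucketing reaches the threshold (hosts.deny candidates)."""
    over = [k for k, n in count_failures(lines, per_user).items() if n >= threshold]
    return sorted({k[0] if per_user else k for k in over})

# Constructed sample modelled on the thread's Mar 26 excerpt (same usernames and source; not the poster's lines).
USERS = ["test", "guest", "admin", "admin", "user", "root", "root", "root", "test"]
SAMPLE = []
for i, u in enumerate(USERS):
    pid, port, ts = 12543 + 2 * i, 35624 + 100 * i, f"21:49:{20 + 4 * i:02d}"
    SAMPLE += [f"Mar 26 {ts} stockton sshd[{pid}]: Illegal user {u} from ::ffff:222.255.236.12",
               f"Mar 26 {ts} stockton sshd[{pid}]: error: Could not get shadow information for NOUSER",
               f"Mar 26 {ts} stockton sshd[{pid}]: Failed password for illegal user {u} from ::ffff:222.255.236.12 port {port} ssh2"]
```

With per-user bucketing the sample never reaches 6 (root peaks at 3), while per-IP counting reaches 9 and returns 222.255.236.12. Fed the Mar 16 excerpt, the "Illegal user" lines alone give 70.89.30.130 a count of 4, so that activity is seen even though no "Failed password" line follows in that excerpt.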