On Sat, 7 Aug 2004, Jürgen Mell wrote:

Hi,
Hi List,
in the last days I see an increasing number of attacks against our SSH system. Up to now the attackers do not seem to have any success, but I am wondering about one thing: I have set up a list of users which are allowed to use the SSH daemon with the AllowUsers command in sshd_config. Now I get different messages from SSHD although none of the user names the attacker is trying is in the AllowUsers list:
Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers
Looks like 'test' and 'guest' exist but are not allowed to log in, while 'admin' and 'user' do not exist.

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
~
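The distinction drawn in the reply above, as an added example that is not part of the original thread: a small Python parser that sorts the probed names from the quoted log into accounts that exist but are blocked by AllowUsers and names with no account at all. The function name `classify` and the report keys are assumptions made for this example; the log lines are the ones quoted in the message.

```python
import re
from collections import defaultdict

# Log lines quoted in the message above (the source address is redacted there).
SAMPLE_LOG = """\
Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers
"""

SSHD = r"sshd\[\d+\]: "
# Account exists on the host but is rejected by the AllowUsers directive.
DENIED = re.compile(SSHD + r"User (\S+) not allowed because not listed in AllowUsers")
# No such account. Newer OpenSSH releases log "Invalid user" instead of "Illegal user".
UNKNOWN = re.compile(SSHD + r"(?:Illegal|Invalid) user (\S+) from (\S+)")


def classify(log_text):
    """Split probed user names into existing-but-denied and nonexistent accounts."""
    existing, nonexistent = set(), set()
    by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            existing.add(m.group(1))
            continue
        m = UNKNOWN.search(line)
        if m:
            nonexistent.add(m.group(1))
            by_source[m.group(2)].add(m.group(1))
    return {
        "existing_denied": sorted(existing),
        "nonexistent": sorted(nonexistent),
        "by_source": {src: sorted(names) for src, names in by_source.items()},
    }


if __name__ == "__main__":
    report = classify(SAMPLE_LOG)
    # Existing accounts that get probed are worth reviewing: are 'test' and
    # 'guest' still needed on this host at all?
    print("exist, blocked by AllowUsers:", ", ".join(report["existing_denied"]))
    print("no such account:", ", ".join(report["nonexistent"]))
    for src, names in report["by_source"].items():
        print(f"{src}: tried nonexistent {', '.join(names)}")
```

In the log format quoted here, only the "Illegal user" lines carry a source address, so the per-source view covers nonexistent names only.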