On Monday 2005-03-14 at 14:33 -0500, Don Parris wrote:
In my syslog (via Yast) I found the following entries:
(020405B401010402)
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A032FB2830000000001030300)
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:218.153.147.92
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=218.153.147.92 DST=67.35.166.180 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
It is a known attempt to log in to your machine, probably automated, trying first to learn whether certain common user names exist on your machine: test, guest, admin, user, etc. Then, if they think that such a user name exists, they will try to guess the password. Your system rejected those attempts.

It seems they learn of the existence of those users because the sshd daemon answers with different delays depending on whether the user name exists. This was solved by a patch, reported in suse-security-announce on 18 Feb 2005:

- openssh information leak

OpenSSH as shipped with SUSE Linux allows a possible timing attack that could be abused remotely to determine existing users on the system by watching replies to failed password attempts. This is tracked by the Mitre CVE ID CAN-2003-0190. Additionally the output of failing PAM sessions will now be displayed and the terminal setting for aborted login sessions will get restored correctly. This bugfix was released for SUSE Linux 9.1, 9.2 and SUSE Linux Enterprise Server 9.

--
Cheers,
Carlos Robinson
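As an added example (not part of the thread, and not code from either poster), the following Python script parses the two log formats quoted above, SuSEfirewall2 `SFW2-INext-ACC-TCP` kernel entries and sshd `Invalid user` entries, and correlates them per source address to surface the username-probing pattern Carlos describes. The sample log lines and addresses are constructed (192.0.2.0/24 documentation range), and the regular expressions and the two-username threshold are my assumptions, not anything from the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not from the thread) in the two formats
# quoted there: SuSEfirewall2 accepted-TCP kernel entries and sshd rejections.
# Addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
Mar 14 08:04:42 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=41916 DF PROTO=TCP SPT=34654 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 14 08:04:44 luke sshd[26285]: Invalid user test from ::ffff:192.0.2.10
Mar 14 08:04:45 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=27312 DF PROTO=TCP SPT=34740 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 14 08:04:47 luke sshd[26290]: Invalid user guest from ::ffff:192.0.2.10
Mar 14 08:04:49 luke sshd[26293]: Invalid user admin from ::ffff:192.0.2.10
Mar 14 08:05:01 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 14 08:05:03 luke sshd[26301]: Invalid user test from ::ffff:192.0.2.77
Mar 14 08:05:10 luke kernel: SFW2-INext-ACC-TCP IN=dsl0 OUT= MAC= SRC=192.0.2.200 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B4)
"""

# Accepted inbound TCP connection logged by SuSEfirewall2: source and dest port.
SFW2_RE = re.compile(r"SFW2-INext-ACC-TCP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
# sshd rejection of a non-existent account; strip the IPv4-mapped ::ffff: prefix.
SSHD_INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<src>\S+)")

def summarize(log):
    """Per source address: accepted connections to port 22 and the list of
    non-existent usernames tried, in log order."""
    per_src = defaultdict(lambda: {"ssh_connections": 0, "invalid_users": []})
    for line in log.splitlines():
        m = SFW2_RE.search(line)
        if m:
            if m.group("dpt") == "22":          # ignore other accepted ports
                per_src[m.group("src")]["ssh_connections"] += 1
            continue
        m = SSHD_INVALID_RE.search(line)
        if m:
            per_src[m.group("src")]["invalid_users"].append(m.group("user"))
    return dict(per_src)

def suspicious_sources(log, threshold=2):
    """Sources that probed at least `threshold` distinct non-existent accounts:
    the username-enumeration pattern described in the thread."""
    return sorted(src for src, info in summarize(log).items()
                  if len(set(info["invalid_users"])) >= threshold)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(f"{src}: {info['ssh_connections']} SSH connections, "
              f"invalid users {info['invalid_users']}")
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

On a real host, feed `/var/log/messages` (or whichever file YaST shows) into `summarize()` instead of `SAMPLE_LOG`; a source with several accepted port-22 connections and a string of `Invalid user` names is the probe Carlos describes, while one accepted connection and no sshd rejection is just a normal login.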