SSH attacks - why different messages
Hi List,

in the last days I see an increasing number of attacks against our SSH system. Up to now the attackers do not seem to have any success, but I am wondering about one thing: I have set up a list of users which are allowed to use the SSH daemon with the AllowUsers command in sshd_config. Now I get different messages from SSHD although none of the user names the attacker is trying is in the AllowUsers list:

Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers

Why are 'admin' and 'user' handled differently than 'test'? None of these users exist on my system ('guest' and 'root' are available). And none of these five is in AllowUsers.

Can anybody shed some light on this? Thanks!

Jürgen
On Saturday 07 August 2004 01:32 pm, Jürgen Mell wrote:
> Hi List,
>
> in the last days I see an increasing number of attacks against our SSH system. Up to now the attackers do not seem to have any success, but I am wondering about one thing: I have set up a list of users which are allowed to use the SSH daemon with the AllowUsers command in sshd_config. Now I get different messages from SSHD although none of the user names the attacker is trying is in the AllowUsers list:
>
> Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
> Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
> Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
> Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
> Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers
>
> Why are 'admin' and 'user' handled differently than 'test'? None of these users exist on my system ('guest' and 'root' are available). And none of these five is in AllowUsers.
>
> Can anybody shed some light on this? Thanks!
>
> Jürgen

Group names?

-- 
John Andersen
On Sunday 08 August 2004 00:07, John Andersen wrote:
> On Saturday 07 August 2004 01:32 pm, Jürgen Mell wrote:
>> Hi List,
>>
>> in the last days I see an increasing number of attacks against our SSH system. Up to now the attackers do not seem to have any success, but I am wondering about one thing: I have set up a list of users which are allowed to use the SSH daemon with the AllowUsers command in sshd_config. Now I get different messages from SSHD although none of the user names the attacker is trying is in the AllowUsers list:
>>
>> Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
>> Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
>> Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
>> Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
>> Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers
>>
>> Why are 'admin' and 'user' handled differently than 'test'? None of these users exist on my system ('guest' and 'root' are available). And none of these five is in AllowUsers.
>>
>> Can anybody shed some light on this? Thanks!
>>
>> Jürgen
>
> Group names?

No, there is only a group users (with an 's') and no group admin.

Jürgen
Hi,

On Sat, 7 Aug 2004, Jürgen Mell wrote:
> Hi List,
>
> in the last days I see an increasing number of attacks against our SSH system. Up to now the attackers do not seem to have any success, but I am wondering about one thing: I have set up a list of users which are allowed to use the SSH daemon with the AllowUsers command in sshd_config. Now I get different messages from SSHD although none of the user names the attacker is trying is in the AllowUsers list:
>
> Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
> Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
> Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
> Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
> Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers

Looks like 'test' and 'guest' exist but are not allowed to log in, while 'admin' and 'user' do not exist.

Sebastian

-- 
~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
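The distinction Sebastian points out is useful when triaging this kind of log noise: "Illegal user X" means sshd found no such account, while "User X not allowed because not listed in AllowUsers" means the account does exist and only the AllowUsers directive is keeping it out, so those are the accounts to review first (password strength, whether they should exist at all). The following is an added example, not code from the thread or from OpenSSH: it parses the two message formats exactly as posted above and splits the tried user names into the two groups. The regexes are assumptions tied to the wording in the thread; later OpenSSH releases changed the wording of these messages, and lines they do not match are simply ignored.

```python
import re
from collections import Counter

# Constructed sample: the five sshd lines posted in the thread above. The
# source address is masked the way the original poster masked it.
SAMPLE_LOG = """\
Aug 7 22:47:17 akira sshd[5512]: User test not allowed because not listed in AllowUsers
Aug 7 22:47:17 akira sshd[5514]: User guest not allowed because not listed in AllowUsers
Aug 7 22:47:18 akira sshd[5516]: Illegal user admin from www.xxx.yyy.zzz
Aug 7 22:47:20 akira sshd[5520]: Illegal user user from www.xxx.yyy.zzz
Aug 7 22:47:21 akira sshd[5522]: User root not allowed because not listed in AllowUsers
"""

# Syslog prefix: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Emitted when sshd cannot find an account with that name at all.
ILLEGAL_USER = re.compile(r"^Illegal user (?P<user>\S+) from (?P<src>\S+)$")
# Emitted when the account exists but the AllowUsers directive filters it out.
NOT_IN_ALLOWUSERS = re.compile(
    r"^User (?P<user>\S+) not allowed because not listed in AllowUsers$"
)


def parse_line(line):
    """Return a dict describing one rejected login, or None for any other line."""
    m = SYSLOG_PREFIX.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    msg = m.group("msg")
    im = ILLEGAL_USER.match(msg)
    if im:
        rec.update(kind="nonexistent", user=im.group("user"), src=im.group("src"))
        return rec
    nm = NOT_IN_ALLOWUSERS.match(msg)
    if nm:
        # This message format carries no source address, so src stays None.
        rec.update(kind="exists_not_allowed", user=nm.group("user"), src=None)
        return rec
    return None  # some other sshd message; not classified here


def classify(log_text):
    """Count rejected user names, split by whether the account exists locally."""
    counts = {"nonexistent": Counter(), "exists_not_allowed": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["kind"]][rec["user"]] += 1
    return counts


def targeted_existing_accounts(log_text):
    """Accounts that exist on the host and were tried: review these first."""
    return sorted(classify(log_text)["exists_not_allowed"])


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for kind, users in result.items():
        print(f"{kind}: {dict(users)}")
    print("existing accounts probed:", targeted_existing_accounts(SAMPLE_LOG))
```

Run against the sample it reports 'admin' and 'user' as nonexistent and 'test', 'guest' and 'root' as existing accounts blocked only by AllowUsers, which is exactly the split Sebastian describes. Feeding it a real auth log works the same way, as long as the sshd version still emits these two message wordings.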
participants (3)
- John Andersen
- Juergen.Mell@t-online.de
- Sebastian Krahmer