From: Adam Carter
To: gentoo-user@lists.gentoo.org
Date: Fri, 20 Mar 2009 10:40:44 +1100
Subject: RE: [gentoo-user] Usernames in ssh attacks
Message-ID: <5602B0BD6D59AE4791BE83104940118DA4D10EF0@excprdmbxw002.optus.com.au>
In-Reply-To: <58965d8a0903190819j61cdf7a1o6a070f7a275066ab@mail.gmail.com>
List-Id: Gentoo Linux mail

> In my ssh logs this morning I noticed a couple login attempts with
> usernames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.

I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmaster@dns.cablecentro.net.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP....

Are you running Fail2ban or similar?

Rgs,
Adam
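The point Adam makes above is that the name in a "refused connect from" line comes from the client address's PTR record, which the owner of that reverse zone can set to anything, so a name there is not evidence of who connected. The script below is an added example, not code from anyone in this thread: it parses lines of the shape quoted above (the sample lines are constructed from the quoted ones), splits the tcp_wrappers client field into its user and host parts, and for IP-literal entries runs a forward-confirmed reverse DNS check. The function names (`split_client`, `fcrdns`, `classify_log`, `make_offline_resolver`) and the reverse/forward DNS data used in the stand-alone run are assumptions made for the example so it works offline; with no resolver arguments, `fcrdns` falls back to the system resolver.

```python
import ipaddress
import re
import socket

# Constructed sample log lines, modelled on the tcp_wrappers/sshd lines quoted in
# the thread (hosts and addresses are as quoted; nothing here is resolved live).
SAMPLE_LOG = [
    "Mar 18 20:19:48 [sshd] refused connect from postmaster@dns.cablecentro.net.co",
    "Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107",
    "Mar 18 23:44:44 [sshd] refused connect from [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107",
    "Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66",
]

CLIENT_RE = re.compile(r"refused connect from (?P<client>\S+)\s*$")
# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I
)


def split_client(token):
    """tcp_wrappers logs the client as 'host' or 'user@host' (its %c field).
    Returns (user, host); user is None when no '@' is present. Whether the user
    part came from an ident reply or, as suggested in the thread, from a PTR
    record that is not a hostname, it is unauthenticated either way."""
    if "@" in token:
        user, host = token.rsplit("@", 1)
        return user, host
    return None, token


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def make_offline_resolver(ptr_map, a_map):
    """Build (ptr_lookup, a_lookup) callables backed by constructed dictionaries,
    mimicking socket.gethostbyaddr / gethostbyname_ex closely enough for the check."""
    def ptr_lookup(ip):
        if ip not in ptr_map:
            raise socket.herror(1, "Unknown host")  # same error class as a real miss
        return ptr_map[ip]

    def a_lookup(name):
        return a_map.get(name, [])

    return ptr_lookup, a_lookup


def fcrdns(ip, ptr_lookup=None, a_lookup=None):
    """Forward-confirmed reverse DNS: the PTR name for ip must resolve back to ip.
    A PTR value is controlled by whoever owns the reverse zone, so on its own it
    proves nothing; forward confirmation is the minimum check before trusting it.
    Defaults use the system resolver; pass lookups to run offline."""
    ptr_lookup = ptr_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    a_lookup = a_lookup or (lambda n: socket.gethostbyname_ex(n)[2])
    try:
        name = ptr_lookup(ip)
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return {"ptr": None, "confirmed": False}
    try:
        addrs = a_lookup(name)
    except OSError:
        addrs = []
    return {"ptr": name, "confirmed": ip in addrs}


def classify_log(lines, ptr_lookup=None, a_lookup=None):
    """Parse 'refused connect from' lines and describe what the client field tells us."""
    results = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        user, host = split_client(m.group("client"))
        entry = {"user": user, "host": host}
        if is_ip_literal(host):
            # tcp_wrappers fell back to the address: no usable PTR at connect time.
            entry["kind"] = "ip-literal"
            entry.update(fcrdns(host, ptr_lookup, a_lookup))
        else:
            # A name was logged; flag anything that is not a well-formed hostname.
            entry["kind"] = "ptr-name"
            entry["valid_hostname"] = HOSTNAME_RE.match(host) is not None
        results.append(entry)
    return results


if __name__ == "__main__":
    # Constructed reverse/forward data: one PTR that does not confirm, one missing.
    ptr, a = make_offline_resolver(
        {"211.116.136.107": "mail.example.test"},
        {"mail.example.test": ["198.51.100.7"]},
    )
    for entry in classify_log(SAMPLE_LOG, ptr, a):
        print(entry)
```

Run against real logs, drop the resolver arguments so `fcrdns` uses the system resolver; an entry whose PTR does not forward-confirm, or whose logged name is not a well-formed hostname, is one to treat as an IP address with a decorative label rather than as an identified host.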