From: Daniel Bye
To: freebsd-questions@freebsd.org
Date: Tue, 26 Apr 2005 11:42:07 +0100
Subject: Re: illegal user root user failed login attempts
Message-ID: <20050426104206.GA53044@catflap.slightlystrange.org>
User-Agent: Mutt/1.4.2.1i

On Tue, Apr 26, 2005 at 09:22:34AM +0100, Peter Kropholler wrote:
> I run a server at home on port 22.
> There are loads of illegal user attempts to login
> every few days. As it's at home I protect myself
> by having only one user on the sshd AllowUsers
> list and with a very strong password and no
> admin/sysman privileges.

Good strategy. You could even go so far as to deny logins without a
public key.

> So essentially every failed login attempt is illegal.
>
> Is there any way to actually record what passwords
> the hackers' scripts are trying? I am just really intrigued
> to know what they are thinking might work.

No - ssh transport is encrypted even by the time passwords are involved.

> I realize that it's not normally appropriate to log people's
> passwords but in my case I am literally the only user
> who will ever legitimately login to my machine

It'll just be a script running somewhere that offers common passwords,
random words, etc. You'd be amazed at how many installations use a
default password (Cliff Stoll's The Cuckoo's Egg is a damn fine read,
and talks about default passwords on admin and field service accounts)

More useful might be to log the IP addresses the connections are
coming from and report the abuse to the authority to whom the
addresses are assigned. You never know - they might feel compelled to
stamp on the little buggers...

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F

 _  ASCII ribbon campaign
( ) - against HTML, vCards and
 X  - proprietary attachments in e-mail
/ \
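The reply's practical suggestion is to log the source addresses of the failed attempts rather than the passwords. Below is an added example of how a defender could do that from the sshd entries in FreeBSD's auth log; it is not part of the thread and not code from either poster. The log lines are constructed for the example (hostname, PIDs and addresses are made up; the addresses come from the RFC 5737 documentation ranges), and they imitate both the older OpenSSH wording the thread refers to ("Illegal user") and the later "Invalid user" form, so the same parser serves either. The threshold and function names are choices of this example, not anything from the original post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of FreeBSD /var/log/auth.log. An attempt
# against a non-existent account produces two lines (the "Illegal/Invalid user"
# notice and the "Failed password" line), so attempts are counted from the
# "Failed password" lines only, while usernames are collected from every line.
SAMPLE_LOG = """\
Apr 26 03:14:07 catflap sshd[53012]: Illegal user test from 192.0.2.10
Apr 26 03:14:09 catflap sshd[53014]: Failed password for illegal user test from 192.0.2.10 port 4431 ssh2
Apr 26 03:14:12 catflap sshd[53016]: Illegal user admin from 192.0.2.10
Apr 26 03:14:15 catflap sshd[53018]: Failed password for root from 192.0.2.10 port 4433 ssh2
Apr 26 03:15:01 catflap sshd[53020]: Failed password for root from 198.51.100.7 port 2202 ssh2
Apr 26 03:15:05 catflap sshd[53022]: Invalid user oracle from 198.51.100.7
Apr 26 03:20:40 catflap sshd[53030]: Accepted publickey for peter from 203.0.113.5 port 51022 ssh2
"""

# Matches the three failure shapes above; successful "Accepted ..." lines do not match.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: "
    r"(?P<kind>Illegal user|Invalid user|Failed password for(?: (?:illegal|invalid) user)?) "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(text):
    """Yield (kind, user, ip) for every sshd failure line in the log text."""
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            yield m.group("kind"), m.group("user"), m.group("ip")


def summarize(text, threshold=3):
    """Return (attempts per IP, usernames tried per IP, IPs at or over threshold).

    Only "Failed password" lines count as attempts, so a guess against a
    non-existent user is not counted twice.
    """
    attempts = Counter()
    users_by_ip = defaultdict(set)
    for kind, user, ip in parse_failures(text):
        users_by_ip[ip].add(user)
        if kind.startswith("Failed password"):
            attempts[ip] += 1
    offenders = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return attempts, {ip: sorted(u) for ip, u in users_by_ip.items()}, offenders


def report(text, threshold=3):
    """Render a plain-text summary suitable for pasting into an abuse report."""
    attempts, users, offenders = summarize(text, threshold)
    lines = []
    for ip in sorted(attempts, key=lambda k: -attempts[k]):
        flag = " (over threshold)" if ip in offenders else ""
        lines.append(f"{ip}: {attempts[ip]} failed password attempt(s), "
                     f"usernames tried: {', '.join(users[ip])}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host you would read /var/log/auth.log instead of SAMPLE_LOG.
    print(report(SAMPLE_LOG, threshold=2))
```

The per-address summary is what an abuse desk can act on; the owner of each address block is found with `whois` on the IP, and the log excerpt with timestamps (and the host's timezone) should accompany the report. Successful logins are deliberately excluded from the counts so that the legitimate user never appears in the list.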