From owner-freebsd-questions@FreeBSD.ORG  Wed May 18 05:19:52 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 64D8F16A4CE
	for <freebsd-questions@freebsd.org>;
	Wed, 18 May 2005 05:19:52 +0000 (GMT)
Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.46])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F1E0543D7E
	for <freebsd-questions@freebsd.org>;
	Wed, 18 May 2005 05:19:48 +0000 (GMT)
	(envelope-from peterkropholler@mac.com)
Received: from mac.com (smtpin01-en2 [10.13.10.146])id j4I5JlCp006407
	for <freebsd-questions@freebsd.org>;
	Tue, 17 May 2005 22:19:47 -0700 (PDT)
Received: from [10.0.1.3] (82-69-50-179.dsl.in-addr.zen.co.uk [82.69.50.179])
	(authenticated bits=0)
	by mac.com (Xserve/smtpin01/MantshX 4.0) with ESMTP id j4I5JjXc001941
	for <freebsd-questions@freebsd.org>;
	Tue, 17 May 2005 22:19:47 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v730)
To: freebsd-questions@freebsd.org
Message-Id: <C993D184-EDA6-446B-96CC-59B9AFE34AC2@mac.com>
From: Peter Kropholler <peterkropholler@mac.com>
Date: Tue, 17 May 2005 15:36:45 +0100
X-Mailer: Apple Mail (2.730)
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: illegal user root user failed login attempts
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2005 05:19:52 -0000

This link might help:
http://seclists.org/lists/incidents/2005/Feb/0004.html


Karol,
Thanks for this pointer.

There are two really important pieces of advice on that web page
which persuade me to ditch any thoughts of trying to determine
what passwords people are using with their illegal login scams:

1. it's probably illegal
2. it potentially gives hackers an excuse: someone else knew their  
password?!

As things stand, ssh is designed so you can't get at people's passwords
and I am leaving it alone. Focussing instead on the task of making
sure my passwords are strong, limiting AllowUsers to specific users and
trusted ip addresses, and moving ssh off port 22.

Other advice I received was to consider logging ip addresses and
sending complaints to the relevant authorities: however I doubt that
there is very much point in doing so since my guess is that most
scams come from hacked machines anyway. Basically you never see
the same ip address twice.

many thanks

Peter K