Date:      Fri, 18 Jun 2010 05:23:27 -0700 (PDT)
From:      Dino Vliet <dino_vliet@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   system is under attack (what can I do more?)
Message-ID:  <367428.93212.qm@web51108.mail.re2.yahoo.com>

Dear freebsd list,
My server, which is an amd64 system running FreeBSD 8.0, is currently under attack from a botnet or something. Take a look at my /var/log/auth.log file:

Jun 18 12:00:00 dual newsyslog[34486]: logfile turned over due to size>100K
Jun 18 12:00:44 dual sshd[34500]: Address 78.5.23.41 maps to 78-5-23-41-static.albacom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:00:44 dual sshd[34500]: Invalid user po from 78.5.23.41
Jun 18 12:00:44 dual sshd[34500]: error: PAM: authentication error for illegal user po from 78.5.23.41
Jun 18 12:00:44 dual sshd[34500]: Failed keyboard-interactive/pam for invalid user po from 78.5.23.41 port 10000 ssh2
Jun 18 12:02:17 dual sshd[34503]: Invalid user pol from 211.138.112.241
Jun 18 12:02:17 dual sshd[34503]: error: PAM: authentication error for illegal user pol from 211.138.112.241
Jun 18 12:02:17 dual sshd[34503]: Failed keyboard-interactive/pam for invalid user pol from 211.138.112.241 port 59172 ssh2
Jun 18 12:03:36 dual sshd[34506]: Invalid user polo from 210.59.145.5
Jun 18 12:03:36 dual sshd[34506]: error: PAM: authentication error for illegal user polo from 210.59.145.5
Jun 18 12:03:36 dual sshd[34506]: Failed keyboard-interactive/pam for invalid user polo from 210.59.145.5 port 56517 ssh2
Jun 18 12:04:34 dual sshd[34509]: Invalid user poning from 58.68.131.50
Jun 18 12:04:35 dual sshd[34509]: error: PAM: authentication error for illegal user poning from 58.68.131.50
Jun 18 12:04:35 dual sshd[34509]: Failed keyboard-interactive/pam for invalid user poning from 58.68.131.50 port 55580 ssh2
Jun 18 12:06:11 dual sshd[34514]: User pop from 220.191.131.209 not allowed because not listed in AllowUsers
Jun 18 12:06:12 dual sshd[34514]: error: PAM: authentication error for illegal user pop from 220.191.131.209
Jun 18 12:06:12 dual sshd[34514]: Failed keyboard-interactive/pam for invalid user pop from 220.191.131.209 port 50786 ssh2
Jun 18 12:08:44 dual sshd[34517]: Invalid user popo from 92.79.130.80
Jun 18 12:08:44 dual sshd[34517]: error: PAM: authentication error for illegal user popo from 92.79.130.80
Jun 18 12:08:44 dual sshd[34517]: Failed keyboard-interactive/pam for invalid user popo from 92.79.130.80 port 34021 ssh2
Jun 18 12:08:51 dual sshd[34520]: User pop from 190.41.164.23 not allowed because not listed in AllowUsers
Jun 18 12:08:52 dual sshd[34520]: error: PAM: authentication error for illegal user pop from 190.41.164.23
Jun 18 12:08:52 dual sshd[34520]: Failed keyboard-interactive/pam for invalid user pop from 190.41.164.23 port 26359 ssh2
Jun 18 12:10:30 dual sshd[34525]: Invalid user poppy from 222.68.200.116
Jun 18 12:10:31 dual sshd[34525]: error: PAM: authentication error for illegal user poppy from 222.68.200.116
Jun 18 12:10:31 dual sshd[34525]: Failed keyboard-interactive/pam for invalid user poppy from 222.68.200.116 port 56770 ssh2
Jun 18 12:11:56 dual sshd[34540]: Invalid user porno from 81.74.38.142
Jun 18 12:11:56 dual sshd[34540]: error: PAM: authentication error for illegal user porno from 81.74.38.142
Jun 18 12:11:56 dual sshd[34540]: Failed keyboard-interactive/pam for invalid user porno from 81.74.38.142 port 10478 ssh2
Jun 18 12:13:05 dual sshd[34543]: Invalid user port from 62.218.125.149
Jun 18 12:13:05 dual sshd[34543]: error: PAM: authentication error for illegal user port from 62.218.125.149
Jun 18 12:13:05 dual sshd[34543]: Failed keyboard-interactive/pam for invalid user port from 62.218.125.149 port 54959 ssh2
Jun 18 12:14:13 dual sshd[34546]: Invalid user portal from 195.5.12.170
Jun 18 12:14:13 dual sshd[34546]: error: PAM: authentication error for illegal user portal from 195.5.12.170
Jun 18 12:14:13 dual sshd[34546]: Failed keyboard-interactive/pam for invalid user portal from 195.5.12.170 port 59904 ssh2
Jun 18 12:15:53 dual sshd[34551]: Invalid user portal from 201.24.215.217
Jun 18 12:15:53 dual sshd[34551]: error: PAM: authentication error for illegal user portal from 201.24.215.217
Jun 18 12:15:53 dual sshd[34551]: Failed keyboard-interactive/pam for invalid user portal from 201.24.215.217 port 61107 ssh2
Jun 18 12:18:20 dual sshd[34554]: Invalid user pos from 211.97.71.218
Jun 18 12:18:21 dual sshd[34554]: error: PAM: authentication error for illegal user pos from 211.97.71.218
Jun 18 12:18:21 dual sshd[34554]: Failed keyboard-interactive/pam for invalid user pos from 211.97.71.218 port 53424 ssh2
Jun 18 12:19:28 dual sshd[34557]: Invalid user pos from 200.171.22.80
Jun 18 12:19:28 dual sshd[34557]: error: PAM: authentication error for illegal user pos from 200.171.22.80
Jun 18 12:19:28 dual sshd[34557]: Failed keyboard-interactive/pam for invalid user pos from 200.171.22.80 port 56309 ssh2
Jun 18 12:21:12 dual sshd[34562]: Invalid user postfix from 165.98.133.98
Jun 18 12:21:12 dual sshd[34562]: error: PAM: authentication error for illegal user postfix from up.upoli.edu.ni
Jun 18 12:21:12 dual sshd[34562]: Failed keyboard-interactive/pam for invalid user postfix from 165.98.133.98 port 59768 ssh2
Jun 18 12:22:39 dual sshd[34577]: Invalid user postfix from 164.77.68.42
Jun 18 12:22:40 dual sshd[34577]: error: PAM: authentication error for illegal user postfix from 164.77.68.42
Jun 18 12:22:40 dual sshd[34577]: Failed keyboard-interactive/pam for invalid user postfix from 164.77.68.42 port 51433 ssh2
Jun 18 12:23:29 dual sshd[34580]: Invalid user postfix from 58.223.238.6
Jun 18 12:23:29 dual sshd[34580]: error: PAM: authentication error for illegal user postfix from 58.223.238.6
Jun 18 12:23:29 dual sshd[34580]: Failed keyboard-interactive/pam for invalid user postfix from 58.223.238.6 port 54510 ssh2
Jun 18 12:25:03 dual sshd[34585]: Invalid user postgres from 212.77.187.249
Jun 18 12:25:03 dual sshd[34585]: error: PAM: authentication error for illegal user postgres from 212.77.187.249
Jun 18 12:25:03 dual sshd[34585]: Failed keyboard-interactive/pam for invalid user postgres from 212.77.187.249 port 13858 ssh2
Jun 18 12:26:25 dual sshd[34588]: Invalid user postgres from 90.177.114.168
Jun 18 12:26:25 dual sshd[34588]: error: PAM: authentication error for illegal user postgres from 90.177.114.168
Jun 18 12:26:25 dual sshd[34588]: Failed keyboard-interactive/pam for invalid user postgres from 90.177.114.168 port 11530 ssh2
Jun 18 12:28:15 dual sshd[34593]: Invalid user postgres from 115.168.71.84
Jun 18 12:28:16 dual sshd[34593]: error: PAM: authentication error for illegal user postgres from 115.168.71.84
Jun 18 12:28:16 dual sshd[34593]: Failed keyboard-interactive/pam for invalid user postgres from 115.168.71.84 port 53004 ssh2
Jun 18 12:29:00 dual sshd[34596]: Invalid user postgres from 195.202.52.195
Jun 18 12:29:00 dual sshd[34596]: error: PAM: authentication error for illegal user postgres from 195.202.52.195
Jun 18 12:29:00 dual sshd[34596]: Failed keyboard-interactive/pam for invalid user postgres from 195.202.52.195 port 43714 ssh2
Jun 18 12:30:35 dual sshd[34601]: Address 190.38.59.236 maps to 190-38-59-236.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:30:35 dual sshd[34601]: Invalid user postgres from 190.38.59.236
Jun 18 12:30:36 dual sshd[34601]: error: PAM: authentication error for illegal user postgres from 190.38.59.236
Jun 18 12:30:36 dual sshd[34601]: Failed keyboard-interactive/pam for invalid user postgres from 190.38.59.236 port 63717 ssh2
Jun 18 12:32:22 dual sshd[34604]: Invalid user postgres from 58.242.3.10
Jun 18 12:32:23 dual sshd[34604]: error: PAM: authentication error for illegal user postgres from 58.242.3.10
Jun 18 12:32:23 dual sshd[34604]: Failed keyboard-interactive/pam for invalid user postgres from 58.242.3.10 port 48741 ssh2
Jun 18 12:33:44 dual sshd[34619]: Address 64.76.3.82 maps to 64-76-3-82.static.impsat.net.ar, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:33:44 dual sshd[34619]: Invalid user postgres from 64.76.3.82
Jun 18 12:33:44 dual sshd[34619]: error: PAM: authentication error for illegal user postgres from 64.76.3.82
Jun 18 12:33:44 dual sshd[34619]: Failed keyboard-interactive/pam for invalid user postgres from 64.76.3.82 port 21015 ssh2
Jun 18 12:34:43 dual sshd[34622]: Address 202.106.212.231 maps to bt-212-231.bta.net.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:34:43 dual sshd[34622]: Invalid user postgres from 202.106.212.231
Jun 18 12:34:44 dual sshd[34622]: error: PAM: authentication error for illegal user postgres from 202.106.212.231
Jun 18 12:34:44 dual sshd[34622]: Failed keyboard-interactive/pam for invalid user postgres from 202.106.212.231 port 49820 ssh2
Jun 18 12:35:49 dual sshd[34627]: Invalid user postgres from 86.57.250.137
Jun 18 12:35:49 dual sshd[34627]: error: PAM: authentication error for illegal user postgres from 86.57.250.137
Jun 18 12:35:49 dual sshd[34627]: Failed keyboard-interactive/pam for invalid user postgres from 86.57.250.137 port 25337 ssh2
Jun 18 12:37:38 dual sshd[34630]: Invalid user postgres from 218.83.164.51
Jun 18 12:37:39 dual sshd[34630]: error: PAM: authentication error for illegal user postgres from 218.83.164.51
Jun 18 12:37:39 dual sshd[34630]: Failed keyboard-interactive/pam for invalid user postgres from 218.83.164.51 port 50120 ssh2
Jun 18 12:38:49 dual sshd[34633]: Address 217.37.71.209 maps to mail.pmasonengltd.co.uk, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:38:49 dual sshd[34633]: Invalid user postgres from 217.37.71.209
Jun 18 12:38:49 dual sshd[34633]: error: PAM: authentication error for illegal user postgres from 217.37.71.209
Jun 18 12:38:49 dual sshd[34633]: Failed keyboard-interactive/pam for invalid user postgres from 217.37.71.209 port 42717 ssh2
Jun 18 12:40:19 dual sshd[34638]: reverse mapping checking getaddrinfo for 130.226.55.116.broad.km.yn.dynamic.163data.com.cn [116.55.226.130] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 12:40:19 dual sshd[34638]: Invalid user postgres from 116.55.226.130
Jun 18 12:40:20 dual sshd[34638]: error: PAM: authentication error for illegal user postgres from 116.55.226.130
Jun 18 12:40:20 dual sshd[34638]: Failed keyboard-interactive/pam for invalid user postgres from 116.55.226.130 port 11309 ssh2
Jun 18 12:41:53 dual sshd[34641]: Invalid user postgres from 218.83.164.34
Jun 18 12:41:53 dual sshd[34641]: error: PAM: authentication error for illegal user postgres from 218.83.164.34
Jun 18 12:41:53 dual sshd[34641]: Failed keyboard-interactive/pam for invalid user postgres from 218.83.164.34 port 49741 ssh2
Jun 18 12:43:13 dual sshd[34644]: Invalid user postgres from 80.237.148.117
Jun 18 12:43:13 dual sshd[34644]: error: PAM: authentication error for illegal user postgres from 80.237.148.117
Jun 18 12:43:13 dual sshd[34644]: Failed keyboard-interactive/pam for invalid user postgres from 80.237.148.117 port 37748 ssh2
Jun 18 12:44:47 dual sshd[34659]: Invalid user postgres from 86.62.121.35
Jun 18 12:44:47 dual sshd[34659]: error: PAM: authentication error for illegal user postgres from 86.62.121.35
Jun 18 12:44:47 dual sshd[34659]: Failed keyboard-interactive/pam for invalid user postgres from 86.62.121.35 port 60741 ssh2
Jun 18 12:45:54 dual sshd[34664]: Invalid user postgres from 221.11.1.82
Jun 18 12:45:54 dual sshd[34664]: error: PAM: authentication error for illegal user postgres from 221.11.1.82
Jun 18 12:45:54 dual sshd[34664]: Failed keyboard-interactive/pam for invalid user postgres from 221.11.1.82 port 50854 ssh2
Jun 18 12:47:09 dual sshd[34667]: Invalid user postgres from 195.14.240.58
Jun 18 12:47:09 dual sshd[34667]: error: PAM: authentication error for illegal user postgres from 195.14.240.58
Jun 18 12:47:09 dual sshd[34667]: Failed keyboard-interactive/pam for invalid user postgres from 195.14.240.58 port 37184 ssh2
Jun 18 12:48:58 dual sshd[34670]: Invalid user postgres from 61.29.122.37
Jun 18 12:48:58 dual sshd[34670]: error: PAM: authentication error for illegal user postgres from shotz.com.au
Jun 18 12:48:58 dual sshd[34670]: Failed keyboard-interactive/pam for invalid user postgres from 61.29.122.37 port 60533 ssh2
Jun 18 12:50:33 dual sshd[34675]: Invalid user postgres from 190.96.169.218
Jun 18 12:50:33 dual sshd[34675]: error: PAM: authentication error for illegal user postgres from 190.96.169.218
Jun 18 12:50:33 dual sshd[34675]: Failed keyboard-interactive/pam for invalid user postgres from 190.96.169.218 port 33087 ssh2
Jun 18 12:51:32 dual sshd[34678]: Invalid user postgres from 58.223.246.2
Jun 18 12:51:33 dual sshd[34678]: error: PAM: authentication error for illegal user postgres from 58.223.246.2
Jun 18 12:51:33 dual sshd[34678]: Failed keyboard-interactive/pam for invalid user postgres from 58.223.246.2 port 41633 ssh2
Jun 18 12:53:25 dual sshd[34681]: Invalid user postgres from 84.201.244.19
Jun 18 12:53:25 dual sshd[34681]: error: PAM: authentication error for illegal user postgres from gw1.elewise.com
Jun 18 12:53:25 dual sshd[34681]: Failed keyboard-interactive/pam for invalid user postgres from 84.201.244.19 port 50343 ssh2
Jun 18 12:54:48 dual sshd[34684]: Invalid user postgres from 61.139.142.20
Jun 18 12:54:48 dual sshd[34684]: error: PAM: authentication error for illegal user postgres from 61.139.142.20
Jun 18 12:54:48 dual sshd[34684]: Failed keyboard-interactive/pam for invalid user postgres from 61.139.142.20 port 62375 ssh2
Jun 18 12:55:47 dual sshd[34701]: Invalid user postgres from 81.89.94.158
Jun 18 12:55:48 dual sshd[34701]: error: PAM: authentication error for illegal user postgres from 81.89.94.158
Jun 18 12:55:48 dual sshd[34701]: Failed keyboard-interactive/pam for invalid user postgres from 81.89.94.158 port 16852 ssh2
Jun 18 12:57:09 dual sshd[34706]: Invalid user postgres from 82.94.31.132
Jun 18 12:57:09 dual sshd[34706]: error: PAM: authentication error for illegal user postgres from 82.94.31.132
Jun 18 12:57:09 dual sshd[34706]: Failed keyboard-interactive/pam for invalid user postgres from 82.94.31.132 port 45411 ssh2
Jun 18 12:58:50 dual sshd[34709]: Invalid user postgres from 12.193.124.59
Jun 18 12:58:51 dual sshd[34709]: error: PAM: authentication error for illegal user postgres from 12.193.124.59
Jun 18 12:58:51 dual sshd[34709]: Failed keyboard-interactive/pam for invalid user postgres from 12.193.124.59 port 11135 ssh2
Jun 18 13:01:03 dual sshd[34728]: Invalid user postgres from 62.103.21.246
Jun 18 13:01:03 dual sshd[34728]: error: PAM: authentication error for illegal user postgres from serial.sense.gr
Jun 18 13:01:03 dual sshd[34728]: Failed keyboard-interactive/pam for invalid user postgres from 62.103.21.246 port 48827 ssh2
Jun 18 13:01:37 dual sshd[34731]: Invalid user postgres from 194.210.66.196
Jun 18 13:01:37 dual sshd[34731]: error: PAM: authentication error for illegal user postgres from 194.210.66.196
Jun 18 13:01:37 dual sshd[34731]: Failed keyboard-interactive/pam for invalid user postgres from 194.210.66.196 port 36175 ssh2
Jun 18 13:03:44 dual sshd[34734]: Accepted keyboard-interactive/pam for robert from 85.144.145.49 port 23616 ssh2
Jun 18 13:05:05 dual sshd[34746]: Accepted keyboard-interactive/pam for robert from 85.144.145.49 port 23624 ssh2
Jun 18 13:05:05 dual sshd[34749]: subsystem request for sftp
Jun 18 13:05:34 dual sshd[34751]: Invalid user postmaster from 201.26.202.251
Jun 18 13:05:35 dual sshd[34751]: error: PAM: authentication error for illegal user postmaster from 201.26.202.251
Jun 18 13:05:35 dual sshd[34751]: Failed keyboard-interactive/pam for invalid user postmaster from 201.26.202.251 port 34437 ssh2
Jun 18 13:07:09 dual sshd[34754]: Invalid user postmaster from 220.73.173.2
Jun 18 13:07:09 dual sshd[34754]: error: PAM: authentication error for illegal user postmaster from 220.73.173.2
Jun 18 13:07:09 dual sshd[34754]: Failed keyboard-interactive/pam for invalid user postmaster from 220.73.173.2 port 35828 ssh2
Jun 18 13:08:57 dual sshd[34757]: Invalid user power from 218.24.110.146
Jun 18 13:08:58 dual sshd[34757]: error: PAM: authentication error for illegal user power from 218.24.110.146
Jun 18 13:08:58 dual sshd[34757]: Failed keyboard-interactive/pam for invalid user power from 218.24.110.146 port 43949 ssh2
Jun 18 13:09:56 dual sshd[34760]: Invalid user pp from 211.138.156.10
Jun 18 13:09:56 dual sshd[34760]: error: PAM: authentication error for illegal user pp from 211.138.156.10
Jun 18 13:09:56 dual sshd[34760]: Failed keyboard-interactive/pam for invalid user pp from 211.138.156.10 port 40174 ssh2
Jun 18 13:11:31 dual sshd[34777]: Invalid user ppp from 211.143.113.2
Jun 18 13:11:31 dual sshd[34777]: error: PAM: authentication error for illegal user ppp from 211.143.113.2
Jun 18 13:11:31 dual sshd[34777]: Failed keyboard-interactive/pam for invalid user ppp from 211.143.113.2 port 55178 ssh2
Jun 18 13:12:24 dual sshd[34780]: Invalid user pr from 190.58.158.12
Jun 18 13:12:24 dual sshd[34780]: error: PAM: authentication error for illegal user pr from 190.58.158.12
Jun 18 13:12:24 dual sshd[34780]: Failed keyboard-interactive/pam for invalid user pr from 190.58.158.12 port 53898 ssh2
Jun 18 13:13:49 dual sshd[34784]: Invalid user press from 80.153.220.193
Jun 18 13:13:49 dual sshd[34784]: error: PAM: authentication error for illegal user press from 80.153.220.193
Jun 18 13:13:49 dual sshd[34784]: Failed keyboard-interactive/pam for invalid user press from 80.153.220.193 port 59046 ssh2
Jun 18 13:15:36 dual sshd[34793]: reverse mapping checking getaddrinfo for 158.208.6.200.intelnet.net.gt [200.6.208.158] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:15:36 dual sshd[34793]: Invalid user prestat from 200.6.208.158
Jun 18 13:15:36 dual sshd[34793]: error: PAM: authentication error for illegal user prestat from 200.6.208.158
Jun 18 13:15:36 dual sshd[34793]: Failed keyboard-interactive/pam for invalid user prestat from 200.6.208.158 port 50568 ssh2
Jun 18 13:16:31 dual sshd[34796]: Invalid user presto from 62.225.98.6
Jun 18 13:16:31 dual sshd[34796]: error: PAM: authentication error for illegal user presto from 62.225.98.6
Jun 18 13:16:31 dual sshd[34796]: Failed keyboard-interactive/pam for invalid user presto from 62.225.98.6 port 43770 ssh2
Jun 18 13:18:25 dual sshd[34900]: Address 69.59.129.2 maps to 69.59.129.2.servepath.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:18:25 dual sshd[34900]: Invalid user print from 69.59.129.2
Jun 18 13:18:25 dual sshd[34900]: error: PAM: authentication error for illegal user print from 69.59.129.2
Jun 18 13:18:25 dual sshd[34900]: Failed keyboard-interactive/pam for invalid user print from 69.59.129.2 port 34289 ssh2
Jun 18 13:19:24 dual sshd[35003]: Invalid user private from 86.58.149.70
Jun 18 13:19:24 dual sshd[35003]: error: PAM: authentication error for illegal user private from 86.58.149.70
Jun 18 13:19:24 dual sshd[35003]: Failed keyboard-interactive/pam for invalid user private from 86.58.149.70 port 55807 ssh2
Jun 18 13:21:18 dual sshd[35008]: Invalid user pro from 222.221.12.89
Jun 18 13:21:19 dual sshd[35008]: error: PAM: authentication error for illegal user pro from 222.221.12.89
Jun 18 13:21:19 dual sshd[35008]: Failed keyboard-interactive/pam for invalid user pro from 222.221.12.89 port 55182 ssh2
Jun 18 13:22:23 dual sshd[35325]: Invalid user probe from 80.153.220.193
Jun 18 13:22:23 dual sshd[35325]: error: PAM: authentication error for illegal user probe from 80.153.220.193
Jun 18 13:22:23 dual sshd[35325]: Failed keyboard-interactive/pam for invalid user probe from 80.153.220.193 port 58296 ssh2
Jun 18 13:23:44 dual su: robert to root on /dev/ttyv0
Jun 18 13:23:52 dual sshd[35533]: Address 196.41.3.246 maps to erbec.datapro.co.za, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:23:52 dual sshd[35533]: Invalid user prod from 196.41.3.246
Jun 18 13:23:53 dual sshd[35533]: error: PAM: authentication error for illegal user prod from 196.41.3.246
Jun 18 13:23:53 dual sshd[35533]: Failed keyboard-interactive/pam for invalid user prod from 196.41.3.246 port 10046 ssh2
Jun 18 13:25:11 dual sshd[39802]: Invalid user production from 83.13.138.178
Jun 18 13:25:12 dual sshd[39802]: error: PAM: authentication error for illegal user production from 83.13.138.178
Jun 18 13:25:12 dual sshd[39802]: Failed keyboard-interactive/pam for invalid user production from 83.13.138.178 port 48473 ssh2
Jun 18 13:28:42 dual sshd[50583]: Invalid user profile from 93.153.215.26
Jun 18 13:28:42 dual sshd[50583]: error: PAM: authentication error for illegal user profile from 93.153.215.26
Jun 18 13:28:42 dual sshd[50583]: Failed keyboard-interactive/pam for invalid user profile from 93.153.215.26 port 8550 ssh2
Jun 18 13:30:32 dual sshd[50588]: Invalid user profit from 79.188.238.50
Jun 18 13:30:33 dual sshd[50588]: error: PAM: authentication error for illegal user profit from 79.188.238.50
Jun 18 13:30:33 dual sshd[50588]: Failed keyboard-interactive/pam for invalid user profit from 79.188.238.50 port 41616 ssh2
Jun 18 13:31:12 dual sshd[50591]: Address 211.232.103.215 maps to static.211-232-103-215.nexg.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:31:12 dual sshd[50591]: Invalid user programs from 211.232.103.215
Jun 18 13:31:13 dual sshd[50591]: error: PAM: authentication error for illegal user programs from 211.232.103.215
Jun 18 13:31:13 dual sshd[50591]: Failed keyboard-interactive/pam for invalid user programs from 211.232.103.215 port 51980 ssh2
Jun 18 13:32:12 dual sshd[50594]: Invalid user proj from 89.96.140.154
Jun 18 13:32:12 dual sshd[50594]: error: PAM: authentication error for illegal user proj from 89.96.140.154
Jun 18 13:32:12 dual sshd[50594]: Failed keyboard-interactive/pam for invalid user proj from 89.96.140.154 port 56910 ssh2
Jun 18 13:33:31 dual sshd[50609]: Invalid user projects from 200.21.228.80
Jun 18 13:33:31 dual sshd[50609]: error: PAM: authentication error for illegal user projects from 200.21.228.80
Jun 18 13:33:31 dual sshd[50609]: Failed keyboard-interactive/pam for invalid user projects from 200.21.228.80 port 19205 ssh2
Jun 18 13:35:23 dual sshd[50614]: Invalid user projetos from 140.239.151.227
Jun 18 13:35:24 dual sshd[50614]: error: PAM: authentication error for illegal user projetos from 140.239.151.227
Jun 18 13:35:24 dual sshd[50614]: Failed keyboard-interactive/pam for invalid user projetos from 140.239.151.227 port 38488 ssh2
Jun 18 13:36:54 dual sshd[50617]: Invalid user promocao from 85.207.158.25
Jun 18 13:36:54 dual sshd[50617]: error: PAM: authentication error for illegal user promocao from 85.207.158.25
Jun 18 13:36:54 dual sshd[50617]: Failed keyboard-interactive/pam for invalid user promocao from 85.207.158.25 port 24744 ssh2
Jun 18 13:37:48 dual sshd[50620]: Address 190.38.59.236 maps to 190-38-59-236.dyn.dsl.cantv.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:37:48 dual sshd[50620]: Invalid user property from 190.38.59.236
Jun 18 13:37:48 dual sshd[50620]: error: PAM: authentication error for illegal user property from 190.38.59.236
Jun 18 13:37:48 dual sshd[50620]: Failed keyboard-interactive/pam for invalid user property from 190.38.59.236 port 62497 ssh2
Jun 18 13:39:30 dual sshd[50623]: Address 190.12.5.78 maps to corp-190-12-5-78-cue.puntonet.ec, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:39:30 dual sshd[50623]: Invalid user prova from 190.12.5.78
Jun 18 13:39:30 dual sshd[50623]: error: PAM: authentication error for illegal user prova from 190.12.5.78
Jun 18 13:39:30 dual sshd[50623]: Failed keyboard-interactive/pam for invalid user prova from 190.12.5.78 port 53356 ssh2
Jun 18 13:40:56 dual sshd[50628]: Invalid user prova from 85.18.102.233
Jun 18 13:40:56 dual sshd[50628]: error: PAM: authentication error for illegal user prova from 85.18.102.233
Jun 18 13:40:56 dual sshd[50628]: Failed keyboard-interactive/pam for invalid user prova from 85.18.102.233 port 32966 ssh2
Jun 18 13:42:52 dual sshd[50631]: User proxy from 125.72.248.71 not allowed because not listed in AllowUsers
Jun 18 13:42:53 dual sshd[50631]: error: PAM: authentication error for illegal user proxy from 125.72.248.71
Jun 18 13:42:53 dual sshd[50631]: Failed keyboard-interactive/pam for invalid user proxy from 125.72.248.71 port 55468 ssh2
Jun 18 13:44:01 dual sshd[50634]: User proxy from 218.206.219.130 not allowed because not listed in AllowUsers
Jun 18 13:44:02 dual sshd[50634]: error: PAM: authentication error for illegal user proxy from 218.206.219.130
Jun 18 13:44:02 dual sshd[50634]: Failed keyboard-interactive/pam for invalid user proxy from 218.206.219.130 port 52065 ssh2
Jun 18 13:45:22 dual sshd[50651]: Invalid user prueba1 from 190.253.220.98
Jun 18 13:45:22 dual sshd[50651]: error: PAM: authentication error for illegal user prueba1 from 190.253.220.98
Jun 18 13:45:22 dual sshd[50651]: Failed keyboard-interactive/pam for invalid user prueba1 from 190.253.220.98 port 41859 ssh2
Jun 18 13:47:07 dual sshd[50654]: Invalid user prueba2 from 204.193.6.21
Jun 18 13:47:07 dual sshd[50654]: error: PAM: authentication error for illegal user prueba2 from 204.193.6.21
Jun 18 13:47:07 dual sshd[50654]: Failed keyboard-interactive/pam for invalid user prueba2 from 204.193.6.21 port 56648 ssh2
Jun 18 13:49:22 dual sshd[50657]: Invalid user prueba from 79.34.45.61
Jun 18 13:49:22 dual sshd[50657]: error: PAM: authentication error for illegal user prueba from 79.34.45.61
Jun 18 13:49:22 dual sshd[50657]: Failed keyboard-interactive/pam for invalid user prueba from 79.34.45.61 port 59619 ssh2
Jun 18 13:49:34 dual sshd[50660]: Address 200.232.120.201 maps to mail.kasinski.com.br, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 13:49:34 dual sshd[50660]: Invalid user prueba from 200.232.120.201
Jun 18 13:49:34 dual sshd[50660]: error: PAM: authentication error for illegal user prueba from 200.232.120.201
Jun 18 13:49:34 dual sshd[50660]: Failed keyboard-interactive/pam for invalid user prueba from 200.232.120.201 port 44913 ssh2
Jun 18 13:51:30 dual sshd[50665]: Invalid user prueba from 201.24.215.217
Jun 18 13:51:30 dual sshd[50665]: error: PAM: authentication error for illegal user prueba from 201.24.215.217
Jun 18 13:51:30 dual sshd[50665]: Failed keyboard-interactive/pam for invalid user prueba from 201.24.215.217 port 60380 ssh2
Jun 18 13:52:18 dual sshd[50668]: Invalid user prueba from 201.236.221.162
Jun 18 13:52:19 dual sshd[50668]: error: PAM: authentication error for illegal user prueba from 201.236.221.162
Jun 18 13:52:19 dual sshd[50668]: Failed keyboard-interactive/pam for invalid user prueba from 201.236.221.162 port 39638 ssh2
Jun 18 13:54:32 dual sshd[50671]: Invalid user prueba from 58.60.146.5
Jun 18 13:54:32 dual sshd[50671]: error: PAM: authentication error for illegal user prueba from 58.60.146.5
Jun 18 13:54:32 dual sshd[50671]: Failed keyboard-interactive/pam for invalid user prueba from 58.60.146.5 port 33231 ssh2
Jun 18 13:55:04 dual sshd[50691]: Invalid user prueba from 211.100.49.195
Jun 18 13:55:05 dual sshd[50691]: error: PAM: authentication error for illegal user prueba from 211.100.49.195
Jun 18 13:55:05 dual sshd[50691]: Failed keyboard-interactive/pam for invalid user prueba from 211.100.49.195 port 37644 ssh2
Jun 18 13:56:47 dual sshd[50702]: Invalid user prueba from 82.245.104.128
Jun 18 13:56:47 dual sshd[50702]: error: PAM: authentication error for illegal user prueba from 82.245.104.128
Jun 18 13:56:47 dual sshd[50702]: Failed keyboard-interactive/pam for invalid user prueba from 82.245.104.128 port 34325 ssh2
Jun 18 13:57:54 dual sshd[50705]: Invalid user pruebas from 88.79.143.68
Jun 18 13:57:54 dual sshd[50705]: error: PAM: authentication error for illegal user pruebas from 88.79.143.68
Jun 18 13:57:54 dual sshd[50705]: Failed keyboard-interactive/pam for invalid user pruebas from 88.79.143.68 port 29678 ssh2
Jun 18 13:59:20 dual su: robert to root on /dev/ttyv0
Jun 18 14:01:08 dual sshd[50832]: Invalid user psk from 80.90.118.21
Jun 18 14:01:08 dual sshd[50832]: error: PAM: authentication error for illegal user psk from 80.90.118.21
Jun 18 14:01:08 dual sshd[50832]: Failed keyboard-interactive/pam for invalid user psk from 80.90.118.21 port 31918 ssh2
Jun 18 14:02:16 dual sshd[50836]: Address 200.119.132.115 maps to ip-gt.200.119.132.115.telefonica-ca.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 14:02:16 dual sshd[50836]: Invalid user psybnc from 200.119.132.115
Jun 18 14:02:16 dual sshd[50836]: error: PAM: authentication error for illegal user psybnc from 200.119.132.115
Jun 18 14:02:16 dual sshd[50836]: Failed keyboard-interactive/pam for invalid user psybnc from 200.119.132.115 port 43398 ssh2
Jun 18 14:04:28 dual sshd[50839]: Invalid user abcd from 190.170.2.1
Jun 18 14:04:30 dual sshd[50842]: User root from 190.170.2.1 not allowed because not listed in AllowUsers
Jun 18 14:05:19 dual sshd[50848]: Invalid user pub from 117.40.138.154
Jun 18 14:05:19 dual sshd[50848]: error: PAM: authentication error for illegal user pub from 117.40.138.154
Jun 18 14:05:19 dual sshd[50848]: Failed keyboard-interactive/pam for invalid user pub from 117.40.138.154 port 3209 ssh2

I looked at this, and especially the way they seem to try different usernames (not fully random though) is quite clever. The postgres user they tried worried me at first, but fortunately I realized that postgres wasn't running on that server. I have configured the AllowUsers directive in sshd_config and it only contains 2 usernames which can log in from sshd remotely.

Another "line of defence" is my pf firewall config which has the following in it:

pass in proto tcp from any to any port ssh keep state (max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)

However, almost none of the ip-addresses above end up in that bruteforce table. 

Now my questions are:
1) why doesn't IP address 190.38.59.236, for instance, trigger my pf rule? Is that because this connection stays within the limits? Should I change that, but then again, considering the attack rate... what values would be suitable?
2) are there other things I could do?

Brgds
Dino
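
An added example, not part of the original message: a Python sketch that groups sshd log lines into connections per source address and checks which sources would exceed a limit like the `max-src-conn-rate 2/30` in the rule above. It assumes one TCP connection per sshd PID and approximates pf's rate check as "more than N new connections within S seconds" (the simultaneous-connection limit `max-src-conn` is not modelled); the 203.0.113.7 lines are constructed, the others are copied from the log in the message.

```python
import re
from collections import defaultdict
from datetime import datetime

# First five lines are copied from the auth.log in the message; the three
# 203.0.113.7 lines are constructed to show a source that exceeds the limit.
SAMPLE_LOG = """\
Jun 18 12:30:35 dual sshd[34601]: Invalid user postgres from 190.38.59.236
Jun 18 12:30:36 dual sshd[34601]: Failed keyboard-interactive/pam for invalid user postgres from 190.38.59.236 port 63717 ssh2
Jun 18 13:13:49 dual sshd[34784]: Invalid user press from 80.153.220.193
Jun 18 13:22:23 dual sshd[35325]: Invalid user probe from 80.153.220.193
Jun 18 13:37:48 dual sshd[50620]: Invalid user property from 190.38.59.236
Jun 18 14:10:01 dual sshd[60001]: Invalid user test from 203.0.113.7
Jun 18 14:10:05 dual sshd[60002]: Invalid user test from 203.0.113.7
Jun 18 14:10:09 dual sshd[60003]: Invalid user test from 203.0.113.7
"""

# Timestamp, sshd PID and the IPv4 address after the last "from" on the line.
# Lines that log a hostname instead of an address are skipped; the same PID
# also logs lines that carry the address.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r".*\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_connections(log_text, year=2010):
    """Return {source_ip: sorted list of connection times}.

    Assumption: each sshd PID handles exactly one TCP connection, so several
    log lines with the same (PID, address) count as a single connection.
    syslog timestamps carry no year, so it is passed in.
    """
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (pid, ip)
        if key not in first_seen or when < first_seen[key]:
            first_seen[key] = when
    per_source = defaultdict(list)
    for (_pid, ip), when in first_seen.items():
        per_source[ip].append(when)
    return {ip: sorted(times) for ip, times in per_source.items()}


def sources_over_rate(connections, limit=2, window=30):
    """Sources with more than `limit` new connections inside `window` seconds.

    Simplified model of a per-source connection-rate limit, not pf's code.
    """
    flagged = set()
    for ip, times in connections.items():
        # limit+1 connections fit in the window if the span from the i-th
        # to the (i+limit)-th connection is at most `window` seconds.
        for i in range(len(times) - limit):
            if (times[i + limit] - times[i]).total_seconds() <= window:
                flagged.add(ip)
                break
    return flagged


def min_gap_seconds(times):
    """Shortest interval between consecutive connections, or None."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) if gaps else None


def report(log_text):
    """Rows of (source, connections, shortest gap in seconds, over limit)."""
    conns = parse_connections(log_text)
    flagged = sources_over_rate(conns)
    return [
        (ip, len(times), min_gap_seconds(times), ip in flagged)
        for ip, times in sorted(conns.items())
    ]


if __name__ == "__main__":
    for ip, count, gap, over in report(SAMPLE_LOG):
        print(f"{ip:16} connections={count} min_gap={gap} over_limit={over}")
```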


      


