[NTLUG:Discuss] OpenSSH - Newbie Question #2

brian@pongonova.net brian at pongonova.net
Thu Jul 6 11:20:03 CDT 2006


On Thu, Jul 06, 2006 at 07:33:22AM -0500, Terry Henderson wrote:
> I'm puzzled.
> How would they know there would be a user name of "mailtest"?

They don't.  The script kiddies use scripts that just go through a list of
usernames that might possibly generate a hit.  Here's a partial list of usernames
that pscan2 tries:

ftpuser
ftp
mysql
testuser
postgres
mailtest
sales
service
student
kevin
root
postfix
test
web
webmaster
admin
guest
gov
irc
alex

So you end up with log entries that look like this:

May  7 04:05:11 turquoise sshd[10230]: Illegal user danny from 213.141.72.42
May  7 04:05:11 turquoise sshd[10230]: Failed password for illegal user danny from 213.141.72.42 port 1055 ssh2
May  7 04:05:12 turquoise sshd[10232]: Illegal user sharon from 213.141.72.42
May  7 04:05:12 turquoise sshd[10232]: Failed password for illegal user sharon from 213.141.72.42 port 1115 ssh2
May  7 04:05:14 turquoise sshd[10234]: Illegal user aron from 213.141.72.42
May  7 04:05:14 turquoise sshd[10234]: Failed password for illegal user aron from 213.141.72.42 port 1181 ssh2
May  7 04:05:15 turquoise sshd[10236]: Illegal user alex from 213.141.72.42
May  7 04:05:15 turquoise sshd[10236]: Failed password for illegal user alex from 213.141.72.42 port 1251 ssh2
May  7 04:05:17 turquoise sshd[10238]: Illegal user brett from 213.141.72.42
May  7 04:05:17 turquoise sshd[10238]: Failed password for illegal user brett from 213.141.72.42 port 1311 ssh2
May  7 04:05:18 turquoise sshd[10240]: Illegal user mike from 213.141.72.42
May  7 04:05:18 turquoise sshd[10240]: Failed password for illegal user mike from 213.141.72.42 port 1365 ssh2
May  7 04:05:19 turquoise sshd[10242]: Illegal user alan from 213.141.72.42
May  7 04:05:19 turquoise sshd[10242]: Failed password for illegal user alan from 213.141.72.42 port 1424 ssh2

Restricting by IP address, if possible, looks like a "server not responding"
error on the script kiddie side, so they go away.  I imagine changing your
sshd port as Chris suggests accomplishes the same thing.

  --Brian
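The log pattern Brian describes (one source walking a list of usernames that do not exist on the host) is easy to pick out of auth logs automatically. The following is an added example, not code from the original thread: it parses sshd lines of the format quoted above and flags any source that has tried several distinct non-existent usernames. The sample log text is constructed for the example, and the threshold of three distinct usernames is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the sshd entries quoted in the post,
# plus one ordinary user mistyping a password once and then logging in.
SAMPLE_LOG = """\
May  7 04:05:11 turquoise sshd[10230]: Illegal user danny from 213.141.72.42
May  7 04:05:11 turquoise sshd[10230]: Failed password for illegal user danny from 213.141.72.42 port 1055 ssh2
May  7 04:05:12 turquoise sshd[10232]: Illegal user sharon from 213.141.72.42
May  7 04:05:12 turquoise sshd[10232]: Failed password for illegal user sharon from 213.141.72.42 port 1115 ssh2
May  7 04:05:14 turquoise sshd[10234]: Illegal user aron from 213.141.72.42
May  7 04:05:14 turquoise sshd[10234]: Failed password for illegal user aron from 213.141.72.42 port 1181 ssh2
May  7 04:09:30 turquoise sshd[10300]: Failed password for brian from 192.0.2.10 port 4022 ssh2
May  7 04:09:35 turquoise sshd[10302]: Accepted password for brian from 192.0.2.10 port 4023 ssh2
"""

# "Illegal user X from IP": a guess at a username that does not exist locally.
ILLEGAL_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\d+\.\d+\.\d+\.\d+)")
# "Failed password for [illegal user ]X from IP": any failed password guess.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:illegal user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(log_text):
    """Return {ip: {"illegal_users": set, "failed": int}} for every source seen."""
    stats = defaultdict(lambda: {"illegal_users": set(), "failed": 0})
    for line in log_text.splitlines():
        m = ILLEGAL_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["illegal_users"].add(user)
            continue
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            stats[ip]["failed"] += 1
    return stats


def scanner_sources(log_text, min_distinct_users=3):
    """Sources that guessed at least `min_distinct_users` non-existent usernames.

    A real user mistyping a password hits one existing account; a list-driven
    scan like the one in the post walks many usernames the host has never had.
    The threshold is an assumed tuning value, not something from the post.
    """
    stats = summarize(log_text)
    return sorted(ip for ip, s in stats.items()
                  if len(s["illegal_users"]) >= min_distinct_users)


if __name__ == "__main__":
    for ip in scanner_sources(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[ip]
        print(f"{ip}: {len(s['illegal_users'])} unknown usernames, {s['failed']} failed passwords")
```

The flagged addresses are the natural input for the per-IP restriction Brian mentions, whether a firewall rule or an `AllowUsers`/`Match` block in sshd_config.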
