J65nko (Administrator), 10th January 2010

An example of probes from June 2009 as posted on the FreeBSD questions mailing list:
Quote:
Aug 22 00:46:21 amnesiac sshd[63107]: error: PAM: authentication error for illegal user adrian from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:21 amnesiac sshd[63107]: Failed keyboard-interactive/pam for invalid user adrian from 76.193.128.193 port 2901 ssh2
Aug 22 00:46:23 amnesiac sshd[63110]: error: PAM: authentication error for illegal user agfa from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:23 amnesiac sshd[63110]: Failed keyboard-interactive/pam for invalid user agfa from 76.193.128.193 port 3165 ssh2
Aug 22 00:46:26 amnesiac sshd[63113]: error: PAM: authentication error for illegal user agneta from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:26 amnesiac sshd[63113]: Failed keyboard-interactive/pam for invalid user agneta from 76.193.128.193 port 3338 ssh2
Aug 22 00:46:29 amnesiac sshd[63116]: error: PAM: authentication error for illegal user ahren from adsl-76-193-128-193.dsl.scrm01.sbcglobal.net
Aug 22 00:46:29 amnesiac sshd[63116]: Failed keyboard-interactive/pam for invalid user ahren from 76.193.128.193 port 3499 ssh2
As you see, they all originate from a single IP address.

A more recent log from Dec 2009:
Quote:
Dec 26 18:28:13 xantippe sshd[91556]: error: PAM: authentication error for illegal user helen from 84.246.69.21
Dec 26 18:55:08 xantippe sshd[91634]: error: PAM: authentication error for illegal user helen from 83.211.160.211
Dec 26 19:22:05 xantippe sshd[91710]: error: PAM: authentication error for illegal user jenny from 93.63.231.55
Dec 26 19:39:55 xantippe sshd[91744]: error: PAM: authentication error for illegal user jenny from 211.115.234.143
Dec 26 19:49:02 xantippe sshd[91772]: error: PAM: authentication error for illegal user jenny from 121.52.215.180
Dec 26 20:16:17 xantippe sshd[91855]: error: PAM: authentication error for illegal user jenny from 201.82.6.7
Dec 26 20:34:22 xantippe sshd[91902]: error: PAM: authentication error for illegal user jenny from 201.244.188.202
Dec 26 20:52:23 xantippe sshd[91943]: error: PAM: authentication error for illegal user jenny from 116.55.226.131
Dec 26 21:01:25 xantippe sshd[91987]: error: PAM: authentication error for illegal user jenny from 202.102.245.109
Dec 26 21:10:29 xantippe sshd[92002]: error: PAM: authentication error for illegal user jenny from 90.182.107.194
Dec 26 21:37:41 xantippe sshd[92078]: error: PAM: authentication error
Here each address only probes one single name/password and the interval between probes is quite large.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 10th January 2010 at 07:06 PM. Reason: Added newest probes from multiple machines
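The two probe patterns in the post, as an added example that is not part of the original post: a per-source counter flags the single-address burst but stays silent on the distributed probes, which only become visible when the quiet sources are counted together. The function names, thresholds and sample lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd/PAM failure line format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: PAM: "
    r"authentication error for illegal user (?P<user>\S+) from (?P<src>\S+)$")

def parse(lines, year=2009):
    """Yield (timestamp, user, source); syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def classify(lines, per_source_limit=3, distributed_min=5):
    """Separate sources that trip a per-source limit from many quiet sources."""
    by_src = defaultdict(list)
    for ts, _user, src in parse(lines):
        by_src[src].append(ts)
    # Pattern 1: one address hammering away; a per-source threshold catches it.
    noisy = sorted(s for s, t in by_src.items() if len(t) >= per_source_limit)
    # Pattern 2: each address stays under the limit; look at them in aggregate.
    quiet = [t for t in by_src.values() if len(t) < per_source_limit]
    times = sorted(ts for t in quiet for ts in t)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "noisy_sources": noisy,
        "quiet_sources": len(quiet),
        "distributed": len(quiet) >= distributed_min,
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
    }

# Constructed sample input in the post's line format (not the post's own data).
FMT = "{} host sshd[1000]: error: PAM: authentication error for illegal user {} from {}"
BURST = [FMT.format(f"Aug 22 00:46:{s:02d}", u, "192.0.2.10")
         for s, u in [(21, "adrian"), (23, "agfa"), (26, "agneta"), (29, "ahren")]]
SLOW = [FMT.format(f"Dec 26 {18 + i // 3}:{20 * (i % 3):02d}:00", "jenny",
                   f"198.51.100.{i + 1}") for i in range(6)]

if __name__ == "__main__":
    print("burst:", classify(BURST))
    print("slow: ", classify(SLOW))
```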