Select Page

My servers have been subjected to extra ssh traffic in the last few days:

Nov 16 13:25:14 gc-blog sshd[6625]: Illegal user admin from ::ffff:[IPaddress]
Nov 16 13:25:16 gc-blog sshd[6628]: Illegal user test from ::ffff:[IPaddress]
Nov 16 13:25:19 gc-blog sshd[6631]: Illegal user guest from ::ffff:[IPaddress]
Nov 16 13:25:26 gc-blog sshd[6637]: Illegal user webmaster from ::ffff:[IPaddress]
Nov 16 13:25:36 gc-blog sshd[6645]: Illegal user oracle from ::ffff:[IPaddress]
Nov 16 13:25:38 gc-blog sshd[6647]: Illegal user library from ::ffff:[IPaddress]
Nov 16 13:25:41 gc-blog sshd[6650]: Illegal user info from ::ffff:[IPaddress]
Nov 16 13:25:43 gc-blog sshd[6653]: Illegal user shell from ::ffff:[IPaddress]
Nov 16 13:25:50 gc-blog sshd[6658]: Illegal user linux from ::ffff:[IPaddress]
Nov 16 13:25:53 gc-blog sshd[6661]: Illegal user unix from ::ffff:[IPaddress]
Nov 16 13:25:55 gc-blog sshd[6664]: Illegal user webadmin from ::ffff:[IPaddress]
Nov 16 13:26:05 gc-blog sshd[6672]: Illegal user test from ::ffff:[IPaddress]
Nov 16 13:26:09 gc-blog sshd[6678]: Illegal user admin from ::ffff:[IPaddress]

SANS also had a post – http://isc.sans.org/diary.php?storyid=846

I’m keeping an eye on behaviour – I think my sshd are configured reasonably well.