-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vivek J. Patankar wrote: > One of my servers has a public interface. It is hit by ssh login > attempts on a daily basis and the count for that goes into the > thousands per week. The usernames that have been tried are root, > admin, administrator, etc. > > For the last could of weeks I have been getting a lot of login > attempts for a user called "NOUSER". There were over 12000 during > the week ending 5th August. The sources of the attempts are > geographically distributed, Norway, US, Korea, Taiwan, India, etc. > But the username is always the same, "NOUSER". I am guessing this > is some kind of worm. > > Aug 6 17:57:57 <HOSTNAME> pam_tally[28966]: pam_tally: > pam_get_uid; no such user NOUSER > > Has anybody else seen such activity or has more information about > it? Anything I should worry about? > > If it matters, the box runs an up-to-date FC6. > Just some rules: (1) If you don't use SSH outside the company or school, BLOCK it completely. There are several examples of iptable rules and firewall rules for this. (2) Keep secure passwords. This means nothing easy to guess. "password" and the like are ones to keep away from. (3) Keep an EYE on your box at all times. Actually most of the time. It looks like you already are. (4) Most distros now ship with disallowing ROOT from directly SSHing into the box. But there are also other safeguards you can do. http://www.openssh.com/ James -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGuNzXkNLDmnu1kSkRAkftAJ9raavZIFJCW0qiy/PGXgCN/TWzXwCfcfUi 9GangwjkF4pOt1UHYPBgIg0= =Ksyd -----END PGP SIGNATURE----- -- Scanned by ClamAV - http://www.clamav.net
