"Phase 1: “That's odd..." During the last few
weeks, I noticed an anomaly in the authentication logs on one of my
listening posts. There were a larger than usual number of ssh login
attempts overall, a higher than usual number of attempts for
non-existent user names as well as some failures for a few that
actually exist as well...
"Phase 2: Not your run of the mill screwup, the data say
Repeated login attempts for non-existing users are nothing new (in
fact the bruteforce avoidance section is one of the more popular
parts of the PF tutorial), but I was a bit surprised to see the
attempts actually reaching this machine, which is on a local
network behind a PF gateway with a configuration that is in fact
closely related to the one in the tutorial (and the book for that
matter). Then looking at the log entries, I noticed a few more
things: The attempts are never less than a minute apart, and the
attempts from a single host are separated by much long intervals.
The full data set I extracted from the point I started noticing
those anomalies sum up to these figures can be found here, in case
you want to look at it and draw you own conclusions."
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.