A practical example, real life, last night. I was replacing my hard drive on my home broadband OBSD firewall, and it was taking a few minutes to copy over the old pf.conf and enable the firewall. I had installed the latest snapshot as a fresh image and restarted. It took a little while to set up the local networks, and I was connected to the Internet, so I could download packages.
I copied over the pf.conf from my backup host and enabled it, not thinking much more about it. Then this morning I looked at /var/log/authlog to see stuff like this: Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123 Jan 9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2 Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123 Jan 9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2 Jan 9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123 Jan 9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2 Jan 9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123 Jan 9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2 Jan 9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123 Jan 9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2 I never see anything like that, since my pf rules only allow me to ssh back to home from my work IP range. In the space of about 15 minutes before I enabled pf all of the following users were tried, probably by an automated script: Aaliyah Aaron Aba Abel Exit Jewel Zmeu Zmeu adam adam add adm admin admin admin admin admin admin admin admins admins adrian alan alex alin alina alinus amanda andrei andrew angel apache aron at backup bnc bran brett cafe calendar cap cgi ch cmd com danny data david dulap fernando fluffy ftp games george get guest guest hacker haxor hk http httpd hy id ident if info info internet irc is it john kathi kayten ldap library linux lp luis mail mail mailman master max michael michael michi mikael mike mike mysql mysql net network news news nick octavio open oper oracle org party paul paul pe pgsql pgsql pl play poq postfix postmaster print psybnc radu resin rex richard richard robert rpm sales samba sara search sef sex sgi sharon shell shell shop squid ssh stan station stef stephen steven sunny sunsun susan suva suzuki tavi technicom telnet test test test test test trial trib uk unix unseen us user user username username users web webadmin webmaster webmaster webpop word www-data wwwrun wwwrun yahoo za What a cesspool the internet is! Good passwords, limit access to where it is necessary, and run an ironclad OS. Thanks for making it all possible.
