Wow, I read your email and checked my authlog and was
astounded by the number of hack attempts. Thankfully, I
configured my OpenBSD firewall with recommended access
controls. Thanks to all the dedicated OpenBSD
developers and community! Support the project and
encourage the purchase of more OpenBSD CDs and direct
donations to the Foundation!
--- Ken <[EMAIL PROTECTED]> wrote:
> A practical example, real life, last night.
> I was replacing my hard drive on my home broadband
> OBSD firewall, and it was taking a few minutes
> to copy over the old pf.conf and enable the
> firewall. I had installed the latest snapshot as a
> fresh image and restarted. It took a little while
> to set up the local networks, and I was connected
> to the Internet, so I could download packages.
>
> I copied over the pf.conf from my backup host and
> enabled it, not thinking much more about it.
> Then this morning I looked at /var/log/authlog to
> see stuff like this:
>
> Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over
> Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
> Jan 9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew
> Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
> Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
> Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
> Jan 9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam
> Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
> Jan 9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye
> Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
> Jan 9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial
> Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
> Jan 9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye
> Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
> Jan 9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar
> Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
> Jan 9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye
> Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
> Jan 9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq
> Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
>
> I never see anything like that, since my pf rules
> only allow me to ssh back to home from my work IP
> range.
>
> In the space of about 15 minutes before I enabled pf
> all of the following users were tried, probably
> by an automated script:
>
> Aaliyah Aaron Aba Abel Exit Jewel
> Zmeu Zmeu adam adam add adm
> admin admin admin admin admin admin
> admin admins admins adrian alan alex
> alin alina alinus amanda andrei andrew
> angel apache aron at backup bnc
> bran brett cafe calendar cap cgi
> ch cmd com danny data david
> dulap fernando fluffy ftp games george
> get guest guest hacker haxor hk
> http httpd hy id ident if
> info info internet irc is it
> john kathi kayten ldap library linux
> lp luis mail mail mailman master
> max michael michael michi mikael mike
> mike mysql mysql net network news
> news nick octavio open oper oracle
> org party paul paul pe pgsql
> pgsql pl play poq postfix postmaster
> print psybnc radu resin rex richard
> richard robert rpm sales samba sara
> search sef sex sgi sharon shell
> shell shop squid ssh stan station
> stef stephen steven sunny sunsun susan
> suva suzuki tavi technicom telnet test
> test test test test trial trib
> uk unix unseen us user user
> username username users web webadmin webmaster
> webmaster webpop word www-data wwwrun wwwrun
> yahoo za
>
> What a cesspool the internet is! Good passwords,
> limit access to where it is necessary,
> and run an ironclad OS. Thanks for making it all
> possible.
>
>
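An added example, not part of either message: a small Python check that picks the username-guessing pattern out of an authlog like the one quoted above. The threshold, the window and the year (syslog lines carry none) are assumptions; the sample lines are copied, unwrapped, from the quoted excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: lines copied (unwrapped) from the authlog excerpt quoted above.
SAMPLE = """\
Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over
Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
"""

# Match only the "Invalid user" line, so the "Failed password" and
# "input_userauth_request" lines for the same attempt are not counted twice.
INVALID = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)$")

def parse(text, year=2000):
    """Yield (timestamp, ip, user); `year` is an assumed placeholder."""
    for line in text.splitlines():
        m = INVALID.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def flag_guessers(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: usernames tried} for every source that produced at least
    `threshold` invalid-user attempts inside one sliding `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # drop attempts older than the window
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in hits})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in flag_guessers(parse(SAMPLE)).items():
        print(f"{ip}: {len(users)} invalid usernames tried: {', '.join(users)}")
```
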