HowTo: Find SSH Hackers’ IPs in a jiffy
Well I will keep this short and sweet:
Locate SSH hack attempts swiftly:
azio:/var/log# cat auth.log | grep refused
AND
azio:/var/log# zcat auth.log.*.gz | grep refused
Grabbing the unauthorised/nonexisting user attempts:
azio:/var/log# cat auth.log.0 | grep failed | awk '{print $9}'
The awk line pulls out a single field from each row. It’s very neat if you just want user names on one-liners for later processing, evidence, personal security lists and so forth. What I have found is key is learning from the hacker! Why not learn how they are going about their daily hacks? That is, there’s a clear balance between complacency and security: too much of ANYTHING is bad, and so is too little monitoring or leeway to FIND the hacker; sometimes, ironically, that will involve allowing access to certain systems. An article I withdrew about British Telecom’s Clean Feed software iconically said:
“securing illegal activity on the internet is not about disallowing and blocking access, it’s also about allowing it so that you can monitor it, without monitoring an even more secret and underground movement”
A lot of you will disagree with this philosophy; I do too, believe it or not. However, I have to surmise that there must be a balance. Think about it, seriously, just for a few moments. Think about .nl’s open drug policy: it reduces crime, because a large section of what was “crime related activity” is monitored. To a few, this comparison might seem like madness, but it’s quite a true and real comparison; some people embrace the philosophy of monitor over secure, and perhaps there is some very strong basis to that philosophy. Punters (or hackers in our case) may be doing things we do not want them to do, but isn’t it so much better to have them in plain sight? Who knows, but it’s a nice philosophy. Consider not removing the only element that allows you to monitor hackers, which is an *interesting* idea. Comments would really be appreciated.
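Coming back to the grep/awk one-liners above: a fixed field number such as $9 depends on the exact log format, and the user name in the line is chosen by the remote side, so it can contain spaces and shift every field after it. The script below is an added example, not part of the original article; it assumes OpenSSH's "Failed password for ... from IP port N ssh2" line format, reads the IP relative to the end of the line, and counts attempts per IP or per user name. The log lines, host name and addresses are constructed, and the names sample_log, failed_fields and count_column are made up for this example.

```shell
#!/bin/sh
# Added example. Constructed sample lines (documentation-range IPs), assuming
# OpenSSH's "Failed password for [invalid user] NAME from IP port N ssh2".
sample_log() {
cat <<'EOF'
Oct 13 21:40:01 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Oct 13 21:40:03 box sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40031 ssh2
Oct 13 21:40:05 box sshd[2107]: Invalid user oracle from 198.51.100.7
Oct 13 21:40:06 box sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 51200 ssh2
Oct 13 21:41:10 box sshd[2110]: Failed password for root from 192.0.2.10 port 40040 ssh2
Oct 13 21:42:00 box sshd[2115]: Accepted password for azio from 203.0.113.5 port 50000 ssh2
Oct 13 21:44:00 box sshd[2125]: Failed password for invalid user admin from 10.9.9.9 port 1 ssh2 from 198.51.100.7 port 51211 ssh2
EOF
}

# failed_fields: read log lines on stdin, print "ip<TAB>user" for every
# failed password attempt. Only "Failed password" lines are counted, so the
# separate "Invalid user ..." notice for the same attempt is not counted twice.
failed_fields() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
      ip = $(NF-3)                 # anchored to the end of the line
      start = 0
      for (i = 1; i <= NF; i++)
        if ($i == "password" && $(i+1) == "for") { start = i + 2; break }
      if (!start) next
      if ($start == "invalid" && $(start+1) == "user") start += 2
      user = ""                    # everything up to the trailing "from"
      for (i = start; i <= NF-5; i++)
        user = user (user == "" ? "" : " ") $i
      print ip "\t" user
    }'
}

# count_column N: N=1 counts per source IP, N=2 counts per user name.
# Output is "count<TAB>value", highest count first.
count_column() {
  TAB=$(printf '\t')
  failed_fields |
    awk -F '\t' -v c="$1" '{ n[$c]++ } END { for (k in n) print n[k] "\t" k }' |
    LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2
}

# Demo on the constructed sample: attempts per source IP.
sample_log | count_column 1
```

On a real box, feed it the current and rotated logs in one go, for example: zcat -f /var/log/auth.log* | count_column 1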
And Finally…
I was so shocked at the response I got from my original SSH article I thought I’d publish a slightly larger list of attempted “hack” usernames on some more of my Unix boxen, here they are:
Over 2000 Hacks of Kiddie’ - and a good job they did of it too.
andy said,
October 13, 2006 @ 9:47 pm
I use this line… Just gives me the IPs I need to throw into APF…
Oh, I should mention that this is on RHEL4
cat secure | grep Invalid | awk '{print $10}' | sort -u
azio said,
October 14, 2006 @ 1:49 am
Hey andy, thanks a lot for your comment, I’ll have to have a play with sort
I’ll add it to the article tomorrow evening!
Best Wishes,
Azio
mike said,
October 14, 2006 @ 5:35 am
and if you want to stop these annoying automated attacks on your ssh server, a quick fix is to run ssh on a different port.
dude said,
October 14, 2006 @ 6:22 am
lol
PuTTYPuTTYPuTTYPuTTYPuTTYfirebird seems to stand out
JR said,
October 14, 2006 @ 6:58 am
You could also just change the SSH port in your /etc/ssh/sshd file to something a little more obscure.
josje said,
October 14, 2006 @ 7:12 am
Easy answer: http://fail2ban.sourceforge.net/wiki/index.php/Main_Page
rtyp3 said,
October 14, 2006 @ 8:35 am
heh i do the same as andy, good read tho. Also try and tweak sshd so it doesn’t allow so many password tries.
Ryan said,
October 14, 2006 @ 9:07 am
You can use iptables to automatically drop traffic from IPs that make say 4 ssh attempts in 1min for 5minutes. This will cause the kiddie’s script to abort.
Christian said,
October 14, 2006 @ 9:08 am
Funny that “root” isn’t in the list. That’s the account I’d go for… :>
aaron said,
October 14, 2006 @ 9:36 am
Neat article. Try DenyHosts, it basically does the same thing but automatically forwards all sshd hackers to your hosts.deny file. See http://denyhosts.sourceforge.net/
Icheb said,
October 14, 2006 @ 10:10 am
You can find a script capable of adding iptables entries for found ssh attacks at http://blinkeye.ch/mediawiki/index.php/SSH_Blocking.
I’ve used this on a few hosts, it’s relatively easy to install, although you sometimes have to change the detection a bit (find another word, ip address being just another word…). But it runs very well ;).
Furthermore you can also change your SSH port if you hate receiving large logwatch e-mails, or you can deinstall logwatch…
Lizer said,
October 14, 2006 @ 11:10 am
I wrote two scripts that do something similar some time ago:
http://lizer.syslinx.org/temporary/failog
http://lizer.syslinx.org/temporary/lognames
Usage:
zcat /var/log/authlog*gz | cat - /var/log/authlog | ./failog [date|host]
Counts the failed logins grouped by date/attacker ip.
zcat /var/log/authlog*gz | cat - /var/log/authlog | ./lognames
Lists the login names and how often each has tried.
converter said,
October 14, 2006 @ 1:18 pm
Five point penalty for unnecessary use of cat.
zegrep refused auth.log*
cat(1) is for concatenating text files:
cat file1 file2 file3 > file4
and etc.
Most of the standard unix text processing utilities will open and read from one or more files passed on the command line (just like cat does), iterating over their lines as if they were a single file.
What’s the point? Even though the time and energy I’ve just devoted to this post may suggest otherwise, I hate unnecessary typing, and one less cat process means slightly lower resource usage.
harl said,
October 14, 2006 @ 2:39 pm
Have a look at denyhosts and forget about it: http://denyhosts.sourceforge.net/
Works out-of-the-box for most distributions.
James said,
October 14, 2006 @ 5:26 pm
Or, a better way is to do strict iptables firewall rules on rate limiting, and/or source/dest and if at all possible implement a port knocker.
Example of iptables script that drops new connections after 7 attempts in 30 seconds (this is off memory, sorry if it doesn’t work…look @ manpage for more info):
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 7 --name DEFAULT --rsource -j DROP
Some articles on port knocking:
http://www.ducea.com/2006/07/05/how-to-safely-connect-from-anywhere-to-your-closed-linux-firewall/
http://gentoo-wiki.com/HOWTO_autossh_and_knockd
Loren said,
October 14, 2006 @ 6:30 pm
You could also shorten that ‘awk’ command to:
awk '/failed/{print $9}' /var/log/auth.log
krkosska said,
October 14, 2006 @ 9:36 pm
I firewall port 22 and use a variant of popauth to open that port to specific users when they successfully check email. Of course, the server doesn’t have to accept mail for them…