Hi'ya guys,

I have been seeing some strange entries in my authlog and I'm pretty sure these are ssh break-in attempts. As far as I understand the issue, those attempts did not result in a system compromise, but anyway I really need your advice on this.

Facts:

ds% uname -a
OpenBSD ds 2.8 GENERIC#399 i386
ds% sshd -v
sshd: illegal option -- v
sshd version OpenSSH_2.3.0

BTW. only protocol version 2 is allowed.

Log Entries:

sshd[10858]: Connection from 211.218.166.200 port 2273
sshd[10858]: Did not receive ident string from 211.218.166.200.
sshd[12075]: Connection from 211.99.196.117 port 2520
sshd[12075]: Did not receive ident string from 211.99.196.117.
sshd[14033]: Connection from 212.46.97.60 port 4309
sshd[14033]: Did not receive ident string from 212.46.97.60.

And, there is no "Enabling compatibility mode for version 2" message which is generated whenever I log in, so those clients seem to be trying to login with protocol ver. 1.

There is one more strange thing, that I started seeing roughly when the sshd fuss came out:

sshd[25774]: Received disconnect: 11: All open channels closed

Would someone explain what exactly this message means?

Oh, and BTW. those IPs are outside my country and no trusted user has ever connected from them.

That's about all I have to say :)

Any thoughts/flames/suggestions/ideas?

P.S. Please don't go into "Reinstalling everything is your only way out". It may be so, but please back yourself up.

Thanks in advance
Emo

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
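A small triage script for entries like the ones quoted above, added here as an example and not part of the original post: it pairs each "Connection from" line with the later line from the same sshd child PID and lists the sources whose connections all ended without an SSH identification string. The 192.0.2.10 lines in the sample are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First three pairs are the entries quoted in the post; the last pair is a
# constructed example of a client that did send its version string.
SAMPLE_LOG = """\
sshd[10858]: Connection from 211.218.166.200 port 2273
sshd[10858]: Did not receive ident string from 211.218.166.200.
sshd[12075]: Connection from 211.99.196.117 port 2520
sshd[12075]: Did not receive ident string from 211.99.196.117.
sshd[14033]: Connection from 212.46.97.60 port 4309
sshd[14033]: Did not receive ident string from 212.46.97.60.
sshd[20001]: Connection from 192.0.2.10 port 1022
sshd[20001]: Enabling compatibility mode for protocol 2.0
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"Connection from (?P<ip>\S+) port \d+")
# Accepts both the short wording above and the longer "identification" form.
NO_IDENT = re.compile(r"Did not receive ident(?:ification)? string from (?P<ip>\S+)")

def summarize(log_text):
    """Return {ip: {"connections": n, "no_ident": n}} keyed by source address."""
    by_pid = {}  # sshd child pid -> source address of the connection it serves
    stats = defaultdict(lambda: {"connections": 0, "no_ident": 0})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an sshd line
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            by_pid[pid] = c.group("ip")
            stats[c.group("ip")]["connections"] += 1
            continue
        n = NO_IDENT.match(msg)
        if n:
            # Prefer the address recorded for this pid; fall back to the one in
            # the message if the Connection line is missing from the log.
            ip = by_pid.pop(pid, None) or n.group("ip").rstrip(".")
            stats[ip]["no_ident"] += 1
    return dict(stats)

def no_ident_only(stats):
    """Sources whose every logged connection ended without an ident string."""
    return sorted(ip for ip, s in stats.items()
                  if s["no_ident"] and s["no_ident"] >= s["connections"])

if __name__ == "__main__":
    for ip in no_ident_only(summarize(SAMPLE_LOG)):
        print(ip)
```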
This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 08:14:54 PST