Looking for examples of network attacks, counterattacks, and protections.
James R. Van Zandt
jrvz at comcast.net
Sat Sep 9 22:14:17 EDT 2006
David -
I have a boatload of auth.log entries like this:
Sep 9 06:41:19 vanzandt CRON[27524]: (pam_unix) session closed for user root
Sep 9 06:42:20 vanzandt sshd[28685]: Did not receive identification string from ::ffff:61.95.172.140
Sep 9 06:43:01 vanzandt CRON[28686]: (pam_unix) session opened for user jrv by (uid=0)
Sep 9 06:43:03 vanzandt CRON[28686]: (pam_unix) session closed for user jrv
Sep 9 06:45:39 vanzandt sshd[28723]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:39 vanzandt sshd[28723]: error: Could not get shadow information for NOUSER
Sep 9 06:45:39 vanzandt sshd[28723]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4212 ssh2
Sep 9 06:45:42 vanzandt sshd[28725]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:42 vanzandt sshd[28725]: error: Could not get shadow information for NOUSER
Sep 9 06:45:42 vanzandt sshd[28725]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4340 ssh2
Sep 9 06:45:45 vanzandt sshd[28727]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:45 vanzandt sshd[28727]: error: Could not get shadow information for NOUSER
Sep 9 06:45:45 vanzandt sshd[28727]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4477 ssh2
Sep 9 06:45:48 vanzandt sshd[28729]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:48 vanzandt sshd[28729]: error: Could not get shadow information for NOUSER
Sep 9 06:45:48 vanzandt sshd[28729]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4583 ssh2
Sep 9 06:45:52 vanzandt sshd[28731]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:52 vanzandt sshd[28731]: error: Could not get shadow information for NOUSER
Sep 9 06:45:52 vanzandt sshd[28731]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4792 ssh2
Your coworker is welcome to a copy of the logs if they would do any
good.
(BTW I have "PermitRootLogin no" in /etc/sshd.conf.)
- Jim Van Zandt
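Jim's auth.log excerpt above is exactly the kind of data a detection rule is written against: repeated "Failed password for illegal user" lines from one source address a few seconds apart. The following script is an added example, not something from the thread or from any project the thread mentions. It parses syslog-style sshd lines, normalizes the IPv4-mapped "::ffff:" prefix that this host's sshd logs, counts failures per source address, and flags an address once a chosen number of failures lands inside a chosen time window. The sample lines are copied from Jim's post (with one CRON line kept to show that non-sshd entries are ignored); the year 2006 is assumed from the mail date because syslog lines carry no year, and the threshold and window values are illustrative choices, not settings from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the post above (constructed subset; one CRON line kept on purpose).
SAMPLE_LOG = """\
Sep 9 06:41:19 vanzandt CRON[27524]: (pam_unix) session closed for user root
Sep 9 06:42:20 vanzandt sshd[28685]: Did not receive identification string from ::ffff:61.95.172.140
Sep 9 06:45:39 vanzandt sshd[28723]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:39 vanzandt sshd[28723]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4212 ssh2
Sep 9 06:45:42 vanzandt sshd[28725]: Illegal user test from ::ffff:61.95.172.140
Sep 9 06:45:42 vanzandt sshd[28725]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4340 ssh2
Sep 9 06:45:45 vanzandt sshd[28727]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4477 ssh2
Sep 9 06:45:48 vanzandt sshd[28729]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4583 ssh2
Sep 9 06:45:52 vanzandt sshd[28731]: Failed password for illegal user test from ::ffff:61.95.172.140 port 4792 ssh2
"""

# syslog prefix: month, day (single-digit days are padded with a second space), time, host, prog[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# "illegal user" is the wording in Jim's logs; newer OpenSSH releases say "invalid user"
FAILED_RE = re.compile(
    r"^Failed password for (?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
NOIDENT_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")


def normalize_ip(ip):
    # This sshd logs IPv4 peers as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d); strip the prefix
    return ip[7:] if ip.startswith("::ffff:") else ip


def parse_line(line, year=2006):
    """Return (timestamp, host, prog, pid, msg) or None if the line is not syslog-shaped.
    `year` is an assumption: syslog lines carry none, and 2006 is taken from the mail date."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    return ts, m["host"], m["prog"], int(m["pid"]), m["msg"]


def summarize_ssh_failures(text, year=2006):
    """Per source IP: timestamps of failed passwords, usernames tried, and scan hints."""
    per_ip = defaultdict(lambda: {"fail_times": [], "users": set(), "no_ident": 0})
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _host, prog, _pid, msg = parsed
        if prog != "sshd":
            continue  # CRON / pam_unix session lines are not login attempts
        f = FAILED_RE.match(msg)
        if f:
            rec = per_ip[normalize_ip(f["ip"])]
            rec["fail_times"].append(ts)
            rec["users"].add(f["user"])
            continue
        n = NOIDENT_RE.match(msg)
        if n:
            # a connection that never sent a banner is usually a scanner probing the port
            per_ip[normalize_ip(n["ip"])]["no_ident"] += 1
    return dict(per_ip)


def flag_bruteforce(summary, threshold=5, window_seconds=600):
    """Addresses with `threshold` failures inside any `window_seconds` span (illustrative values)."""
    flagged = []
    for ip, rec in summary.items():
        times = sorted(rec["fail_times"])
        # sliding window over the sorted failure times
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_ssh_failures(SAMPLE_LOG)
    for ip, rec in summary.items():
        times = sorted(rec["fail_times"])
        span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0
        print(f"{ip}: {len(times)} failed, users={sorted(rec['users'])}, "
              f"no_ident={rec['no_ident']}, span={span:.0f}s")
    print("flagged:", flag_bruteforce(summary))
```

Run it against a real auth.log with `summarize_ssh_failures(open("/var/log/auth.log").read())` and the per-address counts give the evidence for a firewall block or for tuning sshd further; the sliding window matters because a handful of failures spread over a week is a typo, while five in thirteen seconds against a non-existent account is a dictionary run.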
Date: Fri, 8 Sep 2006 15:49:48 -0400 (EDT)
From: "David Kramer" <david at thekramers.net>
A coworker of mine is looking for some real-world or synthetic data of previous network
attacks, attack patterns/types, defense strategies that nets used against
attacks, etc. for model training/testing. He's also interested in talking to SysAdmins
who would be willing to talk about network security and network attacks. This is for a
research project.
Anyone interested? I'll forward your info on to him if you send it to me.
Thanks.