[H-GEN] Just been checking /var/log/secure on my home computer ...
Ewan Edwards
Edwards_Ewan_B at cat.com
Wed Sep 14 21:20:38 EDT 2005
and was wondering about the different messages in response to
attempted ssh connections. In most cases the message is "Illegal
user <userid> from ::ffff:<ipaddress>", but in some cases the message
is "User <userid> not allowed because not listed in AllowUsers". See
examples below.
My query is to do with what is sent back to the connecting client, e.g.:
Is there a way the connecting client (attacker) can determine if the
user ID being used is 'illegal' or 'not allowed' on the box being
attacked?
Sep 9 16:18:58 jupiter sshd[21399]: Illegal user patrick from ::ffff:72.36.201.146
Sep 9 16:19:02 jupiter sshd[21401]: User root not allowed because not listed in AllowUsers
BTW: It's rather interesting the range of different user IDs some of
these script kiddies try to use. One of them was using a list of
country names, one used a list of software application names. Most
just use common given names, or standard system IDs like root, bin,
adm, lp, sync, ... Administrator, guest, system, etc.
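
Added example (not part of the original post): a small Python summarizer for the two sshd messages quoted above. It tallies rejected logins by message type, user name and source address. The sample lines are constructed in the quoted format, and the function and variable names are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the post (not real log data).
SAMPLE_LOG = """\
Sep  9 16:18:58 jupiter sshd[21399]: Illegal user patrick from ::ffff:72.36.201.146
Sep  9 16:19:02 jupiter sshd[21401]: User root not allowed because not listed in AllowUsers
Sep  9 16:19:05 jupiter sshd[21403]: Illegal user guest from ::ffff:192.0.2.10
Sep  9 16:19:09 jupiter sshd[21405]: Illegal user admin from ::ffff:192.0.2.10
Sep  9 16:19:11 jupiter sshd[21406]: Illegal user x from 10.0.0.1 from ::ffff:192.0.2.10
Sep  9 16:19:12 jupiter sshd[21407]: User bin not allowed because not listed in AllowUsers
Sep  9 16:19:15 jupiter sshd[21409]: Accepted password for alice from ::ffff:192.0.2.20 port 4022 ssh2
"""

# Syslog prefix: month, day, time, host, then the sshd[pid] tag.
PREFIX = r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[\d+\]:\s"
# The user name is client-supplied, so match it greedily and take the address
# after the LAST " from "; a name containing " from " cannot then spoof the IP.
ILLEGAL = re.compile(PREFIX + r"Illegal user (?P<user>.*) from (?:::ffff:)?(?P<ip>\S+)$")
DENIED = re.compile(PREFIX + r"User (?P<user>.*) not allowed because not listed in AllowUsers$")


def summarize(log_text):
    """Tally rejected ssh logins by message type, user name and source address."""
    unknown, denied, by_ip = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ILLEGAL.match(line)
        if m:
            unknown[m["user"]] += 1
            by_ip[m["ip"]] += 1
            continue
        m = DENIED.match(line)
        if m:
            # This message format, as quoted in the post, carries no source address.
            denied[m["user"]] += 1
    return {"unknown_user": unknown, "not_in_allowusers": denied, "by_ip": by_ip}


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, dict(counts))
```
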