Question about entry in auth.log

Jeremy Chadwick koitsu at
Fri Nov 14 23:37:17 PST 2008

On Fri, Nov 14, 2008 at 10:00:13PM -0500, Lisa Casey wrote:
> Very odd. Sigh, Michael is not vacationing in Romania. Doubt he's ever
> been there. I got rid of the michael account (it wasn't used anyway), and
> downloaded a new copy of chkrootkit, installed it and ran it along with
> chklastlog and chkwtmp. Nothing was found. Perhaps this was a harmless
> enough prank? Anything else I ought to look at? Fortunately the michael
> account did not have the ability to su to root.

The individual in Romania *was not* able to log in as michael.  The
message you saw was sshd saying "Someone's trying to SSH in as user
michael; SSH key negotiation failed, and now I'm asking them to type in
their password manually".

It's not a prank.  Shady online individuals have written scripts/tools
that repetitively beat on sshd, trying to find an account they can log
in as.  They're simply scanning for valid accounts, and they also often
try many passwords over and over (common things, such as the username as
a password).

Welcome to the Internet circa 2008.  :(

"So how do I solve this problem?"

The easiest way: change sshd to listen on a port *other* than 22.  Many
people pick 2222.  This relieves 99% of the pain, but requires you to
tell your users/co-workers/peers "My box listens on port 2222 for ssh,
not 22".

A secondary way: programs which monitor logs and add firewall block
rules when they see too many brute force attempts coming from an IP

(I think I forgot one more, but those are the main three)
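
An added example, not part of the original post: a minimal sketch of the log-monitoring approach described above. It counts sshd `Failed password` lines per source address in a sliding window and returns the addresses that crossed a threshold; the sample log lines, threshold, window and function name are assumptions, and handing the result to a firewall is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (documentation addresses).
SAMPLE_LOG = """\
Nov 14 21:58:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 14 21:58:06 host sshd[4103]: Failed password for michael from 203.0.113.7 port 40120 ssh2
Nov 14 21:58:09 host sshd[4105]: Failed password for michael from 203.0.113.7 port 40133 ssh2
Nov 14 21:58:12 host sshd[4107]: Failed password for root from 203.0.113.7 port 40141 ssh2
Nov 14 21:59:30 host sshd[4120]: Failed password for lisa from 198.51.100.20 port 51500 ssh2
Nov 14 21:59:41 host sshd[4120]: Accepted password for lisa from 198.51.100.20 port 51500 ssh2
Nov 14 22:40:00 host sshd[4188]: Failed password for bob from 192.0.2.55 port 33001 ssh2
Nov 14 23:40:00 host sshd[4290]: Failed password for bob from 192.0.2.55 port 33002 ssh2
Nov 14 23:59:00 host sshd[4301]: Failed password for bob from 192.0.2.55 port 33003 ssh2
"""

# The username is chosen by the remote side and may contain spaces, so the
# pattern is anchored at both ends and the address is read from the line's tail.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def find_offenders(log_text, threshold=4, window_minutes=10, year=2008):
    """Map each IP with >= threshold failures inside the window to the usernames it tried."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> usernames that ip has tried
    flagged = set()
    for line in log_text.splitlines():  # lines are assumed to be in time order
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are not counted
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        users[m["ip"]].add(m["user"])
        times = recent[m["ip"]]
        times.append(when)
        while when - times[0] > window:  # discard failures older than the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: block candidate, tried {', '.join(tried)}")
```

A single mistyped password from a legitimate user (198.51.100.20 in the sample) stays below the threshold, which is why the count is windowed per address rather than taken over the whole log.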

