i guess the surprising thing is that you haven't been getting these
messages for years now.  i've regularly been seeing fairly
sophisticated ssh probes with a range of accounts from a variety of
source address space. 

what's more, i've been seeing probes with plausible (non-root)
account names for a couple of years now.  OTPs are your friend.


when last we saw our hero (Saturday, Aug 07, 2004), 
 nate at refried.org was madly tapping out:
> Has anyone else been getting these messages in their logs?  It's
> mostly attempts to log in as "guest" or "test" through SSH.
> 
> On Tue, Jul 27, 2004 at 04:02:16PM -0000, logcheck at refried.org wrote:
> > Security Events
> > =-=-=-=-=-=-=-=
> > Jul 27 10:26:22 candle sshd[4246]: Failed password for illegal
> > user test from 61.109.156.5 port 3995 ssh2

{snipped - for brevity}

> On Tue, Aug 03, 2004 at 06:02:15PM -0000, logcheck at refried.org wrote:
> > Security Events
> > =-=-=-=-=-=-=-=
> > Aug  3 12:07:08 candle sshd[7004]: Failed password for illegal
> > user test from 24.100.69.192 port 54042 ssh2

{snipped - for brevity}

> On Fri, Aug 06, 2004 at 11:02:15PM -0000, logcheck at refried.org wrote:
> > Security Events
> > =-=-=-=-=-=-=-=
> > Aug  6 17:45:13 candle sshd[24181]: Failed password for illegal
> > user guest from 132.248.225.118 port 42021 ssh2

> On Sat, Aug 07, 2004 at 08:02:16AM -0000, logcheck at refried.org wrote:
> > Security Events
> > =-=-=-=-=-=-=-=
> > Aug  7 02:32:54 candle sshd[29659]: Failed password for illegal
> > user test from 61.19.212.18 port 55079 ssh2

{snipped - for brevity}


-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC
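
Added example, not part of the original message: a small Python pass over sshd "Failed password" lines like the ones quoted above, grouping probed account names by source address and separating guesses at nonexistent accounts from failures on accounts that exist. The first four sample lines are the quoted log entries with the mail line wraps rejoined; the account "alice" and the address 192.0.2.10 are constructed for the example.

```python
import re
from collections import defaultdict

# First four lines: from the logcheck excerpts quoted above, line wraps rejoined.
# Last two lines: constructed for this example (account "alice", 192.0.2.10).
SAMPLE = """\
Jul 27 10:26:22 candle sshd[4246]: Failed password for illegal user test from 61.109.156.5 port 3995 ssh2
Aug  3 12:07:08 candle sshd[7004]: Failed password for illegal user test from 24.100.69.192 port 54042 ssh2
Aug  6 17:45:13 candle sshd[24181]: Failed password for illegal user guest from 132.248.225.118 port 42021 ssh2
Aug  7 02:32:54 candle sshd[29659]: Failed password for illegal user test from 61.19.212.18 port 55079 ssh2
Aug  7 02:33:01 candle sshd[29660]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Aug  7 02:33:05 candle sshd[29661]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
"""

# sshd of this era logs "illegal user"; later OpenSSH releases log "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_failures(text):
    """Return (source, account, account_exists) for each failed password line."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append((m["src"], m["user"], m["unknown"] is None))
    return events

def sources_per_account(events):
    """Map each probed account name to the set of sources that tried it."""
    seen = defaultdict(set)
    for src, user, _exists in events:
        seen[user].add(src)
    return dict(seen)

def existing_account_failures(events):
    """Failures against accounts that exist: the ones a password guess could hit."""
    return [(src, user) for src, user, exists in events if exists]

if __name__ == "__main__":
    events = parse_failures(SAMPLE)
    for user, srcs in sorted(sources_per_account(events).items()):
        print(f"{user}: {len(srcs)} source(s): {', '.join(sorted(srcs))}")
    print("failures on existing accounts:", existing_account_failures(events))
```

The same account name arriving from several unrelated sources is the pattern visible in the quoted logs; failures on existing accounts are the subset worth alerting on first.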
