Sometime in April I added port forwarding for SSH to a WGR614v5 router so that I could connect to my old crappy Evo N115 running Debian Linux from anywhere. The router is on a BigPond cable connection.

Since then a lot of people have tried to break into it. I have no idea why as it's a very old computer (from March 2002) and there is nothing at all personal or interesting on it. I use it for integer programming problems in combinatorics and for playing with Debian Linux and that's it. The first people were from the webserver www.aname.co.kr at ANAM Electronics in Korea, on April 26 from 11:14 to 11:45 and on April 27 from 04:46 to 05:26. They tried 482 passwords for root (the system administrator account) and 7 passwords for "guset" (they couldn't even spell "guest"!) before giving up. Shouldn't they have been working hard? Anyway it made me curious, I wondered what kind of passwords they had been trying - I read the manpage for sshd_config to see if it could log the plaintext passwords they tried, but even debug level DEBUG3 doesn't do that, so I gave up. I couldn't be bothered editing the source code to keep track of what idiots are doing.

(It also made me think again about Korea, and whether people there have more tolerance for spam than in other countries, because it used to be one of the worst spam-origin countries. Now it's dropped to 7th place on the Spamhaus list of countries. But now having been there, I think people there are just as annoyed by spam as people anywhere else.)

niavaran:/var/log# (cat auth.log auth.log.0; gzip -dc auth.log.?.gz) | grep failure | tr ' ' '\n' | grep rhost= | sort | uniq -c |sort -n
1 rhost=
1 rhost=
1 rhost=
2 rhost=
3 rhost=
6 rhost=
7 rhost=
8 rhost=
9 rhost=cpe-071-071-245-176.carolina.res.rr.com
66 rhost=
87 rhost=
144 rhost=testmail.enserg.fr
182 rhost=velos.avacom.net
489 rhost=www.aname.co.kr
654 rhost=
946 rhost=
951 rhost=
1312 rhost=59-106-15-169.r-bl100.sakura.ne.jp
4467 rhost=
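
An added example, not part of the original post: the same tally broken down per remote host and per targeted account, with the first and last failure seen for each pair. The log lines are constructed samples in an assumed pam_unix syslog format, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: summarise PAM authentication failures from auth.log lines on stdin.
# Output: "<count> <rhost> <user> first=... last=...", sorted by count.
# first/last follow input order, so feed the oldest log file first.

summarise_failures() {
    awk '
    /authentication failure;/ {
        rhost = ""; user = "-"      # "-" = no user= field on the line
        for (i = 1; i <= NF; i++) {
            # anchored patterns, so ruser= is not mistaken for rhost= or user=
            if ($i ~ /^rhost=/) rhost = substr($i, 7)
            else if ($i ~ /^user=/) user = substr($i, 6)
        }
        if (rhost == "") next       # skip lines with no remote host recorded
        key = rhost " " user
        count[key]++
        stamp = $1 " " $2 " " $3    # syslog timestamp (carries no year)
        if (!(key in first)) first[key] = stamp
        last[key] = stamp
    }
    END {
        for (key in count)
            printf "%d %s first=\"%s\" last=\"%s\"\n", count[key], key, first[key], last[key]
    }' | sort -n
}

# Constructed sample input (hosts, PIDs and times are invented for illustration).
sample_log() {
    cat <<'EOF'
Apr 26 11:14:02 host sshd[2101]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=root
Apr 26 11:14:09 host sshd[2103]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=root
Apr 26 11:15:30 host sshd[2107]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net
Apr 27 04:46:11 host sshd[2250]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=root
Apr 27 05:01:00 host sshd[2260]: Accepted password for me from 192.0.2.10 port 4000 ssh2
Apr 28 09:00:00 host sshd[2300]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
EOF
}

sample_log | summarise_failures
```

On the real logs the input would come from the same cat/gzip -dc command as above, with the files listed oldest first.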

