[NCLUG] LogWatch

Michael Dwyer mdwyer at sixthdimension.com
Fri Apr 19 12:12:55 MDT 2002


I believe this is a banner attempt to your SSHd -- that is, if you
telnet to your own SSHd port, you will receive a banner that reports
which version of SSHd you are running.  If you then disconnect, it
should drop a log message like this.

It isn't a break-in attempt -- yet.  It is the information-gathering
phase of the break-in attempt.  From viewing the SSH banner, they can
tell if you are running one of the exploitable versions of SSH.  

If you /are/ running an exploitable version, expect the actual attack to
occur in the near future...

(Upgrade to OpenSSH v3.1p1)

Daniel Herrington wrote:
> 
> Should I be concerned about messages like this every few days (with a
> different IP address given each time)?  I assume this is showing an
> attempt by someone to break into my system.
> 
> Thanks,
> Daniel Herrington
> 
>  ################## LogWatch 2.1.1 Begin #####################
> 
>  ---------------- Connections (secure-log) Begin -------------------
> 
> **Unmatched Entries**
> Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 210.223.172.151.
> 
>  ----------------- Connections (secure-log) End --------------------
> 
>  ###################### LogWatch End #########################
> _______________________________________________
> NCLUG mailing list       NCLUG at nclug.org
> 
> To unsubscribe, subscribe, or modify your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug
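
As an added example (not part of the original email or of LogWatch), the following script tallies the "Did not receive identification string" entries discussed above by source address, so repeated probes stand out from one-off ones. The first sample line is the one quoted in the report; the remaining lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the sshd message quoted in the LogWatch report. The trailing period
# and the optional "port N" suffix (logged by later OpenSSH releases) are
# both tolerated.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Did not receive identification string from\s"
    r"(?P<src>[0-9A-Fa-f:.]+?)(?:\sport\s\d+)?\.?\s*$"
)

# First line is from the report above; the rest are constructed samples
# using documentation-reserved addresses.
SAMPLE_LOG = [
    "Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 210.223.172.151.",
    "Apr 20 03:11:02 tomcat sshd[7012]: Did not receive identification string from 192.0.2.44.",
    "Apr 20 03:11:09 tomcat sshd[7015]: Did not receive identification string from 192.0.2.44.",
    "Apr 21 09:30:40 tomcat sshd[7101]: Accepted password for alice from 198.51.100.5 port 1022",
    "Apr 22 22:47:13 tomcat sshd[7230]: Did not receive identification string from 198.51.100.9 port 40112",
]


def summarize_probes(lines):
    """Map each source address to the timestamps at which it connected and
    disconnected without sending an SSH identification string."""
    probes = defaultdict(list)
    for line in lines:
        m = PROBE_RE.match(line.strip())
        if m:
            probes[m.group("src")].append(m.group("ts"))
    return dict(probes)


def repeat_sources(probes, threshold=2):
    """Return the sources seen at least `threshold` times (hypothetical cutoff)."""
    return sorted(ip for ip, seen in probes.items() if len(seen) >= threshold)


if __name__ == "__main__":
    found = summarize_probes(SAMPLE_LOG)
    for src, stamps in sorted(found.items()):
        print(f"{src:>18}  {len(stamps)} probe(s)  first seen {stamps[0]}")
    print("repeat sources:", repeat_sources(found))
```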


