[NCLUG] LogWatch
Michael Dwyer
mdwyer at sixthdimension.com
Fri Apr 19 12:12:55 MDT 2002

I believe this is a banner attempt to your SSHd -- that is, if you
telnet to your own SSHd port, you will receive a banner that reports
which version of SSHd you are running. If you then disconnect, it
should drop a log message like this.

It isn't a break-in attempt -- yet. It is the information-gathering
phase of the break-in attempt. From viewing the SSH banner, they can
tell if you are running one of the exploitable versions of SSH.

If you /are/ running an exploitable version, expect the actual attack to
occur in the near future...

(Upgrade to OpenSSH v3.1p1)

Daniel Herrington wrote:
>
> Should I be concerned about messages like this every few days (with a
> different IP address given each time)? I assume this is showing an
> attempt by someone to break into my system.
>
> Thanks,
> Daniel Herrington
>
> ################## LogWatch 2.1.1 Begin #####################
>
> ---------------- Connections (secure-log) Begin -------------------
>
> **Unmatched Entries**
> Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 210.223.172.151.
>
> ----------------- Connections (secure-log) End --------------------
>
> ###################### LogWatch End #########################
> _______________________________________________
> NCLUG mailing list NCLUG at nclug.org
>
> To unsubscribe, subscribe, or modify your settings, go to:
> http://www.nclug.org/mailman/listinfo/nclug
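
Added example, not part of the original messages: a Python tally of the sshd line shown in the LogWatch report, grouped by source address so that repeat probers stand out from one-off connects. Only the first line of SAMPLE_LOG comes from the report above; the other lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the sshd message quoted in the LogWatch report. The trailing "." is
# how the line appears in that report; the optional " port N" suffix covers
# later OpenSSH releases, which append the source port instead.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Did not receive identification string from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\sport\s\d+)?\.?\s*$"
)

def banner_probes(lines):
    """Return {source_ip: [timestamps]} for connections that closed
    without ever sending an SSH identification string."""
    hits = defaultdict(list)
    for line in lines:
        m = PROBE_RE.match(line)
        if m:
            hits[m.group("ip")].append(m.group("ts"))
    return dict(hits)

def repeat_sources(hits, threshold=2):
    """Source addresses seen at least `threshold` times (hypothetical cutoff)."""
    return sorted(ip for ip, seen in hits.items() if len(seen) >= threshold)

# First line is the entry from the report; the rest are constructed samples
# using documentation address ranges.
SAMPLE_LOG = [
    "Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 210.223.172.151.",
    "Apr 18 16:10:02 tomcat sshd[6801]: Accepted password for alice from 192.0.2.10 port 1022 ssh2",
    "Apr 19 03:21:40 tomcat sshd[6950]: Did not receive identification string from 198.51.100.7.",
    "Apr 21 11:47:13 tomcat sshd[7102]: Did not receive identification string from 198.51.100.7 port 40112",
]

if __name__ == "__main__":
    hits = banner_probes(SAMPLE_LOG)
    for ip, seen in sorted(hits.items()):
        print(f"{ip}: {len(seen)} probe(s) at {', '.join(seen)}")
    print("repeat sources:", repeat_sources(hits))
```

Run it against the secure log (for example `banner_probes(open(path))`, with the path as used on your system) to see which addresses come back and how often.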