[NCLUG] LogWatch
Daniel Herrington
danielh at ftc.agilent.com
Fri Apr 19 16:48:56 MDT 2002
Thanks, Michael. That was just the kind of info I was looking for. I
took your advice and upgraded to 3.1p1.
Daniel
On Fri, 19 Apr 2002 12:12:55 -0600
Michael Dwyer <mdwyer at sixthdimension.com> wrote:
> I believe this is a banner attempt to your SSHd -- that is, if you
> telnet to your own SSHd port, you will receive a banner that reports
> which version of SSHd you are running. If you then disconnect, it
> should drop a log message like this.
>
> It isn't a break-in attempt -- yet. It is the information-gathering
> phase of the break-in attempt. From viewing the SSH banner, they can
> tell if you are running one of the exploitable versions of SSH.
>
> If you /are/ running an exploitable version, expect the actual attack to
> occur in the near future...
>
> (Upgrade to OpenSSH v3.1p1)
>
> Daniel Herrington wrote:
> >
> > Should I be concerned about messages like this every few days (with a
> > different IP address given each time)? I assume this is showing an
> > attempt by someone to break into my system.
> >
> > Thanks,
> > Daniel Herrington
> >
> > ################## LogWatch 2.1.1 Begin #####################
> >
> > ---------------- Connections (secure-log) Begin -------------------
> >
> > **Unmatched Entries**
> > Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 210.223.172.151.
> >
> > ----------------- Connections (secure-log) End --------------------
> >
> > ###################### LogWatch End #########################
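Added example, not part of the original thread: a small Python script that pulls the "Did not receive identification string" entries discussed above out of an sshd log and groups them by source address, so repeat probes stand out from one-off connections. The sample log lines, the function names and the acceptance of a trailing "port N" variant are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format shown in the LogWatch report;
# PIDs, user name and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = """\
Apr 18 16:04:56 tomcat sshd[6797]: Did not receive identification string from 192.0.2.15.
Apr 18 16:05:02 tomcat sshd[6801]: Accepted password for daniel from 198.51.100.7 port 1022 ssh2
Apr 19 03:11:40 tomcat sshd[7012]: Did not receive identification string from 203.0.113.44
Apr 19 03:11:41 tomcat sshd[7013]: Did not receive identification string from 203.0.113.44 port 51514
Apr 21 09:30:00 tomcat sshd[7300]: Did not receive identification string from 192.0.2.15.
Apr 21 09:30:05 tomcat crond[7301]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches only sshd lines where the peer connected and left without sending
# an SSH identification string. The address may be followed by a trailing
# "." (as in the report above) or by "port N" (assumed variant).
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Did not receive identification string from "
    r"(?P<ip>[0-9A-Fa-f:.]*[0-9A-Fa-f])\.?(?:\s+port\s+(?P<port>\d+))?\s*$"
)


def find_probes(log_text):
    """Return {source_ip: [timestamps]} for every matching sshd entry."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes[m.group("ip")].append(m.group("ts"))
    return dict(probes)


def repeat_sources(probes, threshold=2):
    """Sources seen at least `threshold` times, most frequent first."""
    hits = [(ip, len(ts)) for ip, ts in probes.items() if len(ts) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, stamps in sorted(found.items()):
        print(f"{ip:15} count={len(stamps)} first={stamps[0]} last={stamps[-1]}")
    print("repeat sources:", repeat_sources(found))
```
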