Hacking attempt?


zeke676
07-01-2005, 01:44 PM
I have a linux box running slackware, just set up for me to mess around with. It sits behind a linksys router in a DMZ setup where I can access this pc from anywhere. I checked a log file today with access attempts and part of it contained:

Jun 30 18:55:36 tuxBox sshd[1723]: Invalid user test from 66.235.160.30
Jun 30 18:55:36 tuxBox sshd[1723]: error: Could not get shadow information for NOUSER
Jun 30 18:55:36 tuxBox sshd[1723]: Failed password for invalid user test from 66.235.160.30 port 36428 ssh2
Jun 30 18:55:37 tuxBox sshd[1726]: Invalid user guest from 66.235.160.30
Jun 30 18:55:37 tuxBox sshd[1726]: error: Could not get shadow information for NOUSER
Jun 30 18:55:37 tuxBox sshd[1726]: Failed password for invalid user guest from 66.235.160.30 port 36587 ssh2
Jun 30 18:55:37 tuxBox sshd[1729]: Invalid user admin from 66.235.160.30
Jun 30 18:55:37 tuxBox sshd[1729]: error: Could not get shadow information for NOUSER
Jun 30 18:55:37 tuxBox sshd[1729]: Failed password for invalid user admin from 66.235.160.30 port 36638 ssh2
Jun 30 18:55:38 tuxBox sshd[1732]: Invalid user admin from 66.235.160.30
Jun 30 18:55:38 tuxBox sshd[1732]: error: Could not get shadow information for NOUSER
Jun 30 18:55:38 tuxBox sshd[1732]: Failed password for invalid user admin from 66.235.160.30 port 36670 ssh2
Jun 30 18:55:39 tuxBox sshd[1735]: Invalid user user from 66.235.160.30
Jun 30 18:55:39 tuxBox sshd[1735]: error: Could not get shadow information for NOUSER
Jun 30 18:55:39 tuxBox sshd[1735]: Failed password for invalid user user from 66.235.160.30 port 36792 ssh2
Jun 30 18:55:39 tuxBox sshd[1738]: Failed password for root from 66.235.160.30 port 36906 ssh2
Jun 30 18:55:40 tuxBox sshd[1741]: Failed password for root from 66.235.160.30 port 36943 ssh2
Jun 30 18:55:40 tuxBox sshd[1744]: Failed password for root from 66.235.160.30 port 37067 ssh2
Jun 30 18:55:41 tuxBox sshd[1747]: Invalid user test from 66.235.160.30
Jun 30 18:55:41 tuxBox sshd[1747]: error: Could not get shadow information for NOUSER
Jun 30 18:55:41 tuxBox sshd[1747]: Failed password for invalid user test from 66.235.160.30 port 37107 ssh2


I've read that someone is trying to crack into my box but I don't know if they did or not. The /var/log/wtmp file was empty. And issuing the "lastlog" command doesn't show any information about a user being logged in yesterday.

Also, in the lastlog output I got all these user names:


bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
news **Never logged in**
uucp **Never logged in**
operator **Never logged in**
games **Never logged in**
ftp **Never logged in**
smmsp **Never logged in**
mysql **Never logged in**
rpc **Never logged in**
sshd **Never logged in**
gdm **Never logged in**
pop **Never logged in**
nobody **Never logged in**


Can someone tell me why I have all these users? They look like something for the services, but the user nobody makes me wonder.

Hayl
07-01-2005, 02:04 PM
They are all normal users that most distros have, and yes, they are for services.

Don't worry about the nobody account either, it is normal.

It doesn't look like anyone got into your box from the log you showed, since they all were "failed".
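As an added example (not from the thread), here is a small Python script that reads sshd log lines like the ones posted above and answers the same two questions Hayl answered by eye: did any attempt succeed, and was the failure rate high enough to call it a brute-force run. The 66.235.160.30 lines are copied from the post; the 192.0.2.10 lines are constructed to show what a success following failures would look like.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 66.235.160.30 lines are copied from the thread; the
# two 192.0.2.10 lines are invented to show a success following failures.
SAMPLE_LOG = """\
Jun 30 18:55:36 tuxBox sshd[1723]: Failed password for invalid user test from 66.235.160.30 port 36428 ssh2
Jun 30 18:55:37 tuxBox sshd[1726]: Failed password for invalid user guest from 66.235.160.30 port 36587 ssh2
Jun 30 18:55:37 tuxBox sshd[1729]: Failed password for invalid user admin from 66.235.160.30 port 36638 ssh2
Jun 30 18:55:39 tuxBox sshd[1738]: Failed password for root from 66.235.160.30 port 36906 ssh2
Jun 30 18:55:40 tuxBox sshd[1741]: Failed password for root from 66.235.160.30 port 36943 ssh2
Jun 30 19:02:11 tuxBox sshd[1801]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jun 30 19:02:15 tuxBox sshd[1804]: Accepted password for root from 192.0.2.10 port 40002 ssh2
"""

# One auth-result line: timestamp, outcome, user, source address.
RESULT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_sshd_log(log_text):
    """Yield (timestamp, outcome, user, ip) for each line that reports a result."""
    for line in log_text.splitlines():
        m = RESULT.match(line)
        if m:  # "Invalid user ..." / "Could not get shadow ..." lines carry no outcome
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3), m.group(4)


def summarize(log_text, threshold=5, window_seconds=60):
    """Per source IP: failures, users tried, accepted logins, and whether
    `threshold` failures landed inside any `window_seconds` span."""
    per_ip = defaultdict(lambda: {"failed": [], "users": set(), "accepted": []})
    for ts, outcome, user, ip in parse_sshd_log(log_text):
        if outcome == "Failed":
            per_ip[ip]["failed"].append(ts)
            per_ip[ip]["users"].add(user)
        else:
            per_ip[ip]["accepted"].append(user)
    report = {}
    for ip, e in per_ip.items():
        t = sorted(e["failed"])
        burst = any((t[i + threshold - 1] - t[i]).total_seconds() <= window_seconds
                    for i in range(len(t) - threshold + 1))
        report[ip] = {"failures": len(t), "users": sorted(e["users"]),
                      "accepted": e["accepted"], "brute_force": burst,
                      # a success from an address that was also guessing is what to chase
                      "success_after_failures": bool(t and e["accepted"])}
    return report
```

Run it over the real file with `summarize(open("/var/log/messages").read())` (or wherever your syslog sends auth messages); the syslog timestamps carry no year, so only deltas within one file are meaningful.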

ph34r
07-01-2005, 02:19 PM
And all those failures are just script kiddies trying some old (2 years or so) default information.

zeke676
07-01-2005, 03:21 PM
Thanks for the info, but why was the /var/log/wtmp file gone? Does it get deleted every month or something? I've read that the wtmp file is one of the first files they delete to cover their tracks.

rocketpcguy
07-01-2005, 03:23 PM
I suggest you disable root access by editing the sshd_config, because someone might brute force the password. Since they don't know your username, they'll have to guess the username AND the password.

Also, you can run sshd on a non-standard port.

ooagentbender
07-01-2005, 03:53 PM
> I suggest you disable root access by editing the sshd_config, because someone might brute force the password. Since they don't know your username, they'll have to guess the username AND the password.
>
> Also, you can run sshd on a non-standard port.

Great tip for reinforcing your system security.

jymbo
07-01-2005, 06:54 PM
Here's how I like to lock-down my external ssh access:

These options are in your /etc/ssh/sshd_config file:

# Don't allow root login in the first place
PermitRootLogin no
# Only allow myself and my friend to login
AllowUsers me my_buddy

This next trick is called "security through obscurity"...and it works quite well against the ssh scanbots (note: if you're gonna do this, don't forget to open a pinhole in your firewall and use the "-p" option when you are ssh-ing in)

#Have ssh listen on another port of my choice
Port 6622
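As an added example (not from the thread), a Python checker for the three settings jymbo lists. It also handles a detail that trips people up when they paste these lines under a distro default: per sshd_config(5), the first value seen for a keyword is the one sshd uses, so a "PermitRootLogin no" below an existing "PermitRootLogin yes" does nothing. The config text is constructed, and the parser assumes nothing relevant sits inside a Match block.

```python
import re

# AllowUsers and friends accumulate across lines; every other keyword keeps its first value.
LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}
# "Keyword value" or "Keyword=value"; '#' starts a comment.
OPTION = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")

# Constructed sshd_config excerpt: the post's three settings pasted under
# distro defaults that were never removed.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
# my lock-down
PermitRootLogin no
AllowUsers me
AllowUsers my_buddy
Port 6622
"""


def effective_settings(config_text):
    """Map each keyword (lower-cased) to the value sshd will actually use.
    First value wins, except list keywords which accumulate. Parsing stops at
    the first Match block (assumption: nothing relevant is conditional)."""
    settings = {}
    for raw in config_text.splitlines():
        m = OPTION.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in LIST_KEYWORDS:
            settings[key] = (settings.get(key, "") + " " + value).strip()
        else:
            settings.setdefault(key, value)
    return settings


def audit(config_text):
    """Return the findings a reviewer would raise against the thread's advice."""
    s = effective_settings(config_text)
    findings = []
    # OpenSSH of the thread's era defaulted PermitRootLogin to yes.
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can be guessed at directly")
    if "allowusers" not in s:
        findings.append("no AllowUsers line: every local account may attempt a login")
    if s.get("port", "22") == "22":
        findings.append("Port 22: the port every ssh scanbot tries first")
    return findings
```

With the sample above, `audit(SAMPLE_CONFIG)` reports both PermitRootLogin and Port, because the earlier default lines win; deleting them (or moving the lock-down lines above them) clears the findings.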

zeke676
07-01-2005, 11:39 PM
Thanks for the great tip, jymbo.

Gertrude
07-02-2005, 06:04 AM
The real issue here is that you have ssh open to the world. You should really think about setting up iptables/chains, or using tcp wrappers to limit access to only certain IPs or even subnets if you have to. If you are not constantly logging in from different locations there is no reason to leave sshd open like that.

flukshun
07-03-2005, 03:09 PM
> I suggest you disable root access by editing the sshd_config, because someone might brute force the password. Since they don't know your username, they'll have to guess the username AND the password.
>
> Also, you can run sshd on a non-standard port.

It also helps to rename your su binary, and perhaps booby trap the original command. My su, for example, displays the normal access denied output for a failed su attempt, but it also sends me a text message with the pwd, username, and password. You can rig it to do anything though: temporary lockdown, block the IP, etc.