Fred
01-07-2006, 01:17 PM
Hi guys,
We all know about the bots that scans sshd and try to brute force user or root password... It's common to receive 5 or 6 bfd alert every day for me :)
Some of us change the sshd port to avoid these scans...
But today, my logwatch mail was including a strange thing coming from one of these scans:
Jan 7 09:45:29 xxxxx sshd[21698]: User popa3d not allowed because shell /dev/ null is not executable
Does the "not allowed because shell /dev/null is not executable" means the password matched but the system wasn't able to start the shell ???
I mean, the normal message looks like this:
Jan 7 12:52:53 xxxxx sshd[898]: Failed password for illegal user popa3d from
xxx.xxx.xx.xxx port 1202 ssh2
So, should i worry ?
We all know about the bots that scans sshd and try to brute force user or root password... It's common to receive 5 or 6 bfd alert every day for me :)
Some of us change the sshd port to avoid these scans...
But today, my logwatch mail was including a strange thing coming from one of these scans:
Jan 7 09:45:29 xxxxx sshd[21698]: User popa3d not allowed because shell /dev/ null is not executable
Does the "not allowed because shell /dev/null is not executable" means the password matched but the system wasn't able to start the shell ???
I mean, the normal message looks like this:
Jan 7 12:52:53 xxxxx sshd[898]: Failed password for illegal user popa3d from
xxx.xxx.xx.xxx port 1202 ssh2
So, should i worry ?