Hi,
I've noticed yesterday evening and this morning (very shortly after
turning on my router at home - on P&T ADSL) that there were attacks
against my SSH server running - quite probably brute-force dictionary
attacks.
I've got quite some entries in my auth.log (extract):
this morning:
----------------------------------------
Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
Oct 12 09:13:11 hermes sshd[547]: Illegal user test from 216.173.46.164
Oct 12 09:13:11 hermes sshd[547]: error: Could not get shadow information for NOUSER
Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
Oct 12 09:13:13 hermes sshd[549]: Illegal user test from 216.173.46.164
Oct 12 09:13:13 hermes sshd[549]: error: Could not get shadow information for NOUSER
Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
Oct 12 09:13:15 hermes sshd[551]: Illegal user test from 216.173.46.164
yesterday evening:
----------------------------------------
Oct 11 19:38:44 hermes sshd[2051]: Illegal user frank from 213.240.168.200
Oct 11 19:38:44 hermes sshd[2051]: error: Could not get shadow information for NOUSER
Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
Oct 11 19:38:45 hermes sshd[2053]: Illegal user george from 213.240.168.200
Oct 11 19:38:45 hermes sshd[2053]: error: Could not get shadow information for NOUSER
Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
Oct 11 19:38:46 hermes sshd[2055]: Illegal user henry from 213.240.168.200
Oct 11 19:38:46 hermes sshd[2055]: error: Could not get shadow information for NOUSER
Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
Oct 11 19:38:47 hermes sshd[2057]: Illegal user john from 213.240.168.200
Oct 11 19:38:47 hermes sshd[2057]: error: Could not get shadow information for NOUSER
Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
----------------------------------------
I suspect these attempts are run from compromised machines, anyway I
did try contacting the admin from yesterday evening's incident.
I suppose all of you will want to check their logs, certainly if you're
running an SSH server.
I've reconfigured my own SSH server to listen on a non-standard
port for now (check /etc/ssh/sshd_config), in addition to my
relatively hard-to-crack passwords (designed not to fall prey to
"normal" dictionary attacks).
I guess "they" are out there...
Greets Eric
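
One way to check an auth.log for the pattern in the extract above (an added example, not part of the original post): it groups failed sshd logins by source address and flags any source that tries several distinct usernames within a short window. The function name, the thresholds and the `year` default are assumptions; the regex also accepts the "invalid user" wording used by later OpenSSH releases, which goes beyond the excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines taken from the extract in the post above, with mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Oct 12 09:13:08 hermes sshd[543]: Failed password for illegal user wwwrun from 216.173.46.164 port 55039 ssh2
Oct 12 09:13:09 hermes sshd[545]: Illegal user matt from 216.173.46.164
Oct 12 09:13:09 hermes sshd[545]: error: Could not get shadow information for NOUSER
Oct 12 09:13:09 hermes sshd[545]: Failed password for illegal user matt from 216.173.46.164 port 55067 ssh2
Oct 12 09:13:11 hermes sshd[547]: Failed password for illegal user test from 216.173.46.164 port 55100 ssh2
Oct 12 09:13:13 hermes sshd[549]: Failed password for illegal user test from 216.173.46.164 port 55134 ssh2
Oct 11 19:38:44 hermes sshd[2051]: Failed password for illegal user frank from 213.240.168.200 port 40686 ssh2
Oct 11 19:38:45 hermes sshd[2053]: Failed password for illegal user george from 213.240.168.200 port 40710 ssh2
Oct 11 19:38:46 hermes sshd[2055]: Failed password for illegal user henry from 213.240.168.200 port 40737 ssh2
Oct 11 19:38:47 hermes sshd[2057]: Failed password for illegal user john from 213.240.168.200 port 40757 ssh2
"""

# Only the "Failed password" line is counted, so each attempt is counted once.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def flag_sources(log_text, window=timedelta(seconds=60),
                 min_failures=4, min_users=3, year=2000):
    """Return {ip: summary} for sources that look like username guessing.

    Syslog timestamps carry no year, so `year` is an assumed placeholder;
    it only matters for ordering events inside one log file.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            per_ip[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures and len({u for _, u in burst}) >= min_users:
                flagged[ip] = {"failures": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged
```

A single mistyped password for a real account stays below both thresholds and is not flagged.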