SSH Brute Force Attacks Abound - and thanks!

To: <misc@...>
Date: Thursday, January 10, 2008 - 5:53 pm

A practical example, real life, last night.
I was replacing my hard drive on my home broadband OBSD firewall, and it was taking a few minutes
to copy over the old pf.conf and enable the firewall. I had installed the latest snapshot as a
fresh image and restarted. It took a little while to set up the local networks, and I was connected
to the Internet, so I could download packages.

I copied over the pf.conf from my backup host and enabled it, not thinking much more about it.
Then this morning I looked at /var/log/authlog to see stuff like this:

Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over
Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
Jan 9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
Jan 9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam
Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan 9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
Jan 9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial
Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan 9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
Jan 9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar
Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan 9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
Jan 9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq
Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2

I never see anything like that, since my pf rules only allow me to ssh back to home from my work IP range.

In the space of about 15 minutes before I enabled pf all of the following users were tried, probably
by an automated script:

Aaliyah Aaron Aba Abel Exit Jewel
Zmeu Zmeu adam adam add adm
admin admin admin admin admin admin
admin admins admins adrian alan alex
alin alina alinus amanda andrei andrew
angel apache aron at backup bnc
bran brett cafe calendar cap cgi
ch cmd com danny data david
dulap fernando fluffy ftp games george
get guest guest hacker haxor hk
http httpd hy id ident if
info info internet irc is it
john kathi kayten ldap library linux
lp luis mail mail mailman master
max michael michael michi mikael mike
mike mysql mysql net network news
news nick octavio open oper oracle
org party paul paul pe pgsql
pgsql pl play poq postfix postmaster
print psybnc radu resin rex richard
richard robert rpm sales samba sara
search sef sex sgi sharon shell
shell shop squid ssh stan station
stef stephen steven sunny sunsun susan
suva suzuki tavi technicom telnet test
test test test test trial trib
uk unix unseen us user user
username username users web webadmin webmaster
webmaster webpop word www-data wwwrun wwwrun
yahoo za

What a cesspool the internet is! Good passwords, limit access to where it is necessary,
and run an ironclad OS. Thanks for making it all possible.
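
Added example, not part of the original message: one way to turn authlog lines like the excerpt above into a per-source summary of username guessing. The sample lines are copied from that excerpt; the function names, the year default, and the thresholds (5 distinct usernames within 15 minutes) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the authlog excerpt above (syslog omits the year).
SAMPLE = """\
Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
"""

# The username is attacker-controlled text, so match it greedily and anchor
# on the trailing "from <ip> port <n> ssh2" that sshd itself appends.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh\d?$")

def parse_failures(text, year=2008):
    """Yield (timestamp, source_ip, username, is_invalid_user) per failed login."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], bool(m["invalid"])

def find_guessers(text, min_users=5, window=timedelta(minutes=15)):
    """Return {ip: sorted usernames} for every source that tried at least
    min_users distinct usernames inside some sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in parse_failures(text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in find_guessers(SAMPLE).items():
        print(ip, len(users), "usernames:", ", ".join(users))
```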


Messages in current thread:
SSH Brute Force Attacks Abound - and thanks!, Ken, (Thu Jan 10, 5:53 pm)
Re: SSH Brute Force Attacks Abound - and thanks!, Martin Schröder, (Fri Jan 11, 6:55 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Kennith Mann III, (Fri Jan 11, 4:53 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Lars Noodén, (Fri Jan 11, 5:24 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Peter N. M. Hansteen, (Fri Jan 11, 6:47 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Lars Noodén, (Fri Jan 11, 7:33 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Stuart Henderson, (Fri Jan 11, 8:19 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Peter N. M. Hansteen, (Fri Jan 11, 7:48 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Lars Noodén, (Fri Jan 11, 6:33 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Nick Gustas, (Fri Jan 11, 9:56 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Stuart Henderson, (Fri Jan 11, 6:51 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Jason McIntyre, (Fri Jan 11, 7:06 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Stuart Henderson, (Fri Jan 11, 8:12 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Khalid Schofield, (Fri Jan 11, 5:29 am)
Re: SSH Brute Force Attacks Abound - and thanks!, Obiozor Okeke, (Thu Jan 10, 11:09 pm)