| 1 |
> In my ssh logs this morning I noticed a couple login attempts with |
| 2 |
> usenames on them... I've never seen that before. It is usually just an |
| 3 |
> IP address. |
| 4 |
> |
| 5 |
> Mar 18 20:19:48 [sshd] refused connect from |
| 6 |
> postmaster@×××××××××××××××××××.co |
| 7 |
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107 |
| 8 |
> Mar 18 23:44:44 [sshd] refused connect from |
| 9 |
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107 |
| 10 |
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66 |
| 11 |
> |
| 12 |
> weird... maybe the bad guys are up to something new. |
| 13 |
|
| 14 |
I'd say they've just made a mistake in their DNS config (or maybe used a wildcard record), and set the PTR record to be postmaster@×××××××××××××××××××.co instead of a hostname. I'm assuming the reason you usually see IP addresses is that there is no PTR record set for that IP.... |
| 15 |
|
| 16 |
Are you running Fail2ban or similar? |
| 17 |
|
| 18 |
Rgs, |
| 19 |
Adam |
Archives