As far as I can figure out, lastb claims that many users, including "guest", "test", "testbox", "adam", "jack", "marvin", etc. have logged onto my computer over ssh.
This is certainly worrying, since I have never heard of these people and certainly don't have such user accounts on my computer.
I only created one user account, and that is "rishabh".
The whole output of my lastb can be found here: http://pastebin.com/m6e530c40 (it's 3632 lines long).
Some randomly selected lines are as follows:
friends ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
joshua ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
Nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
nicole ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:59 - 20:59 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
pascal ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
Dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
Dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
Dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
Dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
dakota ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
fred ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
apple ssh:notty 59.10.58.8 Thu Apr 2 20:58 - 20:58 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
buster ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
ftphome ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
quincy ssh:notty 59.10.58.8 Thu Apr 2 20:57 - 20:57 (00:00)
What does this mean?? Does the default wtmp file contain all these names??
Last edited by paramahamsa (2009-04-05 16:56:44)
Those are all the names that tried, but FAILED, to log into your machine. All the usual ssh attacks.
If you want to see who actually did log into the machine, use "last" instead.
In my experience, the easiest way to stop the attacks is to change the port sshd listens on to some random big number, and the surest way to make it really secure is to turn off password logins and use keypairs instead.
I have had my ssh server running on a high port for the past 6 months and have not had even 1 person attempt to log in; granted, it's running denyhosts and only allows login via keypair.
ataraxia, Zariel,
Thanks! I didn't know that.
These attacks are by bots, I presume? What do they do, try random names on random IPs?
(edit: by the way, I use denyhosts, too)
Last edited by paramahamsa (2009-04-05 16:59:04)
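Added example, not part of the original thread: a shell helper that groups lastb-style records by source address and counts how many different usernames each source tried, which makes the dictionary pattern in the output above easy to see. The function names, the sample records and the threshold are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: per-source summary of lastb-style failed-login records.

# Constructed sample in the column layout quoted in the thread
# (user, line, host, timestamp); addresses are documentation ranges.
sample_lastb() {
    cat <<'EOF'
fred     ssh:notty    192.0.2.10       Thu Apr  2 20:58 - 20:58  (00:00)
fred     ssh:notty    192.0.2.10       Thu Apr  2 20:58 - 20:58  (00:00)
apple    ssh:notty    192.0.2.10       Thu Apr  2 20:58 - 20:58  (00:00)
apple    ssh:notty    192.0.2.10       Thu Apr  2 20:58 - 20:58  (00:00)
buster   ssh:notty    192.0.2.10       Thu Apr  2 20:57 - 20:57  (00:00)
alice    ssh:notty    198.51.100.7     Thu Apr  2 09:12 - 09:12  (00:00)
alice    tty1                          Thu Apr  2 08:01 - 08:01  (00:00)

btmp begins Thu Apr  2 08:01:10 2009
EOF
}

# Reads lastb output on stdin and prints "attempts distinct_users source",
# busiest source first. Only ssh lines are counted, so console failures,
# blank lines and the trailing "btmp begins ..." line are ignored.
summarize_lastb() {
    awk '
        $2 ~ /^ssh/ && NF >= 3 {
            ip = $3
            attempts[ip]++
            # Count each (source, username) pair once.
            if (!((ip, $1) in seen)) { seen[ip, $1] = 1; users[ip]++ }
        }
        END {
            for (ip in attempts)
                printf "%d %d %s\n", attempts[ip], users[ip], ip
        }
    ' | sort -rn
}

# Prints the sources that tried at least $1 different usernames.
flag_sources() {
    summarize_lastb | awk -v min="$1" '$2 + 0 >= min + 0 { print $3 }'
}

# On a live host (lastb normally needs root to read the btmp file):
#   lastb | summarize_lastb | head
#   lastb | flag_sources 10
sample_lastb | summarize_lastb
```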