LinuxSecurity

Main.LinuxSecurity History


October 06, 2009, at 08:11 PM by 192.28.0.20 -
Added lines 1-26:

Re:Ask Slashdot (Score:4, Interesting)
by armanox (826486) <asherewindknight@yahoo.com> on Sunday October 04, @11:56PM (#29640677) Homepage Journal

I see a lot of seemingly valid logins (could be valid, but not on my system...)

Running awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -10 yields

279 root
20 test
19 admin
9 john
9 guest
8 PlcmSpIp
7 oracle
7 info
6 webmaster
6 mysql

so, we have 6 that often are valid, a very common name, two that almost could be valid (info and webmaster), and one nonsense. Only one account on that system has ssh allowed, and it's certainly not root.
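
A variation on the one-liner in the comment above, added here as an example and not part of the quoted post: it keeps the per-username tally but also records whether sshd tagged each name "invalid user", the tag sshd applies to names it will not accept, such as accounts that do not exist. The function names `failed_ssh_users` and `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally sshd "Failed password" attempts per username and
# record whether sshd tagged the name "invalid user" (sshd's own label).

# Reads syslog-format lines on stdin; prints "count status user", busiest first.
failed_ssh_users() {
    awk '
        /sshd.*Failed password for / {
            status = "valid"
            sub(/.*Failed password for /, "")   # drop timestamp, host, prefix
            if (sub(/^invalid user /, "")) status = "invalid"
            # Remainder is "<user> from <ip> port <n> ssh2". The name is
            # supplied by the client and may contain spaces, so cut at the
            # last " from " instead of taking the first word.
            n = 0
            while ((i = index(substr($0, n + 1), " from ")) > 0) n += i
            if (n == 0) next
            count[status " " substr($0, 1, n - 1)]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation IP ranges), not taken from the page.
sample_log() {
    cat <<'EOF'
Oct  4 03:12:01 host sshd[2211]: Failed password for root from 192.0.2.10 port 40022 ssh2
Oct  4 03:12:05 host sshd[2213]: Failed password for root from 192.0.2.10 port 40031 ssh2
Oct  4 03:12:09 host sshd[2215]: Failed password for invalid user test from 192.0.2.10 port 40040 ssh2
Oct  4 03:12:14 host sshd[2217]: Failed password for invalid user PlcmSpIp from 198.51.100.7 port 51200 ssh2
Oct  4 03:13:00 host sshd[2230]: Accepted password for alice from 203.0.113.5 port 50000 ssh2
Oct  4 03:13:30 host sshd[2240]: Failed password for invalid user test from 198.51.100.7 port 51211 ssh2
EOF
}

sample_log | failed_ssh_users
```

On a real host, feed it the same files the comment uses, for example `cat /var/log/secure* | failed_ssh_users`.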


DenyHosts

Aldaba Knocking Suite: Port Knocking and SPA system for Linux

Page last modified on October 06, 2009, at 08:11 PM