This stretch of auth.log is only a small sample; I have whole megabytes of
text file with records similar to this one:
Mar 9 09:23:03 Quarzo sshd[19758]: Invalid user test from 140.114.106.119
Mar 9 09:23:06 Quarzo sshd[19760]: Invalid user guest from 140.114.106.119
Mar 9 09:23:11 Quarzo sshd[19762]: Invalid user admin from 140.114.106.119
Mar 9 09:23:14 Quarzo sshd[19764]: Invalid user admin from 140.114.106.119
Mar 9 09:23:18 Quarzo sshd[19766]: Invalid user user from 140.114.106.119
Mar 9 09:23:33 Quarzo sshd[19774]: Invalid user test from 140.114.106.119
Mar 10 17:15:41 Quarzo sshd[6187]: Invalid user staff from 221.6.5.237
Mar 10 17:15:47 Quarzo sshd[6189]: Invalid user sales from 221.6.5.237
Mar 10 17:15:52 Quarzo sshd[6191]: Invalid user recruit from 221.6.5.237
Mar 10 17:15:57 Quarzo sshd[6193]: Invalid user alias from 221.6.5.237
Mar 10 17:16:03 Quarzo sshd[6195]: Invalid user office from 221.6.5.237
Mar 10 17:16:08 Quarzo sshd[6197]: Invalid user samba from 221.6.5.237
Luckily your earlier advice has been extremely useful (a thousand thanks
again for it) and those connections have been blocked:
Mar 10 19:00:31 Quarzo sshd[6337]: refused connect from ::ffff:189.19.206.152 (::ffff:189.19.206.152)
Mar 10 19:05:53 Quarzo sshd[6338]: refused connect from ::ffff:189.19.206.152 (::ffff:189.19.206.152)
Mar 10 19:08:32 Quarzo sshd[6339]: Did not receive identification string from 117.55.225.122
However, there is something that worries me:
Mar 11 06:17:01 Quarzo CRON[7149]: (pam_unix) session closed for user root
Mar 11 06:25:01 Quarzo CRON[7152]: (pam_unix) session opened for user root by (uid=0)
Mar 11 06:25:02 Quarzo su[7201]: Successful su for nobody by root
Mar 11 06:25:02 Quarzo su[7201]: + ??? root:nobody
Mar 11 06:25:02 Quarzo su[7201]: (pam_unix) session opened for user nobody by (uid=0)
Mar 11 06:25:02 Quarzo su[7201]: (pam_unix) session closed for user nobody
Mar 11 06:25:02 Quarzo su[7203]: Successful su for nobody by root
Mar 11 06:25:02 Quarzo su[7203]: + ??? root:nobody
Mar 11 06:25:02 Quarzo su[7203]: (pam_unix) session opened for user nobody by (uid=0)
Mar 11 06:25:02 Quarzo su[7203]: (pam_unix) session closed for user nobody
Mar 11 06:25:02 Quarzo su[7205]: Successful su for nobody by root
Mar 11 06:25:02 Quarzo su[7205]: + ??? root:nobody
Mar 11 06:25:02 Quarzo su[7205]: (pam_unix) session opened for user nobody by (uid=0)
Mar 11 06:26:22 Quarzo su[7205]: (pam_unix) session closed for user nobody
Mar 11 06:29:34 Quarzo CRON[7152]: (pam_unix) session closed for user root
--------------------
On seeing this, I logged into my system as root and did an su to nobody, and...
surprise!! that user exists and has root privileges.
What do you think about this?
P.S. Greetings to the list; we'll see each other at upcoming galpon meetings, together
with a friend who would like to meet you.
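The triage the post is doing by eye, as an added example that is not part of the original message or of any tool mentioned on the list: it parses auth.log lines of the kinds quoted above, counts invalid-user attempts per source address so brute-force sources can be listed against a threshold, replays the pam_unix session open/close events so that each successful su is attributed to the service (CRON, sshd, ...) that owned the invoking user's open session at that moment, and reads a passwd(5) file to list every account whose numeric uid is 0, which is the check to run when an account is suspected of having root privileges, since privilege follows the uid rather than the name. The sample log and passwd contents are constructed for the example (the `toor` entry is an invented second uid-0 account), and the function names and the default threshold of 5 are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the post (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar 9 09:23:03 Quarzo sshd[19758]: Invalid user test from 140.114.106.119
Mar 9 09:23:06 Quarzo sshd[19760]: Invalid user guest from 140.114.106.119
Mar 9 09:23:11 Quarzo sshd[19762]: Invalid user admin from 140.114.106.119
Mar 9 09:23:14 Quarzo sshd[19764]: Invalid user admin from 140.114.106.119
Mar 9 09:23:18 Quarzo sshd[19766]: Invalid user user from 140.114.106.119
Mar 9 09:23:33 Quarzo sshd[19774]: Invalid user test from 140.114.106.119
Mar 10 17:15:41 Quarzo sshd[6187]: Invalid user staff from 221.6.5.237
Mar 10 17:15:47 Quarzo sshd[6189]: Invalid user sales from 221.6.5.237
Mar 10 17:15:52 Quarzo sshd[6191]: Invalid user recruit from 221.6.5.237
Mar 10 19:00:31 Quarzo sshd[6337]: refused connect from ::ffff:189.19.206.152 (::ffff:189.19.206.152)
Mar 10 19:05:53 Quarzo sshd[6338]: refused connect from ::ffff:189.19.206.152 (::ffff:189.19.206.152)
Mar 11 06:25:01 Quarzo CRON[7152]: (pam_unix) session opened for user root by (uid=0)
Mar 11 06:25:02 Quarzo su[7201]: Successful su for nobody by root
Mar 11 06:25:02 Quarzo su[7201]: + ??? root:nobody
Mar 11 06:25:02 Quarzo su[7201]: (pam_unix) session opened for user nobody by (uid=0)
Mar 11 06:25:02 Quarzo su[7201]: (pam_unix) session closed for user nobody
Mar 11 06:25:02 Quarzo su[7203]: Successful su for nobody by root
Mar 11 06:25:02 Quarzo su[7203]: (pam_unix) session opened for user nobody by (uid=0)
Mar 11 06:26:22 Quarzo su[7203]: (pam_unix) session closed for user nobody
Mar 11 06:29:34 Quarzo CRON[7152]: (pam_unix) session closed for user root
"""

# Constructed passwd(5) content; "toor" is an invented second uid-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
toor:x:0:0:constructed second uid-0 account:/root:/bin/bash
"""

TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)$")
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from (\S+) ")
SU_OK = re.compile(r"su\[(\d+)\]: Successful su for (\S+) by (\S+)$")
SESSION = re.compile(r"(\w+)\[(\d+)\]: \(pam_unix\) session (opened|closed) for user (\S+)")


def normalize_ip(ip):
    """Strip the IPv4-mapped prefix sshd logs when it listens on an IPv6 socket."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_auth_log(text):
    """Turn auth.log lines into (timestamp, kind, fields) events, in log order.
    Lines matching no pattern (e.g. the '+ ??? root:nobody' su trace) are skipped."""
    events = []
    for line in text.splitlines():
        ts = TIMESTAMP.match(line)
        stamp = ts.group(1) if ts else "?"
        if (m := INVALID_USER.search(line)):
            user, ip = m.groups()
            events.append((stamp, "invalid_user", {"user": user, "ip": normalize_ip(ip)}))
        elif (m := REFUSED.search(line)):
            events.append((stamp, "refused", {"ip": normalize_ip(m.group(1))}))
        elif (m := SU_OK.search(line)):
            pid, target, by = m.groups()
            events.append((stamp, "su", {"pid": int(pid), "target": target, "by": by}))
        elif (m := SESSION.search(line)):
            service, pid, state, user = m.groups()
            events.append((stamp, "session_" + state,
                           {"service": service, "pid": int(pid), "user": user}))
    return events


def bruteforce_sources(events, threshold=5):
    """Source addresses with at least `threshold` invalid-user attempts, busiest first."""
    per_ip = Counter(e[2]["ip"] for e in events if e[1] == "invalid_user")
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


def refused_sources(events):
    """How many times each (normalized) address was refused by sshd's access control."""
    return Counter(e[2]["ip"] for e in events if e[1] == "refused")


def su_context(events):
    """Replay pam sessions and, for each successful su, report which services held an
    open session for the invoking user at that moment (CRON => a scheduled job did it)."""
    open_sessions = {}  # pid -> (service, user)
    out = []
    for stamp, kind, f in events:
        if kind == "session_opened":
            open_sessions[f["pid"]] = (f["service"], f["user"])
        elif kind == "session_closed":
            open_sessions.pop(f["pid"], None)
        elif kind == "su":
            via = sorted({svc for svc, user in open_sessions.values() if user == f["by"]})
            out.append({"time": stamp, "by": f["by"], "target": f["target"], "via": via})
    return out


def uid0_accounts(passwd_text):
    """Names of every account whose numeric uid is 0: those, and only those, are root."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#") and fields[2] == "0":
            hits.append(fields[0])
    return hits


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", bruteforce_sources(ev))
    print("refused:", dict(refused_sources(ev)))
    for s in su_context(ev):
        print(f"su {s['by']} -> {s['target']} at {s['time']} via {s['via']}")
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

On a real box the same functions can be fed `open("/var/log/auth.log").read()` and `open("/etc/passwd").read()`; the su report will show whether each root-to-nobody switch happened inside a CRON session (as in the quoted lines, where the su entries sit between the `CRON[7152]` open and close), and the passwd check answers the privilege question by uid rather than by whether `su nobody` succeeds, which always does for root.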