I've always had usernames when it comes to sshd's log entries in
auth.log, like the following:

<time> <hostname> sshd[5926]: error: PAM: Authentication failure for
<username> from <ip-adress>


On 3/19/09, Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> In my ssh logs this morning I noticed a couple login attempts with
> usenames on them... I've never seen that before. It is usually just an
> IP address.
>
> Mar 18 20:19:48 [sshd] refused connect from
> postmaster@dns.cablecentro.net.co
> Mar 18 23:42:44 [sshd] refused connect from 211.116.136.107
> Mar 18 23:44:44 [sshd] refused connect from
> [U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=]@211.116.136.107
> Mar 19 02:41:09 [sshd] refused connect from 221.194.128.66
>
> weird... maybe the bad guys are up to something new.
>
>


--
------------------------------------------------
For security reasons, all text in this mail is double-rot13 encrypted.

On Thu, Mar 19, 2009 at 10:36 AM, Johan Blåbäck
<johan.bluecreek@gmail.com> wrote:
> I've always had usernames when it comes to sshd's log entries in
> auth.log, like the following:
>
> <time> <hostname> sshd[5926]: error: PAM: Authentication failure for
> <username> from <ip-adress>

Well, I don't use PAM, just key-based authentication only, so I always
see only the IP getting rejected since it doesn't even give them a
place to try a user/password It's just weird that it is refusing a
connection from user@domain rather than simply the IP. I guess they
could be trying to ssh user@myhost.net or something. The one with
[U2FsdGVkX19g32YZVKMsQkl+mouWITILOicY4Iq9OQo=] as the username is
interesting. I wonder what that's all about.