pkgsrc-users: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?

Subject: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: None <pkgsrc-users@NetBSD.org>
From: Water NB <netbsd78@126.com>
List: pkgsrc-users
Date: 01/12/2007 17:17:13
In the recent days, a cracker always attack my host.
The cracker's IP is from Japan, Croatia and some coutries.
But I guess it is the same cracker and remote-conrolled those hosts.
Because he always did the same works:
1) try to ssh account one by one: root, postfix, ... cyrus.
2) at last, login successfully via account cyrus.
3) install a program psyBNC 2.3.1 under /tmp and run it.
4) sometimes he changes the password of cyrus.

Question 1) Is it a bug of sshd?
Yesterday, I change the password of cyrus to 16 characters which contain
digit, symbol and  capital/lowercase letter, So I think it is more
secure.
But this morning I found the cracker still logined the system after only
two tries.
It is impossible to try 2 times to get the correct password.
So I guess that he used the bug of sshd.
What bug? I don't know.

Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
I think /sbin/nologin is enough.
In fact, when I change it to /sbin/nologin, the cracker stop cracking
because he has to logout once he login.

Question 3) How to setup a secret system?
I am so worried with the fixed-IP-host in public network.

Question 4) How to log what passwords the cracker used in ssh session?
Or I need modify sshd source?

Question 5) empty password means needn't password?
Or means any passwords are invalid?

My system:
# uname -a
NetBSD serv01 3.1_STABLE NetBSD 3.1_STABLE (386nb3) #3: Sat Dec 30
11:50:47 CST
2006  water@serv01:/usr/world/386o3/sys/arch/i386/compile/386nb3 i386

# ssh -v
OpenSSH_3.9 NetBSD_Secure_Shell-20061016, OpenSSL 0.9.7d 17 Mar 2004

Running: apache2, postfix-2.3.5 (from pkgsrc), dovecot, mysqld, sshd,
named
Installed: cyrus-sasl-2.1.22, php5.2.0

Authlog:

Jan 12 00:05:46 mail sshd[6091]: Failed password for root from
AAA.BBB.CCC.DDD port 53236 ssh2
Jan 12 00:05:47 mail sshd[12624]: Failed password for root from
AAA.BBB.CCC.DDD port 53273 ssh2
Jan 12 00:05:48 mail sshd[4902]: Failed password for root from
AAA.BBB.CCC.DDD port 53318 ssh2
Jan 12 00:05:49 mail sshd[5181]: Failed password for root from
AAA.BBB.CCC.DDD port 53359 ssh2
Jan 12 00:05:49 mail sshd[22047]: Failed password for root from
AAA.BBB.CCC.DDD port 53403 ssh2
Jan 12 00:05:50 mail sshd[2520]: Failed password for root from
AAA.BBB.CCC.DDD port 53442 ssh2
Jan 12 00:05:51 mail sshd[29414]: Failed password for root from
AAA.BBB.CCC.DDD port 53478 ssh2
Jan 12 00:05:52 mail sshd[3111]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:52 mail sshd[3111]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53529 ssh2
Jan 12 00:05:53 mail sshd[15737]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:53 mail sshd[15737]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53591 ssh2
Jan 12 00:05:54 mail sshd[17345]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:54 mail sshd[17345]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53632 ssh2
Jan 12 00:05:54 mail sshd[17851]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:54 mail sshd[17851]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53675 ssh2
Jan 12 00:05:55 mail sshd[14531]: Invalid user testuser from
AAA.BBB.CCC.DDD
Jan 12 00:05:55 mail sshd[14531]: Failed password for invalid user
testuser from AAA.BBB.CCC.DDD port 53712 ssh2
Jan 12 00:05:56 mail sshd[25545]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:56 mail sshd[25545]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53750 ssh2
Jan 12 00:05:56 mail sshd[1850]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:57 mail sshd[1850]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53786 ssh2
Jan 12 00:05:57 mail sshd[16050]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:57 mail sshd[16050]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53832 ssh2
Jan 12 00:05:58 mail sshd[26874]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:58 mail sshd[26874]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53871 ssh2
Jan 12 00:05:59 mail sshd[29038]: Invalid user test from AAA.BBB.CCC.DDD
Jan 12 00:05:59 mail sshd[29038]: Failed password for invalid user test
from AAA.BBB.CCC.DDD port 53908 ssh2
Jan 12 00:05:59 mail sshd[8476]: Invalid user sales from AAA.BBB.CCC.DDD
Jan 12 00:05:59 mail sshd[8476]: Failed password for invalid user sales
from AAA.BBB.CCC.DDD port 53956 ssh2
Jan 12 00:06:00 mail sshd[11764]: Invalid user shop from AAA.BBB.CCC.DDD
Jan 12 00:06:00 mail sshd[11764]: Failed password for invalid user shop
from AAA.BBB.CCC.DDD port 54000 ssh2
Jan 12 00:06:01 mail sshd[5686]: Invalid user shop from AAA.BBB.CCC.DDD
Jan 12 00:06:01 mail sshd[5686]: Failed password for invalid user shop
from AAA.BBB.CCC.DDD port 54037 ssh2
Jan 12 00:06:02 mail sshd[27871]: Invalid user shopping from
AAA.BBB.CCC.DDD
Jan 12 00:06:02 mail sshd[27871]: Failed password for invalid user
shopping from AAA.BBB.CCC.DDD port 54085 ssh2
Jan 12 00:06:02 mail sshd[7715]: Invalid user shop from AAA.BBB.CCC.DDD
Jan 12 00:06:02 mail sshd[7715]: Failed password for invalid user shop
from AAA.BBB.CCC.DDD port 54126 ssh2
Jan 12 00:06:03 mail sshd[19650]: Invalid user sales from
AAA.BBB.CCC.DDD
Jan 12 00:06:03 mail sshd[19650]: Failed password for invalid user sales
from AAA.BBB.CCC.DDD port 54164 ssh2
Jan 12 00:06:04 mail sshd[9290]: Invalid user printer from
AAA.BBB.CCC.DDD
Jan 12 00:06:04 mail sshd[9290]: Failed password for invalid user
printer from AAA.BBB.CCC.DDD port 54201 ssh2
Jan 12 00:06:05 mail sshd[28391]: Invalid user mailman from
AAA.BBB.CCC.DDD
Jan 12 00:06:05 mail sshd[28391]: Failed password for invalid user
mailman from AAA.BBB.CCC.DDD port 54249 ssh2
Jan 12 00:06:05 mail sshd[27549]: Invalid user irc from AAA.BBB.CCC.DDD
Jan 12 00:06:05 mail sshd[27549]: Failed password for invalid user irc
from AAA.BBB.CCC.DDD port 54293 ssh2
Jan 12 00:06:06 mail sshd[6219]: Invalid user ircd from AAA.BBB.CCC.DDD
Jan 12 00:06:06 mail sshd[6219]: Failed password for invalid user ircd
from AAA.BBB.CCC.DDD port 54327 ssh2
Jan 12 00:06:07 mail sshd[12752]: Failed password for www from
AAA.BBB.CCC.DDD port 54369 ssh2
Jan 12 00:06:08 mail sshd[5030]: Invalid user www-data from
AAA.BBB.CCC.DDD
Jan 12 00:06:08 mail sshd[5030]: Failed password for invalid user
www-data from AAA.BBB.CCC.DDD port 54416 ssh2
Jan 12 00:06:08 mail sshd[5309]: Invalid user apache from
AAA.BBB.CCC.DDD
Jan 12 00:06:08 mail sshd[5309]: Failed password for invalid user apache
from AAA.BBB.CCC.DDD port 54459 ssh2
Jan 12 00:06:09 mail sshd[22175]: Failed password for root from
AAA.BBB.CCC.DDD port 54497 ssh2
Jan 12 00:06:10 mail sshd[2648]: Invalid user golf from AAA.BBB.CCC.DDD
Jan 12 00:06:10 mail sshd[2648]: Failed password for invalid user golf
from AAA.BBB.CCC.DDD port 54545 ssh2
Jan 12 00:06:11 mail sshd[29542]: Failed password for root from
AAA.BBB.CCC.DDD port 54598 ssh2
Jan 12 00:06:11 mail sshd[3239]: Failed password for root from
AAA.BBB.CCC.DDD port 54639 ssh2
Jan 12 00:06:12 mail sshd[15865]: Failed password for root from
AAA.BBB.CCC.DDD port 54685 ssh2
Jan 12 00:06:13 mail sshd[17473]: Failed password for root from
AAA.BBB.CCC.DDD port 54730 ssh2
Jan 12 00:06:13 mail sshd[17979]: Failed password for root from
AAA.BBB.CCC.DDD port 54780 ssh2
Jan 12 00:06:14 mail sshd[14659]: Failed password for root from
AAA.BBB.CCC.DDD port 54819 ssh2
Jan 12 00:06:15 mail sshd[25673]: Failed password for root from
AAA.BBB.CCC.DDD port 54866 ssh2
Jan 12 00:06:16 mail sshd[1978]: Failed password for root from
AAA.BBB.CCC.DDD port 54916 ssh2
Jan 12 00:06:16 mail sshd[16178]: Invalid user usa from AAA.BBB.CCC.DDD
Jan 12 00:06:16 mail sshd[16178]: Failed password for invalid user usa
from AAA.BBB.CCC.DDD port 54970 ssh2
Jan 12 00:06:17 mail sshd[27002]: Invalid user musiq from
AAA.BBB.CCC.DDD
Jan 12 00:06:17 mail sshd[27002]: Failed password for invalid user musiq
from AAA.BBB.CCC.DDD port 55003 ssh2
Jan 12 00:06:18 mail sshd[29166]: Invalid user helena from
AAA.BBB.CCC.DDD
Jan 12 00:06:18 mail sshd[29166]: Failed password for invalid user
helena from AAA.BBB.CCC.DDD port 55047 ssh2
Jan 12 00:06:19 mail sshd[8604]: Invalid user administrator from
AAA.BBB.CCC.DDD
Jan 12 00:06:19 mail sshd[8604]: Failed password for invalid user
administrator from AAA.BBB.CCC.DDD port 55099 ssh2
Jan 12 00:06:19 mail sshd[11892]: Invalid user ROOT from AAA.BBB.CCC.DDD
Jan 12 00:06:19 mail sshd[11892]: Failed password for invalid user ROOT
from AAA.BBB.CCC.DDD port 55143 ssh2
Jan 12 00:06:20 mail sshd[11152]: Invalid user router from
AAA.BBB.CCC.DDD
Jan 12 00:06:20 mail sshd[11152]: Failed password for invalid user
router from AAA.BBB.CCC.DDD port 55182 ssh2
Jan 12 00:06:21 mail sshd[12094]: Invalid user mrtg from AAA.BBB.CCC.DDD
Jan 12 00:06:21 mail sshd[12094]: Failed password for invalid user mrtg
from AAA.BBB.CCC.DDD port 55224 ssh2
Jan 12 00:06:22 mail sshd[18276]: Invalid user mrtg1 from
AAA.BBB.CCC.DDD
Jan 12 00:06:22 mail sshd[18276]: Failed password for invalid user mrtg1
from AAA.BBB.CCC.DDD port 55287 ssh2
Jan 12 00:06:22 mail sshd[29079]: Invalid user mrtg2 from
AAA.BBB.CCC.DDD
Jan 12 00:06:22 mail sshd[29079]: Failed password for invalid user mrtg2
from AAA.BBB.CCC.DDD port 55327 ssh2
Jan 12 00:06:23 mail sshd[22060]: Invalid user mrtg3 from
AAA.BBB.CCC.DDD
Jan 12 00:06:23 mail sshd[22060]: Failed password for invalid user mrtg3
from AAA.BBB.CCC.DDD port 55359 ssh2
Jan 12 00:06:24 mail sshd[19051]: Invalid user test1 from
AAA.BBB.CCC.DDD
Jan 12 00:06:24 mail sshd[19051]: Failed password for invalid user test1
from AAA.BBB.CCC.DDD port 55396 ssh2
Jan 12 00:06:25 mail sshd[19528]: Invalid user test1 from
AAA.BBB.CCC.DDD
Jan 12 00:06:25 mail sshd[19528]: Failed password for invalid user test1
from AAA.BBB.CCC.DDD port 55445 ssh2
Jan 12 00:06:25 mail sshd[14533]: Invalid user test123 from
AAA.BBB.CCC.DDD
Jan 12 00:06:25 mail sshd[14533]: Failed password for invalid user
test123 from AAA.BBB.CCC.DDD port 55485 ssh2
Jan 12 00:06:26 mail sshd[9713]: Invalid user guest from AAA.BBB.CCC.DDD
Jan 12 00:06:26 mail sshd[9713]: Failed password for invalid user guest
from AAA.BBB.CCC.DDD port 55517 ssh2
Jan 12 00:06:27 mail sshd[4088]: Invalid user guest123 from
AAA.BBB.CCC.DDD
Jan 12 00:06:27 mail sshd[4088]: Failed password for invalid user
guest123 from AAA.BBB.CCC.DDD port 55570 ssh2
Jan 12 00:06:27 mail sshd[14517]: Invalid user account from
AAA.BBB.CCC.DDD
Jan 12 00:06:27 mail sshd[14517]: Failed password for invalid user
account from AAA.BBB.CCC.DDD port 55618 ssh2
Jan 12 00:06:28 mail sshd[26573]: Invalid user bank from AAA.BBB.CCC.DDD
Jan 12 00:06:28 mail sshd[26573]: Failed password for invalid user bank
from AAA.BBB.CCC.DDD port 55655 ssh2
Jan 12 00:06:29 mail sshd[19314]: Invalid user banking from
AAA.BBB.CCC.DDD
Jan 12 00:06:29 mail sshd[19314]: Failed password for invalid user
banking from AAA.BBB.CCC.DDD port 55689 ssh2
Jan 12 00:06:30 mail sshd[9506]: Invalid user hp from AAA.BBB.CCC.DDD
Jan 12 00:06:30 mail sshd[9506]: Failed password for invalid user hp
from AAA.BBB.CCC.DDD port 55738 ssh2
Jan 12 00:06:30 mail sshd[5488]: Invalid user ftpusr01 from
AAA.BBB.CCC.DDD
Jan 12 00:06:30 mail sshd[5488]: Failed password for invalid user
ftpusr01 from AAA.BBB.CCC.DDD port 55770 ssh2
Jan 12 00:06:31 mail sshd[8412]: Invalid user demo from AAA.BBB.CCC.DDD
Jan 12 00:06:31 mail sshd[8412]: Failed password for invalid user demo
from AAA.BBB.CCC.DDD port 55801 ssh2
Jan 12 00:06:32 mail sshd[22889]: Invalid user demo from AAA.BBB.CCC.DDD
Jan 12 00:06:32 mail sshd[22889]: Failed password for invalid user demo
from AAA.BBB.CCC.DDD port 55842 ssh2
Jan 12 00:06:33 mail sshd[23232]: Invalid user oracle from
AAA.BBB.CCC.DDD
Jan 12 00:06:33 mail sshd[23232]: Failed password for invalid user
oracle from AAA.BBB.CCC.DDD port 55891 ssh2
Jan 12 00:06:33 mail sshd[29864]: Invalid user oracle from
AAA.BBB.CCC.DDD
Jan 12 00:06:33 mail sshd[29864]: Failed password for invalid user
oracle from AAA.BBB.CCC.DDD port 55925 ssh2
Jan 12 00:06:34 mail sshd[16590]: Invalid user oralcle from
AAA.BBB.CCC.DDD
Jan 12 00:06:34 mail sshd[16590]: Failed password for invalid user
oralcle from AAA.BBB.CCC.DDD port 55957 ssh2
Jan 12 00:06:35 mail sshd[10077]: Invalid user oracle from
AAA.BBB.CCC.DDD
Jan 12 00:06:35 mail sshd[10077]: Failed password for invalid user
oracle from AAA.BBB.CCC.DDD port 55995 ssh2
Jan 12 00:06:36 mail sshd[23992]: Invalid user oracle from
AAA.BBB.CCC.DDD
Jan 12 00:06:36 mail sshd[23992]: Failed password for invalid user
oracle from AAA.BBB.CCC.DDD port 56035 ssh2
Jan 12 00:06:36 mail sshd[15663]: Invalid user oracle from
AAA.BBB.CCC.DDD
Jan 12 00:06:36 mail sshd[15663]: Failed password for invalid user
oracle from AAA.BBB.CCC.DDD port 56071 ssh2
Jan 12 00:06:37 mail sshd[24055]: Invalid user news from AAA.BBB.CCC.DDD
Jan 12 00:06:37 mail sshd[24055]: Failed password for invalid user news
from AAA.BBB.CCC.DDD port 56110 ssh2
Jan 12 00:06:38 mail sshd[29792]: Invalid user news from AAA.BBB.CCC.DDD
Jan 12 00:06:38 mail sshd[29792]: Failed password for invalid user news
from AAA.BBB.CCC.DDD port 56159 ssh2
Jan 12 00:06:39 mail sshd[18675]: Invalid user news from AAA.BBB.CCC.DDD
Jan 12 00:06:39 mail sshd[18675]: Failed password for invalid user news
from AAA.BBB.CCC.DDD port 56197 ssh2
Jan 12 00:06:39 mail sshd[23766]: Invalid user news from AAA.BBB.CCC.DDD
Jan 12 00:06:39 mail sshd[23766]: Failed password for invalid user news
from AAA.BBB.CCC.DDD port 56230 ssh2
Jan 12 00:06:40 mail sshd[3067]: Invalid user news from AAA.BBB.CCC.DDD
Jan 12 00:06:40 mail sshd[3067]: Failed password for invalid user news
from AAA.BBB.CCC.DDD port 56269 ssh2
Jan 12 00:06:41 mail sshd[5942]: Invalid user sql from AAA.BBB.CCC.DDD
Jan 12 00:06:41 mail sshd[5942]: Failed password for invalid user sql
from AAA.BBB.CCC.DDD port 56315 ssh2
Jan 12 00:06:42 mail sshd[28127]: Failed password for mysql from
AAA.BBB.CCC.DDD port 56351 ssh2
Jan 12 00:06:42 mail sshd[7971]: Invalid user theo from AAA.BBB.CCC.DDD
Jan 12 00:06:42 mail sshd[7971]: Failed password for invalid user theo
from AAA.BBB.CCC.DDD port 56383 ssh2
Jan 12 00:06:43 mail sshd[19906]: Failed password for games from
AAA.BBB.CCC.DDD port 56419 ssh2
Jan 12 00:06:44 mail sshd[9546]: Invalid user rpm from AAA.BBB.CCC.DDD
Jan 12 00:06:44 mail sshd[9546]: Failed password for invalid user rpm
from AAA.BBB.CCC.DDD port 56464 ssh2
Jan 12 00:06:44 mail sshd[28647]: Invalid user rpm from AAA.BBB.CCC.DDD
Jan 12 00:06:44 mail sshd[28647]: Failed password for invalid user rpm
from AAA.BBB.CCC.DDD port 56500 ssh2
Jan 12 00:06:45 mail sshd[27805]: Invalid user rpm from AAA.BBB.CCC.DDD
Jan 12 00:06:45 mail sshd[27805]: Failed password for invalid user rpm
from AAA.BBB.CCC.DDD port 56537 ssh2
Jan 12 00:06:46 mail sshd[29644]: Invalid user rpm from AAA.BBB.CCC.DDD
Jan 12 00:06:46 mail sshd[29644]: Failed password for invalid user rpm
from AAA.BBB.CCC.DDD port 56582 ssh2
Jan 12 00:06:47 mail sshd[6475]: Invalid user rpm from AAA.BBB.CCC.DDD
Jan 12 00:06:47 mail sshd[6475]: Failed password for invalid user rpm
from AAA.BBB.CCC.DDD port 56621 ssh2
Jan 12 00:06:47 mail sshd[13008]: Invalid user goba from AAA.BBB.CCC.DDD
Jan 12 00:06:47 mail sshd[13008]: Failed password for invalid user goba
from AAA.BBB.CCC.DDD port 56656 ssh2
Jan 12 00:06:48 mail sshd[5286]: Invalid user mailman from
AAA.BBB.CCC.DDD
Jan 12 00:06:48 mail sshd[5286]: Failed password for invalid user
mailman from AAA.BBB.CCC.DDD port 56697 ssh2
Jan 12 00:06:49 mail sshd[5565]: Invalid user mailman from
AAA.BBB.CCC.DDD
Jan 12 00:06:49 mail sshd[5565]: Failed password for invalid user
mailman from AAA.BBB.CCC.DDD port 56744 ssh2
Jan 12 00:06:50 mail sshd[22431]: Invalid user ntp from AAA.BBB.CCC.DDD
Jan 12 00:06:50 mail sshd[22431]: Failed password for invalid user ntp
from AAA.BBB.CCC.DDD port 56782 ssh2
Jan 12 00:06:50 mail sshd[2904]: Failed password for nobody from
AAA.BBB.CCC.DDD port 56814 ssh2
Jan 12 00:06:51 mail sshd[29798]: Failed password for nobody from
AAA.BBB.CCC.DDD port 56858 ssh2
Jan 12 00:06:52 mail sshd[3495]: Invalid user postgres from
AAA.BBB.CCC.DDD
Jan 12 00:06:52 mail sshd[3495]: Failed password for invalid user
postgres from AAA.BBB.CCC.DDD port 56908 ssh2
Jan 12 00:06:53 mail sshd[16121]: Failed password for postfix from
AAA.BBB.CCC.DDD port 56948 ssh2
Jan 12 00:06:53 mail sshd[17729]: Failed password for postfix from
AAA.BBB.CCC.DDD port 56981 ssh2
Jan 12 00:06:54 mail sshd[18235]: Invalid user db from AAA.BBB.CCC.DDD
Jan 12 00:06:54 mail sshd[18235]: Failed password for invalid user db
from AAA.BBB.CCC.DDD port 57029 ssh2
Jan 12 00:06:55 mail sshd[14915]: Invalid user db from AAA.BBB.CCC.DDD
Jan 12 00:06:55 mail sshd[14915]: Failed password for invalid user db
from AAA.BBB.CCC.DDD port 57079 ssh2
Jan 12 00:06:55 mail sshd[25929]: Invalid user database from
AAA.BBB.CCC.DDD
Jan 12 00:06:55 mail sshd[25929]: Failed password for invalid user
database from AAA.BBB.CCC.DDD port 57116 ssh2
Jan 12 00:06:56 mail sshd[2234]: Invalid user database from
AAA.BBB.CCC.DDD
Jan 12 00:06:56 mail sshd[2234]: Failed password for invalid user
database from AAA.BBB.CCC.DDD port 57148 ssh2
Jan 12 00:06:57 mail sshd[16434]: Invalid user fax from AAA.BBB.CCC.DDD
Jan 12 00:06:57 mail sshd[16434]: Failed password for invalid user fax
from AAA.BBB.CCC.DDD port 57199 ssh2
Jan 12 00:06:58 mail sshd[27258]: Invalid user fax from AAA.BBB.CCC.DDD
Jan 12 00:06:58 mail sshd[27258]: Failed password for invalid user fax
from AAA.BBB.CCC.DDD port 57246 ssh2
Jan 12 00:06:58 mail sshd[29422]: Invalid user fax from AAA.BBB.CCC.DDD
Jan 12 00:06:58 mail sshd[29422]: Failed password for invalid user fax
from AAA.BBB.CCC.DDD port 57291 ssh2
Jan 12 00:06:59 mail sshd[8860]: Invalid user fax from AAA.BBB.CCC.DDD
Jan 12 00:06:59 mail sshd[8860]: Failed password for invalid user fax
from AAA.BBB.CCC.DDD port 57327 ssh2
Jan 12 00:07:00 mail sshd[12148]: Invalid user tester from
AAA.BBB.CCC.DDD
Jan 12 00:07:00 mail sshd[12148]: Failed password for invalid user
tester from AAA.BBB.CCC.DDD port 57379 ssh2
Jan 12 00:07:01 mail sshd[11408]: Invalid user tester from
AAA.BBB.CCC.DDD
Jan 12 00:07:01 mail sshd[11408]: Failed password for invalid user
tester from AAA.BBB.CCC.DDD port 57419 ssh2
Jan 12 00:07:01 mail sshd[12350]: Invalid user tester from
AAA.BBB.CCC.DDD
Jan 12 00:07:01 mail sshd[12350]: Failed password for invalid user
tester from AAA.BBB.CCC.DDD port 57455 ssh2
Jan 12 00:07:02 mail sshd[18532]: Invalid user tester from
AAA.BBB.CCC.DDD
Jan 12 00:07:02 mail sshd[18532]: Failed password for invalid user
tester from AAA.BBB.CCC.DDD port 57497 ssh2
Jan 12 00:07:03 mail sshd[29335]: Invalid user contact from
AAA.BBB.CCC.DDD
Jan 12 00:07:03 mail sshd[29335]: Failed password for invalid user
contact from AAA.BBB.CCC.DDD port 57548 ssh2
Jan 12 00:07:04 mail sshd[22316]: Failed password for cyrus from
AAA.BBB.CCC.DDD port 57590 ssh2
Jan 12 00:07:04 mail sshd[19307]: Accepted password for cyrus from
AAA.BBB.CCC.DDD port 57622 ssh2
(!!!!!)