sshd unauthorized access attempts

Posted on 2006-04-12
Last Modified: 2010-04-18

We have a hosted dedicated server running 2003 and IIS6; it is mainly used for hosting our website that we use. We have a small company, therefore I keep an eye on the server even though I am the web developer...

I have noticed in the app log in Event Viewer that similar IP addresses are hitting our server with similar error codes:

Illegal user 1 from
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from port 50739 ssh2.

There are about a hundred of these a night, sometimes from different IP addresses, and the user names tried are different,
e.g. root, guest etc...

I would like to know if there is a way to stop any services that allow ssh2 or sshd access on the server. We use Remote Desktop to connect and sometimes VNC. I have taken a look through the service console and cannot work out which services it is, or if there is just nothing to worry about at all. Rather be safe than sorry...

Question by:deanvanrooyen
    LVL 21

    Expert Comment

    Is this box behind a firewall?  If so, I would block port 50739.  If not, I would consider putting a firewall in front of it or at least using the Windows firewall and providing exceptions just for RD (3389), VNC (5900), and what you need for web (at least 80).
    LVL 12

    Author Comment


    This is a hosted server so it runs like in a DMZ. I cannot start blocking ports because the source port keeps changing. I need to try and stop the service (if anything is running that allows this access). I just think it might be the remote access service for Remote Desktop.
    LVL 21

    Expert Comment

    I am guessing you have an SSH (Secure Shell Host) daemon running on this server somewhere.  SSH is not native to Windows so if there is one installed you would probably see it under Add/Remove programs.

    In your task manager do you see anything on the processes tab with the name SSHD?
    LVL 21

    Accepted Solution

    Are you running Cygwin tools on this server?
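
The log lines quoted in the question can be tallied per source address to see how many attempts each address makes, which user names it tries, and how the port field changes between attempts. This is an added example, not part of the original thread; the sample lines, the addresses (documentation ranges), the user name `webdev` and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the question. The source
# addresses are made-up documentation-range values; the page elides the real ones.
SAMPLE_LOG = """\
sshd : PID 3216 : input_userauth_request: illegal user 1.
sshd : PID 3216 : Failed password for illegal user 1 from 192.0.2.10 port 50739 ssh2.
sshd : PID 3220 : Failed password for illegal user guest from 192.0.2.10 port 50811 ssh2.
sshd : PID 3224 : Failed password for root from 192.0.2.10 port 50902 ssh2.
sshd : PID 3301 : Failed password for illegal user admin from 198.51.100.7 port 41022 ssh2.
sshd : PID 3305 : Accepted password for webdev from 203.0.113.5 port 52000 ssh2.
"""

# Matches failures for both existing accounts ("for root") and unknown ones
# ("for illegal user X"; newer OpenSSH releases log "invalid user X").
FAILED = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

def summarize_failures(log_text):
    """Group failed sshd logins by source IP: attempt count, user names, ports."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not a failed-password line, or the address is missing
        entry = stats[m.group("ip")]
        entry["attempts"] += 1
        entry["users"].add(m.group("user"))
        entry["ports"].add(int(m.group("port")))
    return dict(stats)

def flag_sources(stats, threshold=3):
    """Source IPs with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if s["attempts"] >= threshold)

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s["attempts"], sorted(s["users"]), sorted(s["ports"]))
    print("over threshold:", flag_sources(stats))
```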
