RE: SSH scans... another possible solution
From: Ron Moore (ronald.moore_at_transcore.com)
Date: 12/20/04
- Previous message: Tim Kennedy: "Re: [incidents] SSH scans..."
- In reply to: Harald Nesland: "Re: SSH scans..."
- Next in thread: Dejan Markovic: "Re: SSH scans..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <harald@interweb.no>, "'Dejan Markovic'" <dejanmarkovic@hotmail.com>
Date: Mon, 20 Dec 2004 18:07:37 -0000
I am blocking a long list of regions of the world by assigned IP address
range in iptables/netfilter. In my case 99% of these are coming from a part
of the world we don't do business in.
If you can do that, a lot of this will go away.
Good luck,
Ron
> -----Original Message-----
> From: Harald Nesland [mailto:maillists-hn@interweb.no]
> Sent: Monday, December 20, 2004 4:19 PM
> To: Dejan Markovic
> Cc: INCIDENTS@SECURITYFOCUS.COM
> Subject: Re: SSH scans...
>
> Hi,
>
> You're not alone :)
>
> I'm being scanned too, from various IP addresses for various users.
>
> I guess the solution is to block SSH in your firewall, and open it to
> your needs.
>
> Dejan Markovic wrote:
> > Hi Guys,
> >
> > Don't know whether this is the right list, but need to ask if others have
> > the same entries in their logs for the past number of months. Let me take a
> > step back, I maintain a number of networks on different IP ranges and they
> > are all being probed by what looks like a tool, or maybe it is the same
> > group/script. The originating computers range from open proxies to owned
> > boxes and there are two distinct patterns I've seen so far. The following
> > scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> > caught my attention the first time a while back, and I'm still getting the
> > same scans on a daily basis:
> >
> > account/password from 210.245.168.28: 1 Time(s)
> > adam/password from 210.245.168.28: 1 Time(s)
> > adm/password from 210.245.168.28: 2 Time(s)
> > alan/password from 210.245.168.28: 1 Time(s)
> > apache/password from 210.245.168.28: 1 Time(s)
> > backup/password from 210.245.168.28: 1 Time(s)
> > cip51/password from 210.245.168.28: 1 Time(s)
> > cip52/password from 210.245.168.28: 1 Time(s)
> > cosmin/password from 210.245.168.28: 1 Time(s)
> > cyrus/password from 210.245.168.28: 1 Time(s)
> > data/password from 210.245.168.28: 1 Time(s)
> > frank/password from 210.245.168.28: 1 Time(s)
> > george/password from 210.245.168.28: 1 Time(s)
> > henry/password from 210.245.168.28: 1 Time(s)
> > horde/password from 210.245.168.28: 1 Time(s)
> > iceuser/password from 210.245.168.28: 1 Time(s)
> > irc/password from 210.245.168.28: 2 Time(s)
> > jane/password from 210.245.168.28: 1 Time(s)
> > john/password from 210.245.168.28: 1 Time(s)
> > master/password from 210.245.168.28: 1 Time(s)
> > matt/password from 210.245.168.28: 1 Time(s)
> > mysql/password from 210.245.168.28: 1 Time(s)
> > nobody/password from 210.245.168.28: 1 Time(s)
> > noc/password from 210.245.168.28: 1 Time(s)
> > operator/password from 210.245.168.28: 1 Time(s)
> > oracle/password from 210.245.168.28: 1 Time(s)
> > pamela/password from 210.245.168.28: 1 Time(s)
> > patrick/password from 210.245.168.28: 2 Time(s)
> > rolo/password from 210.245.168.28: 1 Time(s)
> > root/password from 210.245.168.28: 59 Time(s)
> > server/password from 210.245.168.28: 1 Time(s)
> > sybase/password from 210.245.168.28: 1 Time(s)
> > test/password from 210.245.168.28: 5 Time(s)
> > user/password from 210.245.168.28: 3 Time(s)
> > web/password from 210.245.168.28: 2 Time(s)
> > webmaster/password from 210.245.168.28: 1 Time(s)
> > www-data/password from 210.245.168.28: 1 Time(s)
> > www/password from 210.245.168.28: 1 Time(s)
> > wwwrun/password from 210.245.168.28: 1 Time(s)
> >
> > Regards,
> > Dan
>
> Cheers,
>
> --
> _____ __ ┌─────────────────────┬───────────────────────────┐
> |_ _\ \ / / | Harald Nesland | email: harald@interweb.no |
> | | \ \ /\ / / | Interweb Norge AS | t l f: +47 380 58 200 |
> | | \ V V / | Ægirsvei 10 | f a x: +47 380 58 201 |
> |___| \_/\_/ | 4630 Kristiansand | p g p: 0 x 43951F95 |
> www.interweb.no └─────────────────────┴───────────────────────────┘
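As an added example that is not part of any message in this thread, the Python below parses summary lines in the format Dan quoted, aggregates them per source address, flags sources showing the username-spray pattern, and renders the per-source netfilter drop rule that Ron's address-range blocking relies on. The sample lines (abridged from the excerpt, plus a constructed benign source 192.0.2.10) and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict

# Summary-line format quoted in the thread: "<user>/password from <ip>: <n> Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>\S+)/password from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<n>\d+) Time\(s\)\s*$"
)

# Constructed sample: abridged from the excerpt, 192.0.2.10 is an added benign source.
SAMPLE = """\
account/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
alice/password from 192.0.2.10: 2 Time(s)
"""

def parse_summary(text):
    """Per source address: total failed logins and a per-username breakdown."""
    stats = defaultdict(lambda: {"total": 0, "users": {}})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, other logwatch sections
        ip, user, n = m["ip"], m["user"], int(m["n"])
        stats[ip]["total"] += n
        stats[ip]["users"][user] = stats[ip]["users"].get(user, 0) + n
    return dict(stats)

def flag_bruteforce(stats, min_users=10, min_total=20):
    """Flag a source that sprays many usernames or hammers one account.
    The thresholds are assumed starting points, not values from the thread."""
    flagged = {}
    for ip, s in stats.items():
        top_user, top_n = max(s["users"].items(), key=lambda kv: kv[1])
        if len(s["users"]) >= min_users or s["total"] >= min_total:
            flagged[ip] = {"users": len(s["users"]), "total": s["total"],
                           "top_user": top_user, "top_n": top_n}
    return flagged

def drop_rules(flagged, port=22):
    """Render the per-source netfilter rule form Ron describes (printed, not applied)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = flag_bruteforce(parse_summary(SAMPLE))
    print("\n".join(drop_rules(hits)))
```

Because Dan notes the sources range from open proxies to owned boxes, per-address drops are a stopgap; restricting the SSH port to known source ranges, as Harald suggests, is the more durable control.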