RE: SSH scans... another possible solution

From: Ron Moore (ronald.moore_at_transcore.com)
Date: 12/20/04

    To: <harald@interweb.no>, "'Dejan Markovic'" <dejanmarkovic@hotmail.com>
    Date: Mon, 20 Dec 2004 18:07:37 -0000
    
    

    I am blocking a long list of regions of the world by assigned IP address
    range in iptables/netfilter. In my case 99% of these are coming from a part
    of the world we don't do business in.

    If you can do that a lot of this will go away.

    Good luck,

    Ron

    > -----Original Message-----
    > From: Harald Nesland [mailto:maillists-hn@interweb.no]
    > Sent: Monday, December 20, 2004 4:19 PM
    > To: Dejan Markovic
    > Cc: INCIDENTS@SECURITYFOCUS.COM
    > Subject: Re: SSH scans...
    >
    > Hi,
    >
    > You're not alone :)
    >
    > I'm being scanned too, from various IP addresses for various users.
    >
    > I guess the solution is to block SSH in your firewall, and open it to
    > your needs.
    >
    > Dejan Markovic wrote:
    > > Hi Guys,
    > >
    > > Don't know whether this is the right list, but need to ask if others
    > > have the same entries in their logs for the past number of months. Let
    > > me take a step back: I maintain a number of networks on different IP
    > > ranges and they are all being probed by what looks like a tool, or
    > > maybe it is the same group/script. The originating computers range from
    > > open proxies to owned boxes and there are two distinct patterns I've
    > > seen so far. The following scan is a recent example where the
    > > root/password from x.x.x.x: 59 Time(s) caught my attention the first
    > > time a while back, and still getting the same scans on a daily basis:
    > >
    > > account/password from 210.245.168.28: 1 Time(s)
    > > adam/password from 210.245.168.28: 1 Time(s)
    > > adm/password from 210.245.168.28: 2 Time(s)
    > > alan/password from 210.245.168.28: 1 Time(s)
    > > apache/password from 210.245.168.28: 1 Time(s)
    > > backup/password from 210.245.168.28: 1 Time(s)
    > > cip51/password from 210.245.168.28: 1 Time(s)
    > > cip52/password from 210.245.168.28: 1 Time(s)
    > > cosmin/password from 210.245.168.28: 1 Time(s)
    > > cyrus/password from 210.245.168.28: 1 Time(s)
    > > data/password from 210.245.168.28: 1 Time(s)
    > > frank/password from 210.245.168.28: 1 Time(s)
    > > george/password from 210.245.168.28: 1 Time(s)
    > > henry/password from 210.245.168.28: 1 Time(s)
    > > horde/password from 210.245.168.28: 1 Time(s)
    > > iceuser/password from 210.245.168.28: 1 Time(s)
    > > irc/password from 210.245.168.28: 2 Time(s)
    > > jane/password from 210.245.168.28: 1 Time(s)
    > > john/password from 210.245.168.28: 1 Time(s)
    > > master/password from 210.245.168.28: 1 Time(s)
    > > matt/password from 210.245.168.28: 1 Time(s)
    > > mysql/password from 210.245.168.28: 1 Time(s)
    > > nobody/password from 210.245.168.28: 1 Time(s)
    > > noc/password from 210.245.168.28: 1 Time(s)
    > > operator/password from 210.245.168.28: 1 Time(s)
    > > oracle/password from 210.245.168.28: 1 Time(s)
    > > pamela/password from 210.245.168.28: 1 Time(s)
    > > patrick/password from 210.245.168.28: 2 Time(s)
    > > rolo/password from 210.245.168.28: 1 Time(s)
    > > root/password from 210.245.168.28: 59 Time(s)
    > > server/password from 210.245.168.28: 1 Time(s)
    > > sybase/password from 210.245.168.28: 1 Time(s)
    > > test/password from 210.245.168.28: 5 Time(s)
    > > user/password from 210.245.168.28: 3 Time(s)
    > > web/password from 210.245.168.28: 2 Time(s)
    > > webmaster/password from 210.245.168.28: 1 Time(s)
    > > www-data/password from 210.245.168.28: 1 Time(s)
    > > www/password from 210.245.168.28: 1 Time(s)
    > > wwwrun/password from 210.245.168.28: 1 Time(s)
    > >
    > > Regards,
    > > Dan
    >
    > Cheers,
    >
    > --
    > Harald Nesland      | email: harald@interweb.no
    > Interweb Norge AS   | tlf:   +47 380 58 200
    > Ægirsvei 10         | fax:   +47 380 58 201
    > 4630 Kristiansand   | pgp:   0x43951F95
    > www.interweb.no
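Added example, not part of the thread: a small detector for the pattern Dan describes (one source walking a username list, with root tried hardest), run over constructed sshd auth-log lines of the raw form that logwatch condenses into the "user/password from IP: N Time(s)" summary quoted above. The hostname, timestamps, PIDs and the 192.0.2.10 admin host are constructed; the scanning address is the one in the quoted logs.

```python
"""Flag SSH password-guessing sources from sshd 'Failed password' log lines.
Added example (not from the thread): the raw lines that logwatch summarises
into the 'user/password from IP: N Time(s)' form quoted above.
"""
import re
from collections import defaultdict

# Standard OpenSSH auth-log wording; 'invalid user ' is absent for accounts
# that exist on the host (root, in the thread's logs).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")

def parse_failures(lines):
    """Return {src_ip: {user: count}} over every failed password attempt."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_src[m.group("src")][m.group("user")] += 1
    return per_src

def summarize(per_src):
    """Logwatch-style lines, same shape as the excerpt in the thread."""
    return [f"{u}/password from {s}: {n} Time(s)"
            for s in sorted(per_src) for u, n in sorted(per_src[s].items())]

def flag_scanners(per_src, min_users=10, min_attempts=20):
    """Sources that tried many distinct usernames: the thread's scan pattern."""
    hits = []
    for src, users in per_src.items():
        total = sum(users.values())
        if len(users) >= min_users and total >= min_attempts:
            hits.append((src, len(users), total, max(users, key=users.get)))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample: the thread's scanning address walking a user list, plus
# one failed root login from a constructed (documentation-range) admin host.
USERS = ["account", "adam", "adm", "alan", "apache", "backup", "cyrus",
         "mysql", "oracle", "test", "test", "www"] + ["root"] * 15
SAMPLE = [f"Dec 20 16:19:{i:02d} gw sshd[{400 + i}]: Failed password for "
          f"{'' if u == 'root' else 'invalid user '}{u} from 210.245.168.28 "
          f"port {40000 + i} ssh2" for i, u in enumerate(USERS)]
SAMPLE.append("Dec 20 16:21:00 gw sshd[600]: Failed password for root "
              "from 192.0.2.10 port 60000 ssh2")

if __name__ == "__main__":
    for hit in flag_scanners(parse_failures(SAMPLE)):
        print("FLAG %s: %d users, %d attempts, most tried: %s" % hit)
```

The single failed root login from the admin host stays below both thresholds, so only the source that walked the username list is reported; tune the thresholds to the size of the user population on the host.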

