Re: SSH scans...

From: Raymond Lillard (rlillard_at_sonic.net)
Date: 12/20/04

  • Next message: Peter Willis: "Re: SSH scans..." 
    Date: Mon, 20 Dec 2004 10:45:55 -0800
To: Dejan Markovic <dejanmarkovic@hotmail.com>

    Dejan Markovic wrote:
    > Hi Guys,
    >
    > Don't know whether this is the right list, but need to ask if others have
    > the same entries in their logs for the past number of months. Let me take a
    > step back, I maintain a number of networks on different IP ranges and they
    > are all being probed by what looks like a tool, or maybe it is the same
    > group/script. The originating computers range from open proxies to owned
    > boxes and there are two distinct patterns I've seen so far. The following
    > scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
    > caught my attention the first time a while back, and still getting the same
    > scans on a daily basis:
    >
    > account/password from 210.245.168.28: 1 Time(s)
    > adam/password from 210.245.168.28: 1 Time(s)

    snippage ........

    Everybody is getting hit with this non-sense and anybody
    who administrates a network that is compromised by it
    should be banned from computer administration.

    This should fail for at least these reasons:

    1. "ssh" should be configured to prohibit root logins

    2. All machines should be configured to prohibit
         direct root logins except on the physical console

    3. Proper attention to passwords

    If the above is in order, you are in no danger.

    Ray

    PS I'm curious, has anybody heard of these scans
          compromising a machine, ever?

  • Next message: Peter Willis: "Re: SSH scans..."