Firewall Wizards mailing list archives

Re: SSH brute force attack

From: David Ross <David.Ross () isrc qut edu au>
Date: Sun, 03 Jul 2005 21:37:43 +0000

Toderick, Lee W wrote:

Our computers running SSH daemons have logged attacks. The attacks begin
with a scan logged "Did not receive identification string from x.x.x.x",
followed approximately 15 minutes later with "Illegal user " or " Failed

password for root".

Does anyone have information or documentation about this scan/attack?


I see it daily - and usually ignore it.

Sometimes I filter the address blocks if they belong to ISPs incountries that I am unlikely to visit (and hence ssh from).

That keeps the logs manageable.

--
David Ross
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: SSH brute force attack Paul Melson (Jul 01)
- <Possible follow-ups>
- Re: SSH brute force attack Mark Tinberg (Jul 01)
- RE: SSH brute force attack Mathew Want (Jul 01)
- Re: SSH brute force attack David Ross (Jul 05)
  - Re: SSH brute force attack Marko Jakovljevic (Jul 06)
- RE: SSH brute force attack Mark Ness (Jul 18)
- Re: RE: SSH brute force attack Mark Ness (Jul 21)
  - Re: RE: SSH brute force attack Christine Kronberg (Jul 21)