Security Incidents mailing list archives
RE: SSH scans... another possible solution
From: "Ron Moore" <ronald.moore () transcore com>
Date: Mon, 20 Dec 2004 18:07:37 -0000
I am blocking a long list of regions of the world by assigned IP address range in iptables/netfilter. In my case 99% of these are coming from a part of the world we don't do business in. If you can do that a lot of this will go away.

Good luck,
Ron

-----Original Message-----
From: Harald Nesland [mailto:maillists-hn () interweb no]
Sent: Monday, December 20, 2004 4:19 PM
To: Dejan Markovic
Cc: INCIDENTS () SECURITYFOCUS COM
Subject: Re: SSH scans...

Hi,

You're not alone :) I'm being scanned too, from various ip-addresses for various users. I guess the solution is to block SSH in your firewall, and open it to your needs.

Dejan Markovic wrote:

> Hi Guys,
>
> Don't know whether this is the right list, but need to ask if others have the same entries in their logs for the past number of months. Let me take a step back, I maintain a number of networks on different IP ranges and they are all being probed by what looks like a tool, or maybe it is the same group/script. The originating computers range from open proxies to owned boxes and there are two distinct patterns I've seen so far. The following scan is a recent example where the root/password from x.x.x.x: 59 Time(s) caught my attention the first time a while back, and still getting the same scans on a daily basis:
>
> account/password from 210.245.168.28: 1 Time(s)
> adam/password from 210.245.168.28: 1 Time(s)
> adm/password from 210.245.168.28: 2 Time(s)
> alan/password from 210.245.168.28: 1 Time(s)
> apache/password from 210.245.168.28: 1 Time(s)
> backup/password from 210.245.168.28: 1 Time(s)
> cip51/password from 210.245.168.28: 1 Time(s)
> cip52/password from 210.245.168.28: 1 Time(s)
> cosmin/password from 210.245.168.28: 1 Time(s)
> cyrus/password from 210.245.168.28: 1 Time(s)
> data/password from 210.245.168.28: 1 Time(s)
> frank/password from 210.245.168.28: 1 Time(s)
> george/password from 210.245.168.28: 1 Time(s)
> henry/password from 210.245.168.28: 1 Time(s)
> horde/password from 210.245.168.28: 1 Time(s)
> iceuser/password from 210.245.168.28: 1 Time(s)
> irc/password from 210.245.168.28: 2 Time(s)
> jane/password from 210.245.168.28: 1 Time(s)
> john/password from 210.245.168.28: 1 Time(s)
> master/password from 210.245.168.28: 1 Time(s)
> matt/password from 210.245.168.28: 1 Time(s)
> mysql/password from 210.245.168.28: 1 Time(s)
> nobody/password from 210.245.168.28: 1 Time(s)
> noc/password from 210.245.168.28: 1 Time(s)
> operator/password from 210.245.168.28: 1 Time(s)
> oracle/password from 210.245.168.28: 1 Time(s)
> pamela/password from 210.245.168.28: 1 Time(s)
> patrick/password from 210.245.168.28: 2 Time(s)
> rolo/password from 210.245.168.28: 1 Time(s)
> root/password from 210.245.168.28: 59 Time(s)
> server/password from 210.245.168.28: 1 Time(s)
> sybase/password from 210.245.168.28: 1 Time(s)
> test/password from 210.245.168.28: 5 Time(s)
> user/password from 210.245.168.28: 3 Time(s)
> web/password from 210.245.168.28: 2 Time(s)
> webmaster/password from 210.245.168.28: 1 Time(s)
> www-data/password from 210.245.168.28: 1 Time(s)
> www/password from 210.245.168.28: 1 Time(s)
> wwwrun/password from 210.245.168.28: 1 Time(s)
>
> Regards,
> Dan

Cheers,
--
Harald Nesland    | email: harald () interweb no
Interweb Norge AS | t l f: +47 380 58 200
Ægirsvei 10       | f a x: +47 380 58 201
4630 Kristiansand | p g p: 0 x 43951F95
www.interweb.no
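
Added example, not part of any message in this thread: a small parser for the "user/password from IP: N Time(s)" summary lines quoted above that totals attempts and distinct usernames per source and flags sources that look like a username dictionary scan, as candidates for the firewall blocks discussed in the replies. The function names and thresholds are assumptions for illustration, and the 192.0.2.10 sample line is constructed.

```python
import re
from collections import defaultdict

# Summary line format as quoted in the thread:
#   "<user>/password from <ip>: <n> Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>\S+)/password from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<count>\d+) Time\(s\)\s*$"
)

def summarize(lines):
    """Aggregate per source IP: set of usernames tried and total attempts."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a summary line
        entry = stats[m["ip"]]
        entry["users"].add(m["user"])
        entry["attempts"] += int(m["count"])
    return dict(stats)

def flag_scanners(stats, min_users=5, min_attempts=20):
    """Return source IPs that tried many usernames or made many attempts.

    Thresholds are assumptions for this example; tune them to your traffic.
    """
    return sorted(
        ip for ip, s in stats.items()
        if len(s["users"]) >= min_users or s["attempts"] >= min_attempts
    )

# Sample input: the 210.245.168.28 lines are from the quoted log,
# the 192.0.2.10 line is constructed (documentation address range).
SAMPLE = """\
adm/password from 210.245.168.28: 2 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
alice/password from 192.0.2.10: 2 Time(s)
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in flag_scanners(stats):
        s = stats[ip]
        print(f"{ip}: {s['attempts']} attempts across {len(s['users'])} usernames")
```

A single mistyped login from a legitimate address stays below both thresholds, so review the flagged list before turning it into firewall rules.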