nanog mailing list archives
Constant low-level attack
From: Lou Katz <lou () metron com>
Date: Thu, 28 Jun 2012 13:31:56 -0700
The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines of the form: Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159 In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe. I doubt if this is a surprise to anyone - my question is twofold: 1. Does anyone want this evergrowing list of, I assume, compromised machines? 2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have done that and do see a certain amount of repeat hits. -=[L]=- --
Current thread:
- Constant low-level attack Lou Katz (Jun 28)
- Re: Constant low-level attack TR Shaw (Jun 28)
- Re: Constant low-level attack Alain Hebert (Jun 29)
- Re: Constant low-level attack Denys Fedoryshchenko (Jun 28)
- Re: Constant low-level attack Rich Kulawiec (Jun 29)
- Re: Constant low-level attack TR Shaw (Jun 28)