I am blocking a long list of regions of the world by assigned ip address
range in iptables/netfilter. In my case 99% of these are coming from a part
of the world, we don?t do business in.
If you can do that a lot of this will go away.
Good luck,
Ron
-----Original Message-----
From: Harald Nesland [mailto:maillists-hn@interweb.no]
Sent: Monday, December 20, 2004 4:19 PM
To: Dejan Markovic
Cc: INCIDENTS@SECURITYFOCUS.COM
Subject: Re: SSH scans...
Hi,
You're not alone :)
I'm beeing scanned too, from various ip-addresses for various users.
I guess the solution is to block SSH in your firewall, and open it to
your needs.
Dejan Markovic wrote:
Hi Guys,
Don't know whether this is the right list, but need to ask if others
have
the same entries in their logs for the past number of months. Let me
take a
step back, I maintain a number of networks on different IP ranges and
they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The
following
scan is a recent example where the root/password from x.x.x.x: 59
Time(s)
caught my attention the first time a while back, and still getting the
same
scans on a daily basis:
account/password from 210.245.168.28: 1 Time(s)
adam/password from 210.245.168.28: 1 Time(s)
adm/password from 210.245.168.28: 2 Time(s)
alan/password from 210.245.168.28: 1 Time(s)
apache/password from 210.245.168.28: 1 Time(s)
backup/password from 210.245.168.28: 1 Time(s)
cip51/password from 210.245.168.28: 1 Time(s)
cip52/password from 210.245.168.28: 1 Time(s)
cosmin/password from 210.245.168.28: 1 Time(s)
cyrus/password from 210.245.168.28: 1 Time(s)
data/password from 210.245.168.28: 1 Time(s)
frank/password from 210.245.168.28: 1 Time(s)
george/password from 210.245.168.28: 1 Time(s)
henry/password from 210.245.168.28: 1 Time(s)
horde/password from 210.245.168.28: 1 Time(s)
iceuser/password from 210.245.168.28: 1 Time(s)
irc/password from 210.245.168.28: 2 Time(s)
jane/password from 210.245.168.28: 1 Time(s)
john/password from 210.245.168.28: 1 Time(s)
master/password from 210.245.168.28: 1 Time(s)
matt/password from 210.245.168.28: 1 Time(s)
mysql/password from 210.245.168.28: 1 Time(s)
nobody/password from 210.245.168.28: 1 Time(s)
noc/password from 210.245.168.28: 1 Time(s)
operator/password from 210.245.168.28: 1 Time(s)
oracle/password from 210.245.168.28: 1 Time(s)
pamela/password from 210.245.168.28: 1 Time(s)
patrick/password from 210.245.168.28: 2 Time(s)
rolo/password from 210.245.168.28: 1 Time(s)
root/password from 210.245.168.28: 59 Time(s)
server/password from 210.245.168.28: 1 Time(s)
sybase/password from 210.245.168.28: 1 Time(s)
test/password from 210.245.168.28: 5 Time(s)
user/password from 210.245.168.28: 3 Time(s)
web/password from 210.245.168.28: 2 Time(s)
webmaster/password from 210.245.168.28: 1 Time(s)
www-data/password from 210.245.168.28: 1 Time(s)
www/password from 210.245.168.28: 1 Time(s)
wwwrun/password from 210.245.168.28: 1 Time(s)
Regards,
Dan
Cheers,
--
_____ __ Ú---------------------Â---------------------------¿
|_ _\ \ / / | Harald Nesland | email: harald@interweb.no |
| | \ \ /\ / / | Interweb Norge AS | t l f: +47 380 58 200 |
| | \ V V / | Ægirsvei 10 | f a x: +47 380 58 201 |
|___| \_/\_/ | 4630 Kristiansand | p g p: 0 x 43951F95 |
www.interweb.no À---------------------Á---------------------------Ù
