Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SSH connection attempts in logs.

from [ChromeSilver] Network Security [Permanent Link]
Subject: Re: SSH connection attempts in logs.
Date: Thu, 27 Sep 2007 07:36:02 +0200 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Denton schrieb:

Well, I wouldn't lean toward anything that tries to connect on port 22 as
noise. I would verify that the src IP address isn't some legitimate attempt
to connect by an application that is simply misconfigured. If it's not
legit, block it. In that case it's most likely an attack, or it could be a
port scanner. Just my two cents.



xxx.xxx.xxx.xxx = them
yyy.yyy.yyy.yyy = me

c=262144 m=98 msg="Connection Opened" n=187596
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:22:X1 proto=tcp/22
c=1024 m=537 msg="Connection Closed" n=139129
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:0:X1 proto=tcp/0


Yep,

that's my guess too. It's some kind of port scanner very likely. Since
it isn't probing weak accounts (like root /w empty pw), so it cant be a
vuln scanner. But I wouldn't suggest blocking that IP, it could be a
dial-up conn. Better do a whois on that IP and then tell the ISP that
you're most likely being scanned from it. Then you could, eg. contact
that person via snailmail and let it know that there's an aware admin
online...

Grz,
ChromeSilver

- --
"If light be the brightest light...
Wherfore then doth it shadows cast?"
- -R.Rohonyi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFG+0FCDZBprASGxfQRAmZ5AKCUOfJqIrxhlAUkrpfrMdNOHe0X+wCeL8oE
+NQu5JZ+eKqnQMlw8ZkPHvE=
=46vA
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  webdav security problem, bag
Next by Date:  Re: webdav security problem, krymson
Previous by Thread:  RE: SSH connection attempts in logs., Dan Denton
Next by Thread:  Hardware Deny?, twofish
Indexes:  [Date] [Thread] [Top] [All Lists]