Educause Security Discussion mailing list archives

Re: Uptick in SSH attempts; anyone else ?

From: "Lorenz, Eva" <evalorenz () UNC EDU>
Date: Mon, 18 Jan 2010 14:18:35 -0500

We had an increased number of SSH attempts over the weekend, starting late Friday night.
Fri to Sat IPs from European countries, a lot of German IPs, then also some US, China, Brazil and Russia
Sat to Sunday Germany, Russia and Brazil

 - Eva

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Daviel 
[advax () TRIUMF CA]
Sent: Monday, January 18, 2010 2:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Uptick in SSH attempts; anyone else ?

We monitor and block attempts to brute-force SSH logins.
Usually we block a few a day, with at most about 60.

Over the weekend we had a spike of over 500. I.e. 500 separate source addresses
trying to login to multiple accounts/machines using 1000 different IDs.

Anyone else seen this, or is it just us ?

(BTW, my previous collection of attempted ID/passwords - from a hacked
sshd - is at http://andrew.triumf.ca/ssh_pass_file2.html )

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

Current thread:

Uptick in SSH attempts; anyone else ? Andrew Daviel (Jan 18)
- <Possible follow-ups>
- Re: Uptick in SSH attempts; anyone else ? Lorenz, Eva (Jan 18)
- Re: Uptick in SSH attempts; anyone else ? Ken Connelly (Jan 18)
- Re: Uptick in SSH attempts; anyone else ? Anthony Maszeroski (Jan 18)