Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSH scans...

From: Raymond Lillard <rlillard () sonic net>
Date: Mon, 20 Dec 2004 10:45:55 -0800
Dejan Markovic wrote:

Hi Guys,

Don't know whether this is the right list, but need to ask if others have
the same entries in their logs for the past number of months. Let me take a
step back, I maintain a number of networks on different IP ranges and they
are all being probed by what looks like a tool, or maybe it is the same
group/script. The originating computers range from open proxies to owned
boxes and there are two distinct patterns I've seen so far. The following
scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
caught my attention the first time a while back, and still getting the same
scans on a daily basis:

account/password    from 210.245.168.28: 1 Time(s)
adam/password    from 210.245.168.28: 1 Time(s)


snippage ........

Everybody is getting hit with this non-sense and anybody
who administrates a network that is compromised by it
should be banned from computer administration.

This should fail for at least these reasons:

1.  "ssh" should be configured to prohibit root logins

2.  All machines should be configured to prohibit
    direct root logins except on the physical console

3.  Proper attention to passwords

If the above is in order, you are in no danger.

Ray

PS   I'm curious, has anybody heard of these scans
     compromising a machine, ever?
Previous By Date Next
Previous By Thread Next

Current thread: