Re: SSH scans...

["Dejan Markovic" <dejanmarkovic () hotmail com>]

Hi Paulo,

Just replied to Brian, he wrote a code called timelox, it's been posted on
the list, I'll check it out later when I get a chance, but seems to do just
that. Talk to you later. Thanks,

Regards,
Dan

----- Original Message ----- 
From: "nixsec" <nixsec () area66 org>
To: "Dejan Markovic" <dejanmarkovic () hotmail com>
Cc: <INCIDENTS () securityfocus com>
Sent: Tuesday, December 21, 2004 5:46 PM
Subject: Re: SSH scans...


I have gotten these attacks before and did some research on it, its a
SSH bruteforce  program released a few months ago that can be located at:
http://www.k-otik.com/exploits/08202004.brutessh2.c.php

Something that would be nice is some feature in ssh that would only
allow 3 login atempts from 1 IP, if they get it wrong 3 times to
automaticly block any connections from that ip.

Paulo Ferreira.



Dejan Markovic wrote:

> Hi Guys,
>
> Don't know whether this is the right list, but need to ask if others have
> the same entries in their logs for the past number of months. Let me take a
> step back, I maintain a number of networks on different IP ranges and they
> are all being probed by what looks like a tool, or maybe it is the same
> group/script. The originating computers range from open proxies to owned
> boxes and there are two distinct patterns I've seen so far. The following
> scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> caught my attention the first time a while back, and still getting the same
> scans on a daily basis:
>
> account/password    from 210.245.168.28: 1 Time(s)
> adam/password    from 210.245.168.28: 1 Time(s)
> adm/password    from 210.245.168.28: 2 Time(s)
> alan/password    from 210.245.168.28: 1 Time(s)
> apache/password    from 210.245.168.28: 1 Time(s)
> backup/password    from 210.245.168.28: 1 Time(s)
> cip51/password    from 210.245.168.28: 1 Time(s)
> cip52/password    from 210.245.168.28: 1 Time(s)
> cosmin/password    from 210.245.168.28: 1 Time(s)
> cyrus/password    from 210.245.168.28: 1 Time(s)
> data/password    from 210.245.168.28: 1 Time(s)
> frank/password    from 210.245.168.28: 1 Time(s)
> george/password    from 210.245.168.28: 1 Time(s)
> henry/password    from 210.245.168.28: 1 Time(s)
> horde/password    from 210.245.168.28: 1 Time(s)
> iceuser/password    from 210.245.168.28: 1 Time(s)
> irc/password    from 210.245.168.28: 2 Time(s)
> jane/password    from 210.245.168.28: 1 Time(s)
> john/password    from 210.245.168.28: 1 Time(s)
> master/password    from 210.245.168.28: 1 Time(s)
> matt/password    from 210.245.168.28: 1 Time(s)
> mysql/password    from 210.245.168.28: 1 Time(s)
> nobody/password    from 210.245.168.28: 1 Time(s)
> noc/password    from 210.245.168.28: 1 Time(s)
> operator/password    from 210.245.168.28: 1 Time(s)
> oracle/password    from 210.245.168.28: 1 Time(s)
> pamela/password    from 210.245.168.28: 1 Time(s)
> patrick/password    from 210.245.168.28: 2 Time(s)
> rolo/password    from 210.245.168.28: 1 Time(s)
> root/password    from 210.245.168.28: 59 Time(s)
> server/password    from 210.245.168.28: 1 Time(s)
> sybase/password    from 210.245.168.28: 1 Time(s)
> test/password    from 210.245.168.28: 5 Time(s)
> user/password    from 210.245.168.28: 3 Time(s)
> web/password    from 210.245.168.28: 2 Time(s)
> webmaster/password    from 210.245.168.28: 1 Time(s)
> www-data/password    from 210.245.168.28: 1 Time(s)
> www/password    from 210.245.168.28: 1 Time(s)
> wwwrun/password    from 210.245.168.28: 1 Time(s)
>
> Regards,
> Dan