Security Incidents mailing list archives
Re: Internet SSH scans
From: Matt Rae <raema () osuosl org>
Date: Fri, 03 Mar 2006 16:18:53 -0800
Hi,

I don't think there is much to worry about these scans. It's more annoying than anything to have your logs full of brute force ssh attempts.

One of my colleagues wrote and has had success with iptables rules to keep the log spam to a minimum. The rules track new ssh connections. If there have been 5 connections from a single host in the past 60 seconds then the connection is dropped. Theoretically a worm could wait and attempt connecting again, but they don't seem to.

# Record the source of every NEW connection to port 22 arriving on the
# external interface ($EXTERNAL) in the "sshscans" list.
iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
# Drop packets from any source with 5 or more recorded hits in the last 60 seconds.
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP

Alexandre H wrote:
> Hi, I've witnessed what I think is an increase in SSH scans over the Internet in the past four or five weeks. The scan seems to originate from various countries around the globe which makes me think of it to be a worm-like spreading virus searching for vulnerable systems running the SSH service. I confirmed the attack with a friend of mine who also happens to run a SSH server at home. We both live in Montreal, QC, Canada and are using the same ISP.
--
Matt Rae
Open Source Lab
Oregon State University
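
Added example, not part of the message above or of the posted rules: a simplified Python model of how the two `recent` rules treat NEW connections to port 22, run over constructed traffic. It assumes the `--set` rule is evaluated before the `--rcheck` rule, in the order posted; the function names and sample addresses are made up for the illustration.

```python
from collections import defaultdict, deque

def simulate(attempts, seconds=60, hitcount=5):
    """Model the two rules for NEW TCP/22 connections.

    attempts: (timestamp_in_seconds, source_ip) tuples in time order.
    Returns (timestamp, source_ip, verdict), verdict being "ACCEPT" or "DROP".
    """
    stamps = defaultdict(deque)  # per-source hit times, like the "sshscans" list
    verdicts = []
    for ts, src in attempts:
        recent = stamps[src]
        # Rule 1 (--set) runs first, so the current attempt is counted
        # even if rule 2 then drops it.
        recent.append(ts)
        # Forget hits that have aged out of the --seconds window.
        while ts - recent[0] > seconds:
            recent.popleft()
        # Rule 2 (--rcheck --seconds --hitcount): drop at or above the threshold.
        verdict = "DROP" if len(recent) >= hitcount else "ACCEPT"
        verdicts.append((ts, src, verdict))
    return verdicts

def summarize(verdicts):
    """Count ACCEPT and DROP verdicts per source address."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, verdict in verdicts:
        counts[src][verdict] += 1
    return {src: dict(c) for src, c in counts.items()}

# Constructed sample traffic (documentation address ranges, not real hosts).
FAST_SOURCE = [(t, "192.0.2.10") for t in range(0, 60, 2)]      # 30 tries, 2 s apart
SLOW_SOURCE = [(t, "198.51.100.7") for t in range(0, 600, 20)]  # 30 tries, 20 s apart
ADMIN_BATCH = [(t, "203.0.113.5") for t in range(100, 130, 5)]  # 6 scripted logins

def run_sample():
    traffic = sorted(FAST_SOURCE + SLOW_SOURCE + ADMIN_BATCH)
    return summarize(simulate(traffic))

if __name__ == "__main__":
    for src, counts in run_sample().items():
        print(src, counts)
```

In the sample, the source retrying every 2 seconds is dropped from its fifth attempt on and stays dropped because its retries keep being recorded, while the source spacing attempts 20 seconds apart never reaches the threshold. The batch of six legitimate logins within 25 seconds loses its last two, which is the side effect to plan for when choosing the hit count.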