Security Incidents mailing list archives

Re: Internet SSH scans


From: Matt Rae <raema () osuosl org>
Date: Fri, 03 Mar 2006 16:18:53 -0800

Hi, I don't think there is much to worry about with these scans. It's more
annoying than anything to have your logs full of brute force ssh
attempts. One of my colleagues wrote and has had success with iptables
rules to keep the log spam to a minimum.

The rules track new ssh connections. If there have been 5
connections from a single host in the past 60 seconds, the
connection is dropped. Theoretically a worm could wait and attempt
connecting again, but they don't seem to.

# Record each new SSH connection from the external interface in the
# "sshscans" list, keyed by source address.
iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
# Drop traffic from any source recorded 5 or more times in the last 60
# seconds. Note this matches every packet from that source, not only
# SSH, until 60 seconds pass with no new attempt (--set refreshes the entry).
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP


Alexandre H wrote:
Hi,

I've witnessed what I think is an increase in SSH scans over the
Internet in the past four or five weeks. The scan seems to originate
from various countries around the globe, which makes me think it is
a worm-like spreading virus searching for vulnerable systems running the
SSH service. I confirmed the attack with a friend of mine who also
happens to run an SSH server at home. We both live in Montreal, QC,
Canada and are using the same ISP.


-- 
Matt Rae
Open Source Lab
Oregon State University

Attachment: signature.asc
Description: OpenPGP digital signature
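The same 5-attempts-in-60-seconds threshold as the iptables rules above, applied to sshd log lines instead of at the firewall, as an added example that is not part of the original post. The log lines are constructed samples; the window and hit count come from the rules, and the second source spaces its attempts 90 s apart to show the gap the post mentions (a scanner that waits is never flagged).

```python
"""Flag SSH sources that reach the same threshold as the iptables rules above
(5 attempts within 60 s), but from sshd log lines. Sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 16:10:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50100 ssh2
Mar  3 16:10:09 gw sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 50101 ssh2
Mar  3 16:10:17 gw sshd[2105]: Failed password for root from 203.0.113.5 port 50102 ssh2
Mar  3 16:10:25 gw sshd[2107]: Invalid user oracle from 203.0.113.5
Mar  3 16:10:33 gw sshd[2109]: Failed password for invalid user guest from 203.0.113.5 port 50104 ssh2
Mar  3 16:20:00 gw sshd[2120]: Failed password for invalid user admin from 192.0.2.9 port 33000 ssh2
Mar  3 16:21:30 gw sshd[2122]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2
Mar  3 16:23:00 gw sshd[2124]: Failed password for invalid user admin from 192.0.2.9 port 33002 ssh2
Mar  3 16:24:30 gw sshd[2126]: Failed password for invalid user admin from 192.0.2.9 port 33003 ssh2
Mar  3 16:26:00 gw sshd[2128]: Failed password for invalid user admin from 192.0.2.9 port 33004 ssh2
""".splitlines()

# Syslog-style sshd lines for a failed or invalid-user login attempt.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?:Failed password|Invalid user).* from (?P<ip>[\d.]+)")

def parse_line(line, year=2006):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def scanning_sources(lines, window=60, hitcount=5):
    """Map each source that made >= hitcount attempts inside `window` seconds
    to the timestamp at which it first crossed the threshold."""
    recent = defaultdict(deque)  # ip -> attempt times still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire, like --seconds 60
            q.popleft()
        if len(q) >= hitcount and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in scanning_sources(SAMPLE_LOG).items():
        print(f"{ip} reached 5 attempts in 60 s at {when}")
```

Widening the window (for example to 600 s) catches the slower source as well, at the cost of more false positives from legitimate users mistyping passwords.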
