nanog mailing list archives

Re: Constant low-level attack

From: Denys Fedoryshchenko <denys () visp net lb>
Date: Fri, 29 Jun 2012 00:53:56 +0300

On 2012-06-28 23:31, Lou Katz wrote:

The other day, I looked carefully at my auth.log (Xubuntu 11.04) and
discovered many lines
of the form:

      Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version
identification '\200F\001\003\001' from 94.252.177.159

In the past day, I have recorded about 20,000 unique IP addresses
used for this type of probe.
I doubt if this is a surprise to anyone - my question is twofold:

1. Does anyone want this evergrowing list of, I assume, compromisedmachines?

2. Is there anything useful to do with this info other than put the
IP addresses into a firewall reject table? I have done
   that and do see a certain amount of repeat hits.

-=[L]=-

You can use fail2ban to block bruteforcing hosts automatically and evenreport to your mail their whois info

http://www.fail2ban.org/

---
Denys Fedoryshchenko, Network Engineer, Virtual ISP S.A.L.

Current thread:

Constant low-level attack Lou Katz (Jun 28)
- Re: Constant low-level attack TR Shaw (Jun 28)
  - Re: Constant low-level attack Alain Hebert (Jun 29)
- Re: Constant low-level attack Denys Fedoryshchenko (Jun 28)
- Re: Constant low-level attack Rich Kulawiec (Jun 29)