Re: SSH connection attempts in logs.

[ChromeSilver <chromesilver () gmx net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Denton schrieb:
> Well, I wouldn't lean toward anything that tries to connect on port 22 as
> noise. I would verify that the src IP address isn't some legitimate attempt
> to connect by an application that is simply misconfigured. If it's not
> legit, block it. In that case it's most likely an attack, or it could be a
> port scanner. Just my two cents.

> xxx.xxx.xxx.xxx = them
> yyy.yyy.yyy.yyy = me
>
> c=262144 m=98 msg="Connection Opened" n=187596
> src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:22:X1 proto=tcp/22
> c=1024 m=537 msg="Connection Closed" n=139129
> src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:0:X1 proto=tcp/0

Yep,

that's my guess too. It's some kind of port scanner very likely. Since
it isn't probing weak accounts (like root /w empty pw), so it cant be a
vuln scanner. But I wouldn't suggest blocking that IP, it could be a
dial-up conn. Better do a whois on that IP and then tell the ISP that
you're most likely being scanned from it. Then you could, eg. contact
that person via snailmail and let it know that there's an aware admin
online...

Grz,
ChromeSilver

- --
"If light be the brightest light...
Wherfore then doth it shadows cast?"
- -R.Rohonyi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFG+0FCDZBprASGxfQRAmZ5AKCUOfJqIrxhlAUkrpfrMdNOHe0X+wCeL8oE
+NQu5JZ+eKqnQMlw8ZkPHvE=
=46vA
-----END PGP SIGNATURE-----