Security Basics mailing list archives
Re: SSH connection attempts in logs.
From: ChromeSilver <chromesilver () gmx net>
Date: Thu, 27 Sep 2007 07:36:02 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dan Denton schrieb:
Well, I wouldn't lean toward anything that tries to connect on port 22 as noise. I would verify that the src IP address isn't some legitimate attempt to connect by an application that is simply misconfigured. If it's not legit, block it. In that case it's most likely an attack, or it could be a port scanner. Just my two cents.
xxx.xxx.xxx.xxx = them yyy.yyy.yyy.yyy = me c=262144 m=98 msg="Connection Opened" n=187596 src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:22:X1 proto=tcp/22 c=1024 m=537 msg="Connection Closed" n=139129 src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:0:X1 proto=tcp/0
Yep, that's my guess too. It's some kind of port scanner very likely. Since it isn't probing weak accounts (like root /w empty pw), so it cant be a vuln scanner. But I wouldn't suggest blocking that IP, it could be a dial-up conn. Better do a whois on that IP and then tell the ISP that you're most likely being scanned from it. Then you could, eg. contact that person via snailmail and let it know that there's an aware admin online... Grz, ChromeSilver - -- "If light be the brightest light... Wherfore then doth it shadows cast?" - -R.Rohonyi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFG+0FCDZBprASGxfQRAmZ5AKCUOfJqIrxhlAUkrpfrMdNOHe0X+wCeL8oE +NQu5JZ+eKqnQMlw8ZkPHvE= =46vA -----END PGP SIGNATURE-----
Current thread:
- SSH connection attempts in logs. Nick Vaernhoej (Sep 25)
- RE: SSH connection attempts in logs. Dan Denton (Sep 25)
- Re: SSH connection attempts in logs. ChromeSilver (Sep 27)
- RE: SSH connection attempts in logs. Dan Denton (Sep 25)