Educause Security Discussion mailing list archives

Re: significant incoming SSH volume


From: Mike Iglesias <iglesias () UCI EDU>
Date: Tue, 16 Mar 2010 13:46:50 -0700

On 03/16/2010 01:07 PM, Justin Sipher wrote:
> Hello all.  We have seen a drastic uptick in recent days for inbound SSH
> connections to many of our servers.  These connections are attempting to
> connect to our servers as ROOT and are coming from IP addresses
> appearing to be mostly overseas.  They number in the thousands of
> connections.  While we are confident in the strength of our passwords,
> as you know with enough effort.......
>
> My questions to this group are:
>
>     * Is anyone else seeing this?

About once a month we get hit by ~700 different IPs probing systems with port
22 open.



>     * Are you doing anything to address this?  We are contemplating
>       blocking SSH inbound on our firewall and requiring any external
>       SSH connection to first connect to our VPN.  In some ways it seems
>       excessive and maybe even unsustainable.  On the other hand,
>       protecting our servers is important as you well know.

We block all inbound traffic except to systems registered as servers, so there
are a limited number of systems with port 22 exposed.


--
Mike Iglesias                          Email:       iglesias () uci edu
University of California, Irvine       phone:       949-824-6926
Office of Information Technology       FAX:         949-824-2270
