RE: SSH scans... another possible solution

["Ron Moore" <ronald.moore () transcore com>]

I am blocking a long list of regions of the world by assigned ip address
range in iptables/netfilter.  In my case 99% of these are coming from a part
of the world, we don’t do business in.

If you can do that a lot of this will go away.

Good luck,

Ron

> -----Original Message-----
> From: Harald Nesland [mailto:maillists-hn () interweb no]
> Sent: Monday, December 20, 2004 4:19 PM
> To: Dejan Markovic
> Cc: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: SSH scans...
>
> Hi,
>
> You're not alone :)
>
> I'm beeing scanned too, from various ip-addresses for various users.
>
> I guess the solution is to block SSH in your firewall, and open it to
> your needs.
>
> Dejan Markovic wrote:
> > Hi Guys,
> >
> > Don't know whether this is the right list, but need to ask if others
> have
> > the same entries in their logs for the past number of months. Let me
> take a
> > step back, I maintain a number of networks on different IP ranges and
> they
> > are all being probed by what looks like a tool, or maybe it is the same
> > group/script. The originating computers range from open proxies to owned
> > boxes and there are two distinct patterns I've seen so far. The
> following
> > scan is a recent example where the root/password from x.x.x.x: 59
> Time(s)
> > caught my attention the first time a while back, and still getting the
> same
> > scans on a daily basis:
> >
> > account/password    from 210.245.168.28: 1 Time(s)
> > adam/password    from 210.245.168.28: 1 Time(s)
> > adm/password    from 210.245.168.28: 2 Time(s)
> > alan/password    from 210.245.168.28: 1 Time(s)
> > apache/password    from 210.245.168.28: 1 Time(s)
> > backup/password    from 210.245.168.28: 1 Time(s)
> > cip51/password    from 210.245.168.28: 1 Time(s)
> > cip52/password    from 210.245.168.28: 1 Time(s)
> > cosmin/password    from 210.245.168.28: 1 Time(s)
> > cyrus/password    from 210.245.168.28: 1 Time(s)
> > data/password    from 210.245.168.28: 1 Time(s)
> > frank/password    from 210.245.168.28: 1 Time(s)
> > george/password    from 210.245.168.28: 1 Time(s)
> > henry/password    from 210.245.168.28: 1 Time(s)
> > horde/password    from 210.245.168.28: 1 Time(s)
> > iceuser/password    from 210.245.168.28: 1 Time(s)
> > irc/password    from 210.245.168.28: 2 Time(s)
> > jane/password    from 210.245.168.28: 1 Time(s)
> > john/password    from 210.245.168.28: 1 Time(s)
> > master/password    from 210.245.168.28: 1 Time(s)
> > matt/password    from 210.245.168.28: 1 Time(s)
> > mysql/password    from 210.245.168.28: 1 Time(s)
> > nobody/password    from 210.245.168.28: 1 Time(s)
> > noc/password    from 210.245.168.28: 1 Time(s)
> > operator/password    from 210.245.168.28: 1 Time(s)
> > oracle/password    from 210.245.168.28: 1 Time(s)
> > pamela/password    from 210.245.168.28: 1 Time(s)
> > patrick/password    from 210.245.168.28: 2 Time(s)
> > rolo/password    from 210.245.168.28: 1 Time(s)
> > root/password    from 210.245.168.28: 59 Time(s)
> > server/password    from 210.245.168.28: 1 Time(s)
> > sybase/password    from 210.245.168.28: 1 Time(s)
> > test/password    from 210.245.168.28: 5 Time(s)
> > user/password    from 210.245.168.28: 3 Time(s)
> > web/password    from 210.245.168.28: 2 Time(s)
> > webmaster/password    from 210.245.168.28: 1 Time(s)
> > www-data/password    from 210.245.168.28: 1 Time(s)
> > www/password    from 210.245.168.28: 1 Time(s)
> > wwwrun/password    from 210.245.168.28: 1 Time(s)
> >
> > Regards,
> > Dan
>
> Cheers,
>
> --
>    _____        __ Ú---------------------Â---------------------------¿
>   |_ _\ \      / / | Harald Nesland      | email: harald () interweb no |
>    | | \ \ /\ / /  | Interweb Norge AS   | t l f: +47 380 58 200     |
>    | |  \ V  V /   | Ægirsvei 10         | f a x: +47 380 58 201     |
>   |___|  \_/\_/    | 4630 Kristiansand   | p g p: 0 x 43951F95       |
>   www.interweb.no  À---------------------Á---------------------------Ù