Re: SSH scans...

[Peter Willis <psyphreak () phreaker net>]

Maybe this is a dumb question, but why not set up a honeynet or an IDS 
like snort and block addresses or networks as they begin scanning? Less 
administration needed and you don't have to block ranges larger than 
necessary...

Also, I threw together a little C app and script which will quickly find 
passwords commonly used in brute force attacks. You may be able to use 
it with cron to locate users with easily-guessed passwords and reset 
them so brute force attacks aren't as successful. 
http://freshmeat.net/p/dumbass/

Gerry Dalton wrote:

> I have seen similar probes over the last 2 months.  Most all have been from APNIC address blocks.  I got so tired of 
> some of it I just went ahead and blocked a full range of addresses from getting past our border routers.
>
> So far these have just been a nuisance.
>
> Gerry
>
>
>
> At 09:21 AM 12/20/2004, Dejan Markovic wrote:
>
>  
>
> > Hi Guys,
> >
> > Don't know whether this is the right list, but need to ask if others have
> > the same entries in their logs for the past number of months. Let me take a
> > step back, I maintain a number of networks on different IP ranges and they
> > are all being probed by what looks like a tool, or maybe it is the same
> > group/script. The originating computers range from open proxies to owned
> > boxes and there are two distinct patterns I've seen so far. The following
> > scan is a recent example where the root/password from x.x.x.x: 59 Time(s)
> > caught my attention the first time a while back, and still getting the same
> > scans on a daily basis:
> >
> > account/password    from 210.245.168.28: 1 Time(s)
> > adam/password    from 210.245.168.28: 1 Time(s)
> > adm/password    from 210.245.168.28: 2 Time(s)
> > alan/password    from 210.245.168.28: 1 Time(s)
> > apache/password    from 210.245.168.28: 1 Time(s)
> > backup/password    from 210.245.168.28: 1 Time(s)
> > cip51/password    from 210.245.168.28: 1 Time(s)
> > cip52/password    from 210.245.168.28: 1 Time(s)
> > cosmin/password    from 210.245.168.28: 1 Time(s)
> > cyrus/password    from 210.245.168.28: 1 Time(s)
> > data/password    from 210.245.168.28: 1 Time(s)
> > frank/password    from 210.245.168.28: 1 Time(s)
> > george/password    from 210.245.168.28: 1 Time(s)
> > henry/password    from 210.245.168.28: 1 Time(s)
> > horde/password    from 210.245.168.28: 1 Time(s)
> > iceuser/password    from 210.245.168.28: 1 Time(s)
> > irc/password    from 210.245.168.28: 2 Time(s)
> > jane/password    from 210.245.168.28: 1 Time(s)
> > john/password    from 210.245.168.28: 1 Time(s)
> > master/password    from 210.245.168.28: 1 Time(s)
> > matt/password    from 210.245.168.28: 1 Time(s)
> > mysql/password    from 210.245.168.28: 1 Time(s)
> > nobody/password    from 210.245.168.28: 1 Time(s)
> > noc/password    from 210.245.168.28: 1 Time(s)
> > operator/password    from 210.245.168.28: 1 Time(s)
> > oracle/password    from 210.245.168.28: 1 Time(s)
> > pamela/password    from 210.245.168.28: 1 Time(s)
> > patrick/password    from 210.245.168.28: 2 Time(s)
> > rolo/password    from 210.245.168.28: 1 Time(s)
> > root/password    from 210.245.168.28: 59 Time(s)
> > server/password    from 210.245.168.28: 1 Time(s)
> > sybase/password    from 210.245.168.28: 1 Time(s)
> > test/password    from 210.245.168.28: 5 Time(s)
> > user/password    from 210.245.168.28: 3 Time(s)
> > web/password    from 210.245.168.28: 2 Time(s)
> > webmaster/password    from 210.245.168.28: 1 Time(s)
> > www-data/password    from 210.245.168.28: 1 Time(s)
> > www/password    from 210.245.168.28: 1 Time(s)
> > wwwrun/password    from 210.245.168.28: 1 Time(s)
> >
> > Regards,
> > Dan
> >    
>
>