Security Incidents mailing list archives

Re: SSH probe attack afoot?

From: Stephen Warren <swarren () wwwdotorg org>
Date: Mon, 07 Feb 2005 16:55:50 -0700

On 6 Feb 2005, at 15:09, Bernie Cosell wrote:

We're now getting hammered with the third round of ssh probes in the last
four days [one from CA, one from Brazil and one from Virginia].  I was
wondering: is there some virus or the like floating around now that
leaves an ssh-hammering zombie in its wake?  Or is it just coincidental
that we have gotten three floods?


I got fed up with seeing this kind of thing in my logs.

So, I switched SSH to a non-default port, and it all went away:-)

Sometimes, security through obscurity is very useful. Now at least Ihave a small SSHD logfile, so I'll pay more attention to it if somethingshows up in it.

Of course, depending on your user-base, you might have to spend a lot oftime on user-education after this change.

Current thread:

SSH probe attack afoot? Bernie Cosell (Feb 07)
- Re: SSH probe attack afoot? Martin Sarsale (Feb 07)
  - Re: SSH probe attack afoot? Steve Bonds (Feb 07)
  - Re: SSH probe attack afoot? Steven Harrison (Feb 07)
- Re: SSH probe attack afoot? xyberpix (Feb 07)
  - Re: SSH probe attack afoot? Stephen Warren (Feb 08)
    - Re: SSH probe attack afoot? j () 65535 com (Feb 08)
- Re: SSH probe attack afoot? Barrie Dempster (Feb 07)
- Re: SSH probe attack afoot? j lake (Feb 08)
- Re: SSH probe attack afoot? Jeffrey Goldberg (Feb 12)
  - Re: SSH probe attack afoot? Stephen J. Smoogen (Feb 12)
  - Re: SSH probe attack afoot? Jeffrey Goldberg (Feb 16)
- <Possible follow-ups>
- Re: SSH probe attack afoot? Joe Egloff (Feb 07)
  - Re: SSH probe attack afoot? naverxp (Feb 08)
    - Re: SSH probe attack afoot? Tim (Feb 08)
  - Re: SSH probe attack afoot? Frank Knobbe (Feb 08)

(Thread continues...)