nanog mailing list archives

Re: Constant low-level attack


From: TR Shaw <tshaw () oitc com>
Date: Thu, 28 Jun 2012 17:52:36 -0400


On Jun 28, 2012, at 4:31 PM, Lou Katz wrote:

The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines
of the form:

     Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159

In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe.
I doubt if this is a surprise to anyone - my question is twofold:

1. Does anyone want this ever-growing list of, I assume, compromised machines?
2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have
   done that and do see a certain amount of repeat hits.

Just a note that if you were running fail2ban.org you would get automatic updates of your firewall and share the IPs
with the community and get the advantage of the community's detections as well.
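As an added illustration of the kind of triage Lou describes (not code from either poster, and not fail2ban's own filter), the script below parses constructed auth.log lines of the "Bad protocol version identification" form, counts the distinct source addresses, separates out the repeat hitters, and produces the sorted address list one would feed into a firewall reject table. The sample lines and the documentation-range IPs (192.0.2.x, 198.51.100.x, 203.0.113.x) are constructed for the example; the regular expression assumes the stock OpenSSH wording shown in the quoted log line.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not from the original post). The
# '\200F\001\003\001' identification string is what sshd logs for an
# SSLv2-style client hello sent to the SSH port; a raw string keeps the
# backslashes literal, as they appear in the log file.
SAMPLE_LOG = r"""
Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:14:02 localhost sshd[12660]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Jun 28 13:15:11 localhost sshd[12671]: Bad protocol version identification '\200F\001\003\001' from 203.0.113.5
Jun 28 13:16:40 localhost sshd[12688]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:17:03 localhost sshd[12690]: Did not receive identification string from 203.0.113.9
""".strip()

# Matches the stock OpenSSH message; captures the offered identification
# string and the IPv4 source address. Assumes the syslog layout shown above.
BAD_PROTO = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification "
    r"'(?P<ident>[^']*)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def probe_ips(lines):
    """Return a Counter mapping source IP -> number of bad-protocol probes."""
    hits = Counter()
    for line in lines:
        m = BAD_PROTO.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def summarize(hits):
    """Unique sources, total probes, and the sources seen more than once."""
    return {
        "unique_sources": len(hits),
        "total_probes": sum(hits.values()),
        "repeat_hits": {ip: n for ip, n in hits.items() if n > 1},
    }


def reject_list(hits, min_hits=1):
    """Sorted addresses with at least min_hits probes, for a firewall reject table."""
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def main():
    hits = probe_ips(SAMPLE_LOG.splitlines())
    summary = summarize(hits)
    print(f"unique probe sources: {summary['unique_sources']}")
    print(f"total probes:         {summary['total_probes']}")
    for ip, n in summary["repeat_hits"].items():
        print(f"repeat hitter:        {ip} ({n} probes)")
    print("reject table:         " + ", ".join(reject_list(hits)))


if __name__ == "__main__":
    main()
```

On a live system the same functions can be pointed at the real file (`probe_ips(open('/var/log/auth.log'))`); the "Accepted publickey" and "Did not receive identification string" lines are deliberately included in the sample to show that only the bad-protocol probes are counted.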


