[nsp-sec] Sudden jump in ssh slow-scan activity

Kevin Oberman oberman at es.net
Mon Jan 18 12:38:09 EST 2010


After a long quiet period, either because there were no attempts or
because all of the bots involved had been blocked at our edge, we
started seeing a very heavy attack on our systems on Saturday. We have
seen the probes from over 2000 source IPs (all reported to Cymru for
daily reports). While the number of attempts for most user names is
small, usually between 5 and 10, 'root' gets hundreds of attempts, none
of which will ever work since we don't allow ssh to root (nor does
OpenSSH, by default).

I assume that we are not alone in being subject to these attacks. Are
others seeing them?
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
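
The pattern reported in the message above (many source IPs, each making only a few attempts per user name) stays under per-source thresholds, so this added example, which is not part of the original post, aggregates failed sshd logins by user name across sources instead. The log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH sshd syslog format; addresses come from the
# documentation ranges (RFC 5737) and the user names are made up.
_ATTEMPTS = [
    ("root", "192.0.2.10"), ("root", "192.0.2.11"), ("root", "198.51.100.7"),
    ("root", "203.0.113.5"), ("root", "203.0.113.9"), ("root", "192.0.2.10"),
    ("invalid user admin", "192.0.2.11"), ("invalid user admin", "198.51.100.7"),
    ("invalid user admin", "203.0.113.9"),
    ("invalid user oracle", "198.51.100.200"),
    ("invalid user oracle", "198.51.100.200"),
    ("invalid user oracle", "198.51.100.200"),
]
SAMPLE_LOG = "\n".join(
    f"Jan 16 03:{i:02d}:01 host sshd[{4100 + i}]: Failed password for {who} "
    f"from {ip} port {40000 + i} ssh2"
    for i, (who, ip) in enumerate(_ATTEMPTS)
) + ("\nJan 16 04:00:00 host sshd[4200]: Accepted publickey for alice "
     "from 192.0.2.50 port 50000 ssh2")

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def failures_by_user(log_text):
    """Map user name -> {source IP -> number of failed password attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            table[m["user"]][m["ip"]] += 1
    return table

def distributed_targets(log_text, min_sources=3, max_per_source=2):
    """User names probed from many sources that each stay under a per-source limit.

    Returns {user: (total attempts, distinct sources)}.
    """
    flagged = {}
    for user, ips in failures_by_user(log_text).items():
        if len(ips) >= min_sources and max(ips.values()) <= max_per_source:
            flagged[user] = (sum(ips.values()), len(ips))
    return flagged

if __name__ == "__main__":
    for user, (total, nsrc) in sorted(distributed_targets(SAMPLE_LOG).items()):
        print(f"{user}: {total} failures from {nsrc} sources")
```

The single noisy source hitting 'oracle' is left to an ordinary per-source limit; only names probed from several quiet sources are reported here.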


