[nsp-sec] Sudden jump in ssh slow-scan activity
Steven C. Neighorn
neighorn at scnresearch.com
Mon Jan 18 13:29:09 EST 2010
[In the message entitled "[nsp-sec] Sudden jump in ssh slow-scan activity", on Mon, 18 Jan 2010, Kevin Oberman wrote:]
> After a long quiet period, either because there were no attempts or
> because all of the bots involved had been blocked at our edge, we
> started seeing a very heavy attack on our systems on Saturday. We have
> seen the probes from over 2000 source IPs (all reported to Cymru for
> daily reports). While the number of attempts for most user names is
> small, usually between 5 and 10, 'root' gets hundreds of attempts, none
> of which will ever work since we don't allow ssh to root (nor does
> OpenSSH, by default).
>
> I assume that we are not alone in being subject to these attacks. Are
> others seeing them?
Ditto here. I am seeing the same methods used against 20+ networks
I am monitoring in Oregon, Washington, and Alaska. There was a major
uptick in attempts starting on Saturday. SSH probing is constant of
course, but this is an escalation of knob turning. An example from
one tiny server in Salem, Oregon this morning:
Jan 18 08:42:40 sshd[11587]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11583]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11585]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11589]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 09:27:58 sshd[26964]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:58 sshd[26966]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:58 sshd[26968]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:59 sshd[26974]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
>$ host 74.55.233.74
74.233.55.74.in-addr.arpa domain name pointer 4a.e9.374a.static.theplanet.com.
>$ host 209.151.242.178
178.242.151.209.in-addr.arpa domain name pointer mail.afi.com.
--
Steven C. Neighorn   neighorn at scnresearch.com   http://www.scnresearch.com
SCN Research, Inc.
9120 N.W. Wiley Lane
Portland, Oregon 97229-8067   Voice: +1(503) 297-3039   Fax: +1(503) 297-3726
"Where we train the Star Fighters who defend the frontier against Xur and the Ko-dan Armada."
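The log excerpt above shows the pattern worth alerting on: several sshd processes denied by tcp wrappers from one source address within a second or two, which is what a parallel brute-force probe looks like before it ever reaches authentication. The following script is an added example, not code from the original post or the list; it parses the Solaris-style `sshd[pid]: ... Denied connection from <ip> by tcp wrappers.` lines, groups denials per source IP, and flags any source that produces a burst within a sliding time window. The sample input is copied from the message, the year 2010 is assumed from the headers, and the window and threshold values are assumptions to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the tcp-wrappers denial lines quoted in the post (year assumed 2010).
SAMPLE_LOG = """\
Jan 18 08:42:40 sshd[11587]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11583]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11585]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 08:42:40 sshd[11589]: [ID 702911 auth.warning] WARNING: Denied connection from 74.55.233.74 by tcp wrappers.
Jan 18 09:27:58 sshd[26964]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:58 sshd[26966]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:58 sshd[26968]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
Jan 18 09:27:59 sshd[26974]: [ID 702911 auth.warning] WARNING: Denied connection from 209.151.242.178 by tcp wrappers.
"""

# Matches the syslog timestamp, the sshd pid and the denied source address.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+'
    r'sshd\[(?P<pid>\d+)\]:.*Denied connection from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) by tcp wrappers\.$'
)


def parse_denials(text, year=2010):
    """Return a list of (timestamp, pid, source_ip) tuples, one per denial line.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2010 here).
    Lines that do not match the denial format are ignored.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the double space syslog uses for single-digit days.
        stamp = re.sub(r'\s+', ' ', m.group('ts'))
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group('pid')), m.group('ip')))
    return events


def find_bursts(events, window_seconds=2, threshold=4):
    """Flag source IPs with >= threshold denials inside any window_seconds span.

    Returns a dict mapping source_ip -> largest number of denials seen in one
    window, for the flagged sources only. Window and threshold are assumptions.
    """
    by_ip = defaultdict(list)
    for ts, _pid, ip in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def report(text, **kwargs):
    """Convenience wrapper: parse, detect, and return flagged IPs sorted by burst size."""
    flagged = find_bursts(parse_denials(text), **kwargs)
    return sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, count in report(SAMPLE_LOG):
        print(f"{ip}: {count} denials within a 2s window")
```

Run against the quoted excerpt, both source addresses are flagged with four denials each. Feeding the same function a day's worth of `auth.warning` lines gives a per-source list suitable for reporting, which is the same shape of data the thread describes submitting to Cymru.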