[TriLUG] SSH Probing...

JoJo Almario jalmario at intrah.org
Wed Mar 13 09:27:12 EST 2002


I have already had an ssh attack on one of my servers.  What are you
using to spot this? How can I prevent ssh attacks besides turning off
protocol 1 and disallowing root logon for ssh?

JoJo

-----Original Message-----
From: trilug-admin at trilug.org [mailto:trilug-admin at trilug.org] On Behalf
Of Steve
Sent: Wednesday, March 13, 2002 8:27 AM
To: trilug at trilug.org
Subject: [TriLUG] SSH Probing...

Don't know if any of you have noticed this or not, but over the last few
months I have started to get hackers probing my SSH port on my Linux box
on my cable modem.  There must be some kind of SSH exploit that they are
looking for..

Mar 12 01:34:00 linux sshd[26174]: scanned from 208.63.48.13 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Mar 12 01:34:01 linux sshd[26173]: Did not receive identification string from 208.63.48.13.
Mar 12 02:16:49 linux sshd[26231]: Did not receive identification string from 63.96.15.7.
Mar 12 04:58:45 linux sshd[26772]: scanned from 212.180.37.138 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Mar 12 04:58:45 linux sshd[26771]: Did not receive identification string from 212.180.37.138.

I'm going to start making a list of the IPs and denying any incoming
traffic from them.  Although I doubt that this will help much....

(I'm still getting lots of "Code Red" probes, but that doesn't bother
Apache...)

-- 
Steve Kuekes

Private Pilot: N9259R '95 Saratoga based at Sanford-Lee County Regional (TTA)
email: skuekes at nc.rr.com
_______________________________________________
TriLUG mailing list
    http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ:
    http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
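
Added example, not part of the original thread: one way to spot the probes in the log excerpt above and build the per-IP list Steve mentions, including entries that a mail client or pager has wrapped across lines. The function names are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Log entries copied from the post above, one entry per line.
SAMPLE_LOG = """\
Mar 12 01:34:00 linux sshd[26174]: scanned from 208.63.48.13 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Mar 12 01:34:01 linux sshd[26173]: Did not receive identification string from 208.63.48.13.
Mar 12 02:16:49 linux sshd[26231]: Did not receive identification string from 63.96.15.7.
Mar 12 04:58:45 linux sshd[26772]: scanned from 212.180.37.138 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Mar 12 04:58:45 linux sshd[26771]: Did not receive identification string from 212.180.37.138.
"""

# A syslog entry starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    "scanner_banner": re.compile(r"sshd\[\d+\]: scanned from " + IP + r" with (\S+)"),
    "no_ident": re.compile(r"sshd\[\d+\]: Did not receive identification string from " + IP),
}

def unwrap(text):
    """Rejoin entries that were hard-wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Map source IP -> event count and the client banners it presented."""
    hits = defaultdict(lambda: {"events": 0, "banners": set()})
    for entry in unwrap(text):
        for kind, rx in PATTERNS.items():
            m = rx.search(entry)
            if m:
                rec = hits[m.group(1)]
                rec["events"] += 1
                if kind == "scanner_banner":
                    # The banner is client-supplied text: treat it as untrusted.
                    rec["banners"].add(m.group(2).rstrip("."))
    return dict(hits)

if __name__ == "__main__":
    for ip, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, rec["events"], sorted(rec["banners"]))
```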



