[unisog] step up in SSH scanning starting today?
Nagel, Lonnie
lnagel at SFCCMO.EDU
Tue May 13 12:49:12 GMT 2008
John,
I would like to use your list as the basis for an ACL in my PIX (if it's
OK with you). Not quite sure what to make of your 'last seen' column.
Can the digits be converted to some type of date/time stamp or similar?
* Lonnie Nagel * Network Manager * State Fair Community College *
Sungard Higher Education Managed Services * 3201 W 16th Street *
* Sedalia, MO 65301 * 660-596-7314 * lnagel at sfccmo.edu *
www.sungardhe.com *
CONFIDENTIALITY: This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of John Ives
Sent: Monday, May 12, 2008 6:51 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] step up in SSH scanning starting today?
In the last two weeks we have had 666 (not joking about the number) IP
addresses involved in SSH or FTP brute-force attacks, with less than 20
of those IP addresses being FTP. We keep and publish a running list of
IP addresses along with the last time they were seen attacking the
campus. The IPs are derived from both IDS sensors and honeypots, and
OSSEC is used to create a backend list of IP addresses. While my coding is
not the most elegant, it has worked well in dropping the number of hack
attempts to my personal machine. There is a KB article outlining the
basic premise at
https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2385&categoryID=48.
Yours,
John
Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks, especially
> from .KR?
>
> A friend at a local ISP (CA.US) reported this morning that they usually
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with
> more sources popping up at about 1 new per hour. Most sources in China
> and KR, IIRC.
>
> Another site (UK) reported a similar but not quite as aggressive set of
> new sweeps, all theirs from .KR IP space.
>
> I'm not seeing it here.
>
> What's the consensus? Isolated or major ramp-up?
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
>
--
-------------------------------------------------------------------------
John Ives Phone (510) 642-7773
System & Network Security Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
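The thread describes a published list of attacking IPs with a 'last seen' column, and Lonnie asks about turning it into a PIX ACL. The script below is an added example (not code from the Berkeley KB article, OSSEC, or either poster) showing how a consumer of such a list might parse it, drop entries that are stale, and emit PIX access-list lines. It assumes, since the thread does not say, that each row is "<ip> <last_seen>" with last_seen as a Unix epoch in seconds; the sample list, the ACL name `ssh-brute` and the 14-day expiry are constructed for illustration.

```python
"""Turn a published 'IP / last seen' block list into PIX access-list lines.

Added example; the real list format from the thread is not stated, so this
ASSUMES rows of "<ip> <last_seen>" with last_seen as Unix epoch seconds.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample of what such a published list might look like.
SAMPLE_LIST = """\
# ip last_seen
192.0.2.10 1210625460
198.51.100.7 1209900000
203.0.113.99 1207000000
not-an-ip 1210625460
"""

# Constructed reference time: Tue 13 May 2008 12:49 UTC (the reply's timestamp).
NOW = datetime(2008, 5, 13, 12, 49, tzinfo=timezone.utc)


def parse_list(text):
    """Return (ip, last_seen) pairs; comments, blanks and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # malformed row: wrong field count or non-numeric timestamp
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal
        seen = datetime.fromtimestamp(int(parts[1]), tz=timezone.utc)
        rows.append((ip, seen))
    return rows


def active_entries(text, now=NOW, max_age=timedelta(days=14)):
    """Keep only entries seen within max_age of now, so old blocks expire
    instead of accumulating forever in the firewall."""
    return [(ip, seen) for ip, seen in parse_list(text) if now - seen <= max_age]


def pix_acl(entries, acl_name="ssh-brute"):
    """Emit one 'deny ip host X any' per entry, then an explicit permit-any.
    Sort by (version, address) so IPv4 and IPv6 never get compared directly."""
    ordered = sorted(entries, key=lambda e: (e[0].version, e[0]))
    lines = [f"access-list {acl_name} deny ip host {ip} any" for ip, _ in ordered]
    lines.append(f"access-list {acl_name} permit ip any any")
    return lines


def build_acl(text=SAMPLE_LIST, now=NOW):
    """Full pipeline: parse, expire stale entries, render ACL lines."""
    return pix_acl(active_entries(text, now))


if __name__ == "__main__":
    for line in build_acl():
        print(line)
```

Expiring on 'last seen' matters because a published block list grows without bound otherwise; the ACL here only carries hosts seen in the last two weeks, and the trailing permit-any keeps the ACL from implicitly denying all other traffic when it is applied.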