[unisog] step up in SSH scanning starting today?

Nagel, Lonnie lnagel at SFCCMO.EDU
Tue May 13 12:49:12 GMT 2008


I would like to use your list as the basis for an ACL in my PIX (if it's
OK with you).  Not quite sure what to make of your 'last seen' column.
Can the digits be converted to some type of date/time stamp or similar?

* Lonnie Nagel * Network Manager * State Fair Community College *
Sungard Higher Education Managed Services * 3201 W 16th Street *
* Sedalia, MO  65301 * 660-596-7314 * lnagel at sfccmo.edu *
www.sungardhe.com *
CONFIDENTIALITY: This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of John Ives
Sent: Monday, May 12, 2008 6:51 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] step up in SSH scanning starting today?

In the last two weeks we have had 666 (not joking about the number) IP 
addresses invloved in SSH or FTP bruteforce attacks, with less than 20 
of those IP addresses being FTP.  We keep and publish a running list of 
IP addresses along with the last time they were seen attacking the 
campus.  The IPs are derived from both IDS sensors and honeypots and 
uses OSSEC to create a backend list of IP addresses.  While my coding is

not the most elegant, it has worked well in dropping the numbers of hack

attempts to my personal machine. there is a KB article outlining the 
basic premise and at 



Tom Perrine wrote:
> Anyone else see a significant rise in SSH dictionary attacks,
> from .KR?
> A friend at a local ISP (CA.US) reported this morning that they
> see 1-3 scans per day, but had 10 concurrent sweeps this morning with 
> more sources popping up at about 1 new per hour.  Most sources in
> and KR, IIRC.
> Another site (UK) reported a similar but not quite as aggressive set
> new sweeps, all theirs from .KR IP space.
> I'm not seeing it here.
> What's the consensus?  Isolated or major ramp-up?
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

John Ives                                           Phone (510) 642-7773
System & Network Security			     Cell (510) 229-8676
University of California, Berkeley

unisog mailing list
unisog at lists.dshield.org

More information about the unisog mailing list