[unisog] step up in SSH scanning starting today?

John Ives jives at security.berkeley.edu
Wed May 14 16:08:01 GMT 2008

Nagel, Lonnie wrote:
> John,
> I would like to use your list as the basis for an ACL in my PIX (if it's
> OK with you).  Not quite sure what to make of your 'last seen' column.
> Can the digits be converted to some type of date/time stamp or similar?
The last seen column is the last time an attacker was seen from that 
host in UNIX epoch time (http://en.wikipedia.org/wiki/Unix_time).

While I like the idea of people using this concept as the basis for 
building firewall rules (in fact, that is what it was designed for), I 
can't say that it will do you much good.  This list is a list of IPs 
attacking my campus and may be different than the IPs attacking your 
campus.  Unless your IP space is reasonably close to ours, which it 
doesn't look like it is, you might never see these attackers, and you're 
even less likely to if the attacks are targeted.  I would start out by first 
determining if there is enough overlap to make it worth pursuing 
further.  I would do this by comparing the IP addresses on my list to 
your PIX logs and seeing if there is any significant overlap.  If there is, 
then feel free to use our list to your heart's content, but if there 
isn't then you might just be adding load to your firewall without any 
payoff.  If you have an IDS solution in place that can detect scanners, 
I can give you the backend code I have written for producing that list.  
This would give you a localized version of our list.



> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of John Ives
> Sent: Monday, May 12, 2008 6:51 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] step up in SSH scanning starting today?
> In the last two weeks we have had 666 (not joking about the number) IP 
> addresses involved in SSH or FTP brute-force attacks, with less than 20 
> of those IP addresses being FTP.  We keep and publish a running list of 
> IP addresses along with the last time they were seen attacking the 
> campus.  The IPs are derived from both IDS sensors and honeypots, and 
> OSSEC is used to create a backend list of IP addresses.  While my coding is
> not the most elegant, it has worked well in dropping the numbers of hack
> attempts to my personal machine.  There is a KB article outlining the 
> basic premise at 
> https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2385&categoryID=48.

John Ives                                           Phone (510) 642-7773
System & Network Security                           Cell (510) 229-8676
University of California, Berkeley
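
The overlap check John suggests above, and the epoch conversion Lonnie asked about, as an added example (editorial code, not John's OSSEC backend or anything from the Berkeley KB article). It assumes the published list is whitespace-separated "IP last_seen" lines with the last-seen value as a UNIX epoch, as described in the thread; the list entries and PIX syslog lines below are constructed sample data (modelled on the %PIX-4-106023 deny and %PIX-6-302013 connection message formats), and the interface name "outside" and ACL name "outside_in" are assumptions. Only the attacker IPs that actually appear in your own logs within the freshness window are rendered as PIX access-list entries.

```python
"""Check how much of a published attacker list overlaps with local PIX logs
before turning the list into firewall rules. Added example; not the original
poster's code. List format and log lines are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample list in the format described in the thread: IP, then the
# last time the host was seen attacking, as a UNIX epoch. Documentation IPs only.
ATTACKER_LIST = """\
# ip             last_seen (UNIX epoch)
192.0.2.10       1210723200
198.51.100.7     1210636800
203.0.113.99     1210204800
192.0.2.200      1208000000
"""

# Constructed PIX syslog lines modelled on the 106023 (deny) and 302013
# (connection built) formats. The interface name 'outside' is an assumption.
PIX_LOG = """\
May 14 10:01:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40211 dst inside:10.0.0.5/22 by access-group "outside_in"
May 14 10:01:03 pix %PIX-6-302013: Built inbound TCP connection 778 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/22 (10.0.0.5/22)
May 14 10:02:00 pix %PIX-4-106023: Deny tcp src outside:192.0.2.77/40300 dst inside:10.0.0.5/22 by access-group "outside_in"
May 14 10:02:30 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/40212 dst inside:10.0.0.6/22 by access-group "outside_in"
"""

# Source address on the outside interface: 'outside:A.B.C.D/port' in both message types.
OUTSIDE_SRC = re.compile(r"\boutside:(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def epoch_to_utc(epoch):
    """Convert a UNIX epoch value (the 'last seen' column) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


def parse_attacker_list(text):
    """Return {ip: last_seen (UTC datetime)} from 'ip epoch' lines, skipping comments."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, epoch = line.split()[:2]
        seen[ip] = epoch_to_utc(epoch)
    return seen


def pix_source_ips(log_text):
    """Return the set of source IPs the PIX logged on its outside interface."""
    return {m.group(1) for m in map(OUTSIDE_SRC.search, log_text.splitlines()) if m}


def overlap_report(attackers, local_ips, now, max_age_days=14):
    """Intersect the still-fresh part of the list with what the PIX actually logged."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = {ip for ip, ts in attackers.items() if ts >= cutoff}
    common = fresh & local_ips
    return {
        "list_total": len(attackers),
        "list_fresh": len(fresh),
        "local_total": len(local_ips),
        "overlap": sorted(common),
        "overlap_fraction_of_local": len(common) / len(local_ips) if local_ips else 0.0,
    }


def pix_acl_lines(ips, acl_name="outside_in"):
    """Render deny entries in PIX access-list syntax for the IPs worth blocking."""
    return [f"access-list {acl_name} deny ip host {ip} any" for ip in sorted(ips)]


def check_overlap(list_text, log_text, now_epoch, max_age_days=14):
    """End-to-end check; 'now' is passed in as an epoch so results are reproducible."""
    attackers = parse_attacker_list(list_text)
    report = overlap_report(attackers, pix_source_ips(log_text),
                            epoch_to_utc(now_epoch), max_age_days)
    report["acl"] = pix_acl_lines(report["overlap"])
    return report


if __name__ == "__main__":
    # 1210781280 is 2008-05-14 16:08 UTC, the date of the message above.
    result = check_overlap(ATTACKER_LIST, PIX_LOG, 1210781280)
    for ip, ts in parse_attacker_list(ATTACKER_LIST).items():
        print(f"{ip:16} last seen {ts:%Y-%m-%d %H:%M:%S} UTC")
    print(f"{len(result['overlap'])} of {result['local_total']} local source IPs "
          f"are on the list ({result['list_fresh']} fresh list entries)")
    print("\n".join(result["acl"]))
```

With the sample data, two of the three outside source IPs in the PIX log are on the list, one list entry is dropped as older than the 14-day window, and only the two confirmed overlaps become ACL lines; run the same script against a real export of your PIX logs and the live list, and if the overlap stays near zero the list is not worth the firewall load, as the message above says.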
