[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Constant low-level attack

Subject: Constant low-level attack
From: denys at visp.net.lb (Denys Fedoryshchenko)
Date: Fri, 29 Jun 2012 00:53:56 +0300
In-reply-to: <[email protected]>
References: <[email protected]>

On 2012-06-28 23:31, Lou Katz wrote:
> The other day, I looked carefully at my auth.log (Xubuntu 11.04) and
> discovered many lines
> of the form:
>
>       Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version
> identification '\200F\001\003\001' from 94.252.177.159
>
> In the past day, I have recorded about 20,000 unique IP addresses
> used for this type of probe.
> I doubt if this is a surprise to anyone - my question is twofold:
>
> 1. Does anyone want this evergrowing list of, I assume, compromised 
> machines?
> 2. Is there anything useful to do with this info other than put the
> IP addresses into a firewall reject table? I have done
>    that and do see a certain amount of repeat hits.
>
> -=[L]=-
You can use fail2ban to block bruteforcing hosts automatically and even 
report to your mail their whois info
http://www.fail2ban.org/

---
Denys Fedoryshchenko, Network Engineer, Virtual ISP S.A.L.

References:
- Constant low-level attack
  - From: lou at metron.com (Lou Katz)

Prev by Date: Constant low-level attack
Next by Date: technical contact at ATT Wireless
Previous by thread: Constant low-level attack
Next by thread: Constant low-level attack
Index(es):
- Date
- Thread