SSH Scanning
November 16, 2007
Anyone else noticing a lot of SSH scanning going on?
There just seems to be a whole bunch more lately, with most of it happening overnight. That is, 9pm – 3am EDT, 12am – 7am EDT, etc.
Now that I finally got DenyHosts working properly things seem to be a bit better. (I’d stupidly bolted on to a default hosts.allow which had an ALL : ALL : allow up near the top in the comments, which I didn’t read.)
I’m up to 650-some blocked hosts, and I’m fairly sure there will be another 10 or so today.
Yeah I see them knocking. They hopefully won’t be able to guess my DSA key, and the one user account that’s available has a randomly generated string of numbers and letters.
I have lots of user accounts, but thankfully none of them are common words / names, nor are they really ever tried.
That sort of stuff is fun.
I’m actually seeing noticeable traffic overnight from the scanning alone. It’s amazing.
I’ve turned off all outgoing connections on the router and disabled all ports on the servers, so hopefully that will keep them at bay. I got hacked a while back over an FTP server vulnerability and it was only because I was on dialup (and a machine without a compiler) which saved me from having the box rooted. Little beggars. Nothing better to do with their time (such as write some software or teach others some computing skills) eh?
They are providing you with free security audits. :)
I actually can’t just turn things off, because this box has to sit on the public internet and offer up date.
Obviously, I need to pay better attention to this sort of stuff. Thanks for sounding the horn on this one, I’ve just picked up a Pix 501 to ditch my Linksys/Vonage device (I’m dumping Vonage anyways). I was looking for a reason, and this is it. :)
It doesn’t really matter unless you have something listening on those ports, anyway. I’d imagine this doesn’t really affect most home users.
The problem I have is that I’ve got a server sitting on a very high bandwidth link, and that server needs to have ssh available so I can actually do stuff with it.
Our Linux box is listening on there. I’ve got a small scale network going on. It’s not much but I do administration from it, sometimes SFTPing something from the office to home.
I’m also forging ahead to go for my CCNP, so this was the next logical step anyways. I can use the refresher.
Check out DenyHosts. When you implement it right (which I didn’t at first) it’s pretty nice.
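Added example, not from any poster in this thread: the core of what DenyHosts does for the scanning described above is to read sshd's auth log, count failed logins per source address, and write TCP Wrappers entries of the form `sshd: <ip>` into hosts.deny. The log lines below are constructed samples in the classic syslog format sshd writes; the threshold values, the `allow_list` parameter and the function names are assumptions for illustration, and the hosts.deny line format is the one DenyHosts is believed to emit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (documentation-range IPs), not real traffic.
# Note the standalone "Invalid user" line: sshd also logs a matching
# "Failed password for invalid user ..." line for the same attempt, so only
# the "Failed password" lines are counted to avoid double counting.
SAMPLE_LOG = """\
Nov 16 01:02:11 box sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 16 01:02:14 box sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Nov 16 01:02:19 box sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Nov 16 01:02:23 box sshd[4105]: Failed password for root from 203.0.113.7 port 40141 ssh2
Nov 16 01:02:30 box sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Nov 16 01:02:36 box sshd[4109]: Invalid user guest from 203.0.113.7
Nov 16 01:09:02 box sshd[4120]: Failed password for root from 198.51.100.23 port 3345 ssh2
Nov 16 01:09:05 box sshd[4120]: Failed password for root from 198.51.100.23 port 3345 ssh2
Nov 16 02:15:40 box sshd[4188]: Failed password for jsmith from 192.0.2.10 port 55011 ssh2
Nov 16 02:15:47 box sshd[4188]: Accepted publickey for jsmith from 192.0.2.10 port 55011 ssh2
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IP + r" port \d+"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from " + IP)


def summarize(log_text):
    """Return (failures per IP, distinct usernames tried per IP, IPs with a successful login)."""
    failures = Counter()
    users = defaultdict(set)
    accepted = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.add(m["ip"])
    return failures, users, accepted


def hosts_to_deny(log_text, threshold=5, user_spray=3, allow_list=()):
    """Pick source IPs to block: too many failures, or a spray of distinct usernames.

    allow_list models an admin whitelist; a single mistyped broad allow rule
    (as in the hosts.allow story above) would exempt everyone, so keep it short
    and explicit. Thresholds are illustrative assumptions.
    """
    failures, users, _accepted = summarize(log_text)
    deny = []
    for ip, count in failures.most_common():
        if ip in allow_list:
            continue
        if count >= threshold or len(users[ip]) >= user_spray:
            deny.append(ip)
    return deny


def hosts_deny_lines(ips):
    """TCP Wrappers hosts.deny entries restricting only the sshd service."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

Two points worth noting from the thread: TCP Wrappers consults hosts.allow before hosts.deny, so any broad allow entry there silently overrides every address DenyHosts appends to hosts.deny, which is exactly why the blocking "didn't work" until the allow file was fixed; and a host that tries several distinct usernames is worth blocking even below the raw failure threshold, since that pattern is characteristic of the dictionary scans being discussed.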
I’ll do that. :) Thank you for the heads up. I’ve only been toying around with Linux since about February 22nd, the day I ran over some Indian lady’s Grand Marquis.
It was bound to happen.