[154217] in North American Network Operators' Group


Constant low-level attack

daemon@ATHENA.MIT.EDU (Lou Katz)
Thu Jun 28 16:32:57 2012

Date: Thu, 28 Jun 2012 13:31:56 -0700
From: Lou Katz <lou@metron.com>
To: NANOG <nanog@nanog.org>
Mail-Followup-To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines
of the form:

      Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159

In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe.
I doubt if this is a surprise to anyone - my question is twofold:

1. Does anyone want this ever-growing list of, I assume, compromised machines?
2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have done that and do see a certain amount of repeat hits.

-=[L]=-
-- 
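The bytes in the quoted line, `\200F\001\003\001`, are the header of an SSLv2-compatible TLS ClientHello (0x80 | length, length 0x46, message type 1 = CLIENT-HELLO, version 0x0301): a client speaking TLS to port 22, which sshd rejects before any authentication happens. The following script is an added example, not code from the post or from NANOG: it parses auth.log lines of that shape, decodes the octal escapes sshd writes, labels the probe type, and counts unique and repeat source addresses, which is the bookkeeping the questions above are about. The sample log lines are constructed here using documentation address ranges; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (documentation IP ranges, not real sources).
# The "Bad protocol version identification" lines follow the format sshd uses.
SAMPLE_AUTH_LOG = r"""
Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:14:02 localhost sshd[12660]: Bad protocol version identification '\200F\001\003\001' from 198.51.100.7
Jun 28 13:14:30 localhost sshd[12671]: Accepted publickey for lou from 203.0.113.5 port 51022 ssh2
Jun 28 13:15:11 localhost sshd[12680]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7
Jun 28 13:16:45 localhost sshd[12699]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:17:20 localhost sshd[12704]: Bad protocol version identification '\026\003\001' from 203.0.113.44
""".strip()

# One regex for the line shape sshd logs; the banner is quoted, the source IP ends the line.
PROBE_RE = re.compile(
    r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>.*?)' from (?P<ip>\S+)$"
)


def extract_probes(log_text: str) -> list[tuple[str, str]]:
    """Return (source_ip, banner) for every bad-version line in the log text."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            probes.append((m.group("ip"), m.group("banner")))
    return probes


def decode_banner(banner: str) -> bytes:
    """Turn sshd's escaped banner text (\\200, \\001, ...) back into raw bytes."""
    try:
        return banner.encode("latin-1").decode("unicode_escape").encode("latin-1")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return banner.encode("latin-1", "replace")


def classify_banner(banner: str) -> str:
    """Label what the client actually sent to port 22 instead of an SSH banner."""
    raw = decode_banner(banner)
    # SSLv2-format record: high bit set on the first length byte, then msg type 1.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        version = (raw[3] << 8) | raw[4]
        return f"SSLv2-style TLS ClientHello (version 0x{version:04x}, record length {length})"
    # TLS record layer: content type 0x16 (handshake), major version 3.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "TLS record-layer handshake"
    if re.match(rb"^(GET|POST|HEAD|OPTIONS|CONNECT) ", raw):
        return "HTTP request"
    return "unrecognised"


def summarize(log_text: str) -> dict:
    """Count probes per source, flag repeat sources, and tally probe types."""
    probes = extract_probes(log_text)
    per_ip = Counter(ip for ip, _ in probes)
    return {
        "probe_lines": len(probes),
        "unique_sources": len(per_ip),
        "hits_per_source": dict(per_ip),
        "repeat_sources": {ip: n for ip, n in per_ip.items() if n > 1},
        "banner_types": dict(Counter(classify_banner(b) for _, b in probes)),
    }


def new_sources(known: set[str], log_text: str) -> set[str]:
    """Sources seen in this log text that were not in the previously recorded set."""
    return {ip for ip, _ in extract_probes(log_text)} - known


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
    print("new since last run:", sorted(new_sources({"192.0.2.10"}, SAMPLE_AUTH_LOG)))
```

Run against a real auth.log by passing the file contents to `summarize`; the `repeat_sources` entry is the cheap way to measure how much a reject table is actually saving, and `new_sources` keeps a growing list without re-counting addresses already recorded.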

