[154219] in North American Network Operators' Group
Re: Constant low-level attack
daemon@ATHENA.MIT.EDU (TR Shaw)
Thu Jun 28 17:53:23 2012
From: TR Shaw <tshaw@oitc.com>
In-Reply-To: <20120628203156.GA29870@metron.com>
Date: Thu, 28 Jun 2012 17:52:36 -0400
To: Lou Katz <lou@metron.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 28, 2012, at 4:31 PM, Lou Katz wrote:
> The other day, I looked carefully at my auth.log (Xubuntu 11.04) and discovered many lines
> of the form:
>
> Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 94.252.177.159
>
> In the past day, I have recorded about 20,000 unique IP addresses used for this type of probe.
> I doubt if this is a surprise to anyone - my question is twofold:
>
> 1. Does anyone want this ever-growing list of, I assume, compromised machines?
> 2. Is there anything useful to do with this info other than put the IP addresses into a firewall reject table? I have done
> that and do see a certain amount of repeat hits.
Just a note that if you were running fail2ban.org you would get automatic updates of your firewall and share the IPs with the community and get the advantage of the community's detections as well.
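Added example, not part of the thread and not fail2ban's own code: a small Python script that does what the two posts describe by hand. It matches sshd "Bad protocol version identification" lines in auth.log, counts distinct source addresses, applies a fail2ban-style maxretry/findtime threshold (the names are borrowed from fail2ban's jail settings, the logic here is my own re-implementation), and emits firewall reject rules for the addresses that cross it. The log lines, addresses (RFC 5737 test ranges) and the log year are constructed for the example; only the line shape follows the one quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth.log. Only the line format follows the quoted post;
# the addresses, PIDs and times are made up (test ranges 192.0.2.0/24 etc.).
# A raw string keeps sshd's escaped bytes ('\200F\001...') as literal text.
SAMPLE_AUTH_LOG = r"""
Jun 28 13:13:54 localhost sshd[12654]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:14:02 localhost sshd[12660]: Bad protocol version identification 'GET / HTTP/1.1' from 198.51.100.7
Jun 28 13:14:30 localhost sshd[12671]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:15:01 localhost CRON[12680]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 28 13:16:12 localhost sshd[12690]: Bad protocol version identification '\200F\001\003\001' from 192.0.2.10
Jun 28 13:17:45 localhost sshd[12702]: Bad protocol version identification '' from 203.0.113.5
"""

# Syslog timestamps carry no year; 2012 is assumed here to match the thread's date.
LOG_YEAR = 2012

# Anchored on the sshd process and the exact message so unrelated auth.log
# entries (CRON, sudo, successful logins) never count as a hit.
BAD_VERSION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Bad protocol version identification '(?P<ident>.*)' from (?P<ip>\S+)\s*$"
)


def parse_bad_version_lines(text):
    """Return a list of (timestamp, source_ip, identification_string) for matching lines."""
    events = []
    for line in text.splitlines():
        m = BAD_VERSION_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space syslog uses for days < 10
        ts = datetime.strptime(f"{stamp} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        events.append((ts, m["ip"], m["ident"]))
    return events


def unique_sources(text):
    """The set of distinct addresses seen, i.e. the figure the original post counted by hand."""
    return {ip for _, ip, _ in parse_bad_version_lines(text)}


def count_by_ip(text):
    """Hits per source address, so repeat offenders stand out from one-shot scanners."""
    counts = defaultdict(int)
    for _, ip, _ in parse_bad_version_lines(text):
        counts[ip] += 1
    return dict(counts)


def candidates_for_ban(text, maxretry=3, findtime=600):
    """Addresses with at least `maxretry` hits inside some `findtime`-second window.

    This mirrors how a fail2ban jail decides to ban (re-implemented here, not
    fail2ban's code): a sliding window over each address's sorted timestamps.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_bad_version_lines(text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                banned.append(ip)
                break
    return sorted(banned)


def reject_rules(ips):
    """Render the 'firewall reject table' the post mentions as iptables commands (not executed here)."""
    return [f"iptables -A INPUT -s {ip} -j REJECT" for ip in ips]


if __name__ == "__main__":
    print("distinct sources:", len(unique_sources(SAMPLE_AUTH_LOG)))
    for ip, n in sorted(count_by_ip(SAMPLE_AUTH_LOG).items()):
        print(f"{ip:16} {n} hits")
    for rule in reject_rules(candidates_for_ban(SAMPLE_AUTH_LOG)):
        print(rule)
```

Run against a real auth.log by replacing SAMPLE_AUTH_LOG with the file's contents. The findtime window is what keeps a single mistyped connection from earning a ban, while a source that sends the same bad banner three times in ten minutes, as the repeat hits in the post do, crosses the threshold; tighten findtime to 60 and the constructed repeat offender is no longer banned because its hits are spread over 138 seconds.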