Re: ssh scans

To: David Wetzel <dave%turbocat.de@localhost>
Subject: Re: ssh scans
From: Andy Ruhl <acruhl%gmail.com@localhost>
Date: Mon, 26 Oct 2009 12:46:20 -0700

On Mon, Oct 26, 2009 at 12:42 PM, David Wetzel <dave%turbocat.de@localhost> 
wrote:
> I am seeing a lot of ssh scans and I am wondering if somebody has a solution
> like adding the bad hosts temporary to pf.conf or so?
>
>
> see for yourself:
>
> cat /var/log/authlog | grep -i failed | grep user | sed "s/.*from\ //g" |
> sed "s/ port .*//g" | sort | uniq -c

Whenever you say something like this, you should always include:

And this is why I can't just change the port to some other port number:

Because that eliminates about 99.9% of this problem. Dealing with the
other .1% is still probably worthwhile, though.

Andy

References:
- ssh scans
  - From: David Wetzel

Prev by Date: ssh scans
Next by Date: Re: ssh scans
Previous by Thread: ssh scans
Next by Thread: Re: ssh scans
Indexes:

Home | Main Index | Thread Index | Old Index