NetBSD-Users archive


Re: ssh scans



On Mon, Oct 26, 2009 at 2:42 PM, David Wetzel <dave%turbocat.de@localhost> 
wrote:
> Hi,
>
> I am seeing a lot of ssh scans and I am wondering if somebody has a solution
> like adding the bad hosts temporarily to pf.conf or so?

Check out pf.conf's man page . . . specifically, the "Stateful
Tracking Options" section. You can populate a table of "bad" addresses
in terms of connection rate (as well as for other things).

>
>
> see for yourself:
>
> cat /var/log/authlog | grep -i failed | grep user | sed "s/.*from\ //g" |
> sed "s/ port .*//g" | sort | uniq -c
>
> David
>
>

