Security Incidents: Re: Weird SSH attack last night and this morning (still ongoing)

[Robert Taylor <rjamestaylor () gmail com>]

It's extremely common to have these scans.

http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_with_pam_abl

That's a link to my blog. I'm a Linux System Admin at a major hosting  
company; this is something I see nightly. Usually, though, I see hits  
on the order of thousands per hour before I get worried.

On May 7, 2008, at 7:27 AM, Gary Baribault wrote:

> I don't know what is going on last night and this morning ... I have  
> three Linux servers facing the Internet, two on cable modems and  
> another on a static IP/commercial connection and this last one is a  
> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
> I have DenyHosts installed on all three and have blocked about 75  
> attempts ..  from known compromised adresses .. The log shows  
> (obviously) that there where even more attempts from adresses that  
> are unknown to DenyHosts but there was only one login attemps per  
> adress and it was with the Root account .. which is obviously  
> blocked in my sshd config ..
> Of the three machines, one of them only had about 10 attempts, but  
> the other two had about 200 attempts .. all of them with only 1 try  
> with the user Root ..
> Is any one else seing this? or am I being targeted? This is still  
> going on now .. and it started arround 10:00 last night GMT+4
> --
> Gary Baribault
> Courriel: gary () baribault net
> GPG Key: 0x4346F013
> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013