On Wed, May 6, 2009 at 15:50, Rich Shepard <[email protected]> wrote:
> On Wed, 6 May 2009, chris (fool) mccraw wrote:
>
>> i rolled this out after i got tired of playing whack-a-mole and to my
>> delight discovered that no scanner in the past 8 months (since i rolled it
>> out) continues to scan more than a handful of times after the connection
>> is refused.
>
> On the advice of many, I installed denyhosts here and it works like a
> charm. However, I still see dozens to hundreds of attempts from the same IP
> address to ssh in and even more trying brute force attacks to find a valid
> username.
interesting! i get scanned several times a day and have yet to see one that keeps going after a few "connection refused"s. i figured there were no more than a couple of types of scanners (seemed likely there are at least that many--one tries a lot of passwords per connection and one only tries one; one cycles through a list of account names from a-z and another just tries root@ a lot, etc).

the most infuriating for me now are some occasional "distributed" scans--no more than one connection attempt per IP, runs at a trickle-flow instead of mass-blast. those foil denyhosts like a slow knife foils a shield from Herbert's _Dune_. they worry me a lot more because it seems like an extra level of sophistication to have your botnet scan me!

if only i could get denyhosts to parse proftpd logs, because those scans still carry on for hours unless i happen to flip past the syslog window while they're in progress.
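The slow, one-attempt-per-IP scans described in the post are exactly what a per-IP tool like denyhosts cannot see. The following is an added example, not code from the thread or from denyhosts: it parses constructed sshd `auth.log` lines and, besides the usual per-IP count, flags a time window in which many distinct IPs each fail only once. The sample lines, hostnames, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sshd auth.log excerpt: one noisy host (203.0.113.5), then a slow
# "distributed" scan, one attempt per IP, of the kind per-IP blocking never sees.
SAMPLE_LOG = """\
May  6 15:50:01 gw sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
May  6 15:50:02 gw sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  6 15:50:03 gw sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
May  6 16:10:00 gw sshd[2001]: Failed password for root from 198.51.100.1 port 5001 ssh2
May  6 16:12:00 gw sshd[2002]: Failed password for root from 198.51.100.2 port 5002 ssh2
May  6 16:14:00 gw sshd[2003]: Failed password for root from 198.51.100.3 port 5003 ssh2
May  6 16:16:00 gw sshd[2004]: Failed password for root from 198.51.100.4 port 5004 ssh2
May  6 16:18:00 gw sshd[2005]: Failed password for root from 198.51.100.5 port 5005 ssh2
May  6 16:20:00 gw sshd[2006]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(text, year=2009):
    """Return sorted (timestamp, user, ip) for each 'Failed password' line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)

def per_ip_offenders(events, threshold=3):
    """The denyhosts model: an IP becomes blockable once it alone reaches the threshold."""
    counts = Counter(ip for _, _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_scans(events, window_min=15, min_ips=5, max_per_ip=1):
    """Flag windows where many distinct IPs each make at most max_per_ip failed attempts.
    Every source stays under any per-IP threshold, so only the aggregate reveals the scan."""
    found = []
    for i, (start, _, _) in enumerate(events):
        window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_min * 60]
        per_ip = Counter(ip for _, _, ip in window)
        low_rate = {ip for ip, n in per_ip.items() if n <= max_per_ip}
        if len(low_rate) >= min_ips and not any(low_rate <= f[2] for f in found):
            found.append((start, window[-1][0], low_rate))
    return found
```

On the sample data the per-IP check blocks only 203.0.113.5, while the window check reports the five 198.51.100.x sources as one scan, none of which the per-IP check would ever block.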
