Hi, I don't think there is much to worry about these scans. It's more annoying than anything to have your logs full of brute force ssh attempts. One of my colleagues wrote and has had success with iptables rules to keep the log spam to a minimum.
The rules track new ssh connections. If there have been 5 connections from a single host in the past 60 seconds then the connection is dropped. Theoretically a worm could wait and attempt connecting again, but they don't seem to.

iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshscans
iptables -A INPUT -m recent --rcheck --seconds 60 --hitcount 5 --name sshscans --rsource -j DROP

Alexandre H wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scan seems to originate
> from various countries around the globe which makes me think of it to be
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run a SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.
>

--
Matt Rae
Open Source Lab
Oregon State University
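
The two rules above, modelled as an added example that is not part of the original message: it replays constructed connection attempts through the same set-then-check logic to show which ones are dropped and when a source is let back in. The function names and sample addresses are assumptions, and the model covers only new SSH connections, not other traffic from a listed source.

```python
from collections import defaultdict, deque

SECONDS = 60    # --seconds 60
HITCOUNT = 5    # --hitcount 5

def simulate(attempts):
    """Model the two rules for NEW tcp/22 connections.

    attempts: (timestamp_in_seconds, source_ip) tuples in time order.
    Returns (timestamp, source_ip, verdict) tuples, where PASS means the
    packet falls through to whatever rules follow.
    """
    recent = defaultdict(deque)          # the "sshscans" list, per source
    verdicts = []
    for ts, src in attempts:
        stamps = recent[src]
        stamps.append(ts)                # rule 1: --set runs before the check,
                                         # so dropped attempts are recorded too
        while stamps[0] < ts - SECONDS:  # forget hits older than the window
            stamps.popleft()
        # rule 2: --rcheck --seconds 60 --hitcount 5 -j DROP
        verdict = "DROP" if len(stamps) >= HITCOUNT else "PASS"
        verdicts.append((ts, src, verdict))
    return verdicts

# Constructed sample traffic (documentation addresses, not real hosts).
BURST = [(t, "203.0.113.7") for t in range(0, 16, 2)]      # 8 tries in 14 s
RETRY = [(100, "203.0.113.7")]                             # after a quiet spell
PACED = [(t, "198.51.100.9") for t in range(0, 200, 20)]   # one try per 20 s

def verdicts_for(src, attempts):
    """Verdicts for one source, in time order."""
    return [v for _, s, v in simulate(sorted(attempts)) if s == src]

if __name__ == "__main__":
    for row in simulate(sorted(BURST + RETRY + PACED)):
        print(*row)
```

Because the hit is recorded before the check, a source that keeps retrying stays blocked; it is let back in only once fewer than five of its attempts fall inside the last 60 seconds.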
