
SSH Attacks by Bots

Friday, June 20th, 2008

I recently opened up SSH ports on the firewall of one of my servers. Since then, I see tons of attacks in my server and firewall logs. The attackers all seem to be bots hammering the SSH port on that server, trying hundreds of user name and password combinations, so far unsuccessfully. I exported the list of source IPs and ran an IP-to-country lookup on them, which I’m going to post here for your convenience.

Why? Well, because if you are a system administrator or webmaster responsible for managing security on a server that is connected to the Internet 24/7, you could do what I did to prevent these bots from doing the same to your server: add the IP addresses to your block list (black, disallow or whatever it’s called on your firewall). Now, my firewall is denying access from those IP addresses on any port. I also changed the port for the SSH service from TCP/22 to something else. Though this will not prevent human hackers from finding out which port SSH is running on, it will prevent bots from hammering the server with login attempts. I’m also working on some code, kind of an add-on to my firewall, that will block IPs automatically after detecting these kinds of attacks in the future.
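One way such automatic detection could work, as an added example (not the author's add-on): it scans sshd log lines for repeated failed passwords from one source address inside a sliding time window. The log lines are constructed, and the name `find_offenders`, the threshold, the window and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 20 03:14:01 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 20 03:14:03 host sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 40113 ssh2
Jun 20 03:14:05 host sshd[4122]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jun 20 03:14:06 host sshd[4123]: Failed password for invalid user oracle from 198.51.100.23 port 51200 ssh2
Jun 20 03:14:08 host sshd[4124]: Failed password for invalid user guest from 203.0.113.7 port 40115 ssh2
Jun 20 03:14:10 host sshd[4125]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jun 20 03:20:00 host sshd[4130]: Accepted password for alice from 192.0.2.50 port 50022 ssh2
Jun 20 04:00:00 host sshd[4140]: Failed password for alice from 192.0.2.50 port 50030 ssh2
"""

# The user name is remote input, so the address is taken from the fixed
# "from <ip> port <n> ssh2" tail that sshd itself writes at the end of the line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def find_offenders(log_text, threshold=5, window=timedelta(minutes=10),
                   allowlist=frozenset(), year=2008):
    """Return {ip: sorted user names tried} for every address that reached
    `threshold` failed logins within `window`. Syslog lines carry no year,
    so one is assumed; allowlisted addresses are never reported."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) still inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in allowlist:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts = recent[m["ip"]]
        attempts.append((ts, m["user"]))
        while ts - attempts[0][0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len(attempts) >= threshold:
            offenders.setdefault(m["ip"], set()).update(u for _, u in attempts)
    return {ip: sorted(users) for ip, users in offenders.items()}

if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}  (tried: {', '.join(users)})")
```

The returned addresses are the candidates for the firewall block list; put your own management addresses in `allowlist` so a mistyped password cannot lock you out.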

I bet most of the administrators responsible for these IPs have no idea that their servers got hacked and are being used for attacking other servers. If you do your own searches using tools like domaintools.com and others, you will see that most of these IPs are running DNS and email servers.

Huhh, here is an idea: Maybe I should make a site to post these IPs on and write about the type of attacks and the user names and passwords tried, similar to the email spammers site where I post spam emails caught by my email servers, to help sysadmins better protect their servers against those spammers.