All my web servers, personal servers and everyone I know at home are getting hit with these atttemps. These scans are happening for months now. I'm almost willing to bet anyone who runs ssh `cat /var/log/messages | grep test` they will see many attempts from different IPs.

I suggest we all use key logins only and even run ssh on a alternate port if possible. Adding them to hosts.deny or blocking them via iptables in real time is even better.

I asked you once nicely not to spam the stickied threads. They are for informational purposes and filling them with random comments results in people not reading them and potentially missing important information, which I don't appreciate. If you feel the need to discuss this further, mail me off the list.

Geesh... I had one guy "scan" our servers over six THOUSAND times this weekend. What a PITA. I sent a complaint to his hosting company's abuse department... who knows if anything will come of it.

I've had good responses from network abuse teams working for different ISP's. Some even write back and thank you.

I'm used to cleaning out spam from my email but this shit is starting to get out of hand

Looks like the code has been updated to throw more passwords at a server

Look at how many hits I got from one idiot in one attack

failed logins from these:
Administrator/password from 216.189.163.85: 1 Time(s)
accounting/password from 216.189.163.85: 1 Time(s)
adm/password from 216.189.163.85: 1 Time(s)
admin/password from 216.189.163.85: 4 Time(s)
administrator/password from 216.189.163.85: 1 Time(s)
anon/password from 216.189.163.85: 1 Time(s)
apache/password from 216.189.163.85: 1 Time(s)
boss/password from 216.189.163.85: 1 Time(s)
checkfs/password from 216.189.163.85: 1 Time(s)
cisco/password from 216.189.163.85: 6 Time(s)
client/password from 216.189.163.85: 1 Time(s)
cvs/password from 216.189.163.85: 1 Time(s)
debug/password from 216.189.163.85: 1 Time(s)
dni/password from 216.189.163.85: 1 Time(s)
echo/password from 216.189.163.85: 1 Time(s)
fal/password from 216.189.163.85: 1 Time(s)
fax/password from 216.189.163.85: 1 Time(s)
ftp/password from 216.189.163.85: 1 Time(s)
games/password from 216.189.163.85: 1 Time(s)
gnats/password from 216.189.163.85: 1 Time(s)
gopher/password from 216.189.163.85: 1 Time(s)
guest/password from 216.189.163.85: 1 Time(s)
intel/password from 216.189.163.85: 1 Time(s)
kermit/password from 216.189.163.85: 1 Time(s)
login/password from 216.189.163.85: 1 Time(s)
lp/password from 216.189.163.85: 1 Time(s)
lynx/password from 216.189.163.85: 1 Time(s)
mail/password from 216.189.163.85: 1 Time(s)
man/password from 216.189.163.85: 1 Time(s)
manager/password from 216.189.163.85: 1 Time(s)
master/password from 216.189.163.85: 1 Time(s)
monitor/password from 216.189.163.85: 1 Time(s)
mysql/password from 216.189.163.85: 1 Time(s)
netscreen/password from 216.189.163.85: 1 Time(s)
news/password from 216.189.163.85: 1 Time(s)
nobody/password from 216.189.163.85: 1 Time(s)
operator/password from 216.189.163.85: 2 Time(s)
oracle/password from 216.189.163.85: 1 Time(s)
postgres/password from 216.189.163.85: 1 Time(s)
postmaster/password from 216.189.163.85: 1 Time(s)
qsvr/password from 216.189.163.85: 1 Time(s)
root/password from 216.189.163.85: 8 Time(s)
security/password from 216.189.163.85: 1 Time(s)
sync/password from 216.189.163.85: 1 Time(s)
sys/password from 216.189.163.85: 1 Time(s)
sysadmin/password from 216.189.163.85: 2 Time(s)
sysop/password from 216.189.163.85: 1 Time(s)
tech/password from 216.189.163.85: 1 Time(s)
test/password from 216.189.163.85: 6 Time(s)
user/password from 216.189.163.85: 1 Time(s)
uucp/password from 216.189.163.85: 1 Time(s)
www/password from 216.189.163.85: 1 Time(s)

I've been using my hosts.allow file to prevent some of the IPs from which I notice many attempts. Today my security email has informed me that a range of IPs, all starting with 207.158.8, have made many attempts. I'd like to block the entire range, which seems to go from 207.158.8.236 to 207.158.8.245. How would I modify the following code to block that entire range?

Also, I've done this for about 14 IPs so far. Is there any reasons that I should know about why not to approach the problem in this manner?

whois 207.158.8.236 will give you the CIDR range. Then you can add to your hosts.allow file.

I've been blocking these at the firewall. Any thoughts on if its better to block at the firewall vs. using a hosts.allow as mentioned here?

Also, does anyone have any tips for managing all of these IPs across multiple servers? Its getting to be a pain to add an IP to each of our servers every day.

Now exactly what IPs will this block? I basically want to block IPs in the range of 207.159.8.236 through 207.159.8.245 and nothing else from that range. Not 207.159.8.145, not 207.159.7.65.

That CIDR would block their entire network. I'd rather not mess with them in the future, but I suppose that's personal opinion.

Well, isn't it possible that there are lots of other people in that network that are not related to the offender in question?

I accidentally forgot to disable root login through SSH, so when I got back from my vacation one guy had been trying to login into my server with the root account for about 2weeks with a delay of a couple of seconds between each attempt.. scary

Yes, but its also possible there are more people on that network who will try the same thing. If my users start complaining, then I'll worry about it. You don't get much room for forgiveness with me when it comes to security.

Anywho, I think we're hijacking this thread.

If it has anything to do with dealing with these SSH attempts, additional observations or solutions, then feel free to post them here.

Alright, well it doesn't look like a whole lot of people are seeing this but I will pose the question anyway.

Q: What is your decision making process in blocking IP addresses?

Personally, I will not block an IP for simply one set of (unsuccesful) attempts on my site. If there are more than 10 attempts in a row, or attempts over a few days, then I will block that IP. If the IP is located in Taiwan or China, I'll block it right then and there b/c we basically sell no product there.

I'm a bit paranoid about blocking IPs, because I don't want to lose potential sales.

You can always just restrict those IP ranges from ssh access and leave potentially legitimate services (web,mail,etc) open. Obviously if you do some kind of outright blacklist you'll reduce these attempts overall, but consequently you're more likely to block legitimate traffic as well. If that's the route you take, it will really come down to a trade off of whether you can afford to block IP ranges in exchange for security (which is only something you can decide). Honestly, spending your effort hardening your system and maintaining security will be a better payoff than worrying about the best way to implement your blacklist. Then you can just ban the occasional determined repeat offender without much consideration.