Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SSH scans from 188.95.234.6

Published: 2013-04-02
Last Updated: 2013-04-02 13:16:28 UTC
by Mark Hofman (Version: 2)
16 comment(s)

We received the following earlier today regarding scans to SSH from this IP address which is a research group in Germany.  As far as we are aware it is legitimate research and the scans have been conducted previously.   So if you see scans from this IP address, this is what it is about. I'll leave whether you wish to block it or take advantage of their blacklist, up to you.  

I've asked a few clarifing questions, but have not yet received an answer.  I was curious about the "not Loggin in", but sending a username (and presumably a password) as I've identified the IP address on a number of fail2ban logs, so multiple password attempts. 

As one of the handlers mentioned, migh be ok in your area, but in many places it might still be seen as an intrusion.  I guess to me it is similar to anyone else doing the same for whatever reason, but that does mean you get treated the same, i.e. blocked after x attempts. In this case for me, a firm "thanks for the note I'll block it now".  Our DB will no doubt show it as an attacking IP as log files start coming in.  There is a note on the IP address from previous scans, so those that use the data can make their own choice. 

If you have SSH open you may want to look at something like fail2ban or other similiar tools and it will take care of scans from here the same as scans from anywhere else. In the mean time if you see the IP address your incident response time to investigate may be shorter for reading the below message.

Cheers

Mark.  

Dear colleagues,

Our team at the Network Architectures and Services Dept. (I8) of TU
München, Germany, has started an IPv4-wide SSH scan. This is the same
kind of scan that we have conducted several times over the past few
months. Once again, the purpose is purely scientific.

The scanning machine is 188.95.234.6.

It is not infected, nor is an attack intended (we do *not attempt to
login*, in fact we send the most harmless username ever). However, this
is a large-scale scan, which we expect to last up to 10 days. The
long-term goal are continuous scans.

We are perfectly aware that many IDS systems will count this as
an attack. We are thus writing in order to inform you of our activity.
If there is anything you can do - adding us to a whitelist, adding a
comment in your DB etc. - we would very much appreciate your help.

Please note that we respond to every complaint and are happy to
blacklist systems with annoyed admins.

Background information can be found here:

29C3 Lightning Talk, from minute 9:
http://www.youtube.com/watch?
v=eao8yBKHYT8

Crossbear-Paper:
http://www.net.in.tum.de/
fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf

Project homepage: https://pki.net.in.tum.de

Keywords:
16 comment(s)
Diary Archives