
SANS ISC: ISC Feature of the Week: SSH Scan Reports - SANS Internet Storm Center SANS ISC InfoSec Forums


ISC Feature of the Week: SSH Scan Reports

Overview
Our feature this week introduces Dr. Ullrich's newest system addition, which addresses widespread reports of SSH scans. We keep receiving reports from readers about these scans, and this system was set up to get a better handle on them: it collects log data that you submit via a special API URL. See http://isc.sans.edu/sshreports.html for details. Reporting will be released as soon as enough information has been collected.

Features

  • Reports are POSTed to https://isc.sans.edu/api/sshreports
  • Parameters are userid, authkey and data (tab-delimited log data)
  • An XML status of OK is returned on successful submission
    • This only confirms that the data was accepted. Validation and processing are done at a later time


There is currently a Perl script to collect data from the "kippo" honeypot, available at https://isc.sans.edu/kipposcript.pl

Post suggestions or comments in the section below, or send us any questions or comments via the contact form at https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu

AdamS

86 Posts
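As an added example (this is not code from the ISC, and not the kipposcript.pl Perl script linked above), here is a Python client for the API as the post describes it: it turns OpenSSH "Failed password" lines into the tab-delimited data field, form-encodes the userid, authkey and data parameters for the POST, and checks the XML reply for a status of OK. The column layout of the data field (date, time, source IP, username) and the shape of the reply (a status element whose text is OK) are assumptions of this example, since the post documents neither; the auth.log lines are constructed, and the authkey is read from the environment rather than hardcoded.

```python
"""Submit SSH brute-force attempts to the ISC sshreports API (added example)."""
import os
import re
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

API_URL = "https://isc.sans.edu/api/sshreports"

# Constructed sample input: OpenSSH auth.log lines. Only "Failed password"
# lines are reported, which (as with fail2ban) yields source IP and username
# but never the password that was tried.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.17 port 51234 ssh2
Mar  3 10:15:04 bastion sshd[2211]: Failed password for root from 203.0.113.17 port 51240 ssh2
Mar  3 10:15:05 bastion sshd[2215]: Accepted publickey for ops from 198.51.100.9 port 40000 ssh2
Mar  3 10:15:09 bastion sshd[2219]: Failed password for invalid user test from 198.51.100.200 port 9999 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text, year):
    """Return (date, time, source_ip, username) tuples for failed logins.

    syslog timestamps carry no year, so the caller supplies it.
    """
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append((ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
                        m["ip"], m["user"]))
    return records


def build_data_field(records):
    """Serialise records as tab-delimited text, one record per line.

    The column order (date, time, source IP, username) is an assumption of
    this example. Tabs and newlines inside a field (an attacker-chosen
    username, for instance) are replaced so they cannot inject extra
    columns or rows into the report.
    """
    lines = []
    for rec in records:
        cleaned = [str(f).replace("\t", " ").replace("\n", " ").replace("\r", " ")
                   for f in rec]
        lines.append("\t".join(cleaned))
    return "\n".join(lines) + ("\n" if lines else "")


def build_post_body(userid, authkey, data):
    """Form-encode the three parameters the API expects."""
    return urllib.parse.urlencode(
        {"userid": userid, "authkey": authkey, "data": data}).encode("utf-8")


def submission_ok(xml_bytes):
    """True if the XML reply carries a status of OK.

    Assumed reply shape: a <status> element (root or nested) whose text is OK.
    A parse error or any other status counts as failure. OK only means the
    data was accepted; validation happens later on the ISC side.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    status = root if root.tag == "status" else root.find(".//status")
    return status is not None and (status.text or "").strip().upper() == "OK"


def submit(userid, authkey, data, url=API_URL, timeout=30):
    """POST the report and return whether the API acknowledged it."""
    if not url.startswith("https://"):
        raise ValueError("authkey must only be sent over HTTPS")
    req = urllib.request.Request(url, data=build_post_body(userid, authkey, data),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return submission_ok(resp.read())


if __name__ == "__main__":
    records = parse_failed_logins(SAMPLE_AUTH_LOG, 2012)
    data = build_data_field(records)
    print(data, end="")
    # Credentials come from the environment; nothing is sent unless both are set.
    userid, authkey = os.environ.get("ISC_USERID"), os.environ.get("ISC_AUTHKEY")
    if userid and authkey:
        print("accepted" if submit(userid, authkey, data) else "rejected")
    else:
        print("set ISC_USERID and ISC_AUTHKEY to submit", file=sys.stderr)
```

Run it with no environment variables to see the tab-delimited payload built from the sample lines; set ISC_USERID and ISC_AUTHKEY to actually submit. The HTTPS check matters because the authkey is a credential for your account, and the field sanitising matters because usernames in the log are chosen by the scanner, not by you.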
I see a lot of attempts against my SSH server. Very thankful for fail2ban (http://en.wikipedia.org/wiki/Fail2ban).
I have it configured for 1 try and a 10 minute ban.
PaulOutBox

7 Posts
fail2ban already has a dshield "action" that can be used to report scans. Please enable it (see the dshield.conf file that comes with fail2ban for details). With fail2ban, you don't get passwords, but you still get the source IP, which is reported to DShield as a "port 22 portscan".
Johannes

3558 Posts
ISC Handler
