I'm always curious what is scanning my honeypot, but I was particularly interested in what kind of client applications are used to attempt to log in via SSH to that service. This graph shows the activity for the past week, including 500+ attempts for a period of 8 hours on 31 Dec, which went pretty much flat from 31 Dec 1200Z to 1 Jan 2018 1200Z while everyone celebrated New Year.
Guy 522 Posts ISC Handler Jan 7th 2018
I got tired of the high amount of oddball clients hitting my servers, so I started blocking them with iptables:

iptables -A BLOCKME -p tcp --dport ssh -m string --string "SSH-2.0-libssh" --algo bm -j SET --add-set filter-tempblock src

Other clients include "SSH-2.0-sshlib", "SSH-2.0-ZGrab", "SSH-2.0-Go", "SSH-2.0-ssh2js", "SSH-2.0-Ganymed", "SSH-2.0-JSCH", "SSH-2.0-Granados", "SSH-2.0-OpenSSH_6.7p1 Raspbian", "SSH-2.0-paramiko"
Anonymous
Jan 8th 2018
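An added example, not code from the diary or from the commenter: before loading a banner list like the one above into a firewall, it helps to run it over your own honeypot log and see which client families and source addresses it would catch. The log format ("source-ip banner" per line), the sample lines and the function names are assumptions made for this sketch.

```python
import re
from collections import Counter

# Banner strings quoted in the comment above.
BLOCKED = ["SSH-2.0-libssh", "SSH-2.0-sshlib", "SSH-2.0-ZGrab", "SSH-2.0-Go",
           "SSH-2.0-ssh2js", "SSH-2.0-Ganymed", "SSH-2.0-JSCH",
           "SSH-2.0-Granados", "SSH-2.0-OpenSSH_6.7p1 Raspbian",
           "SSH-2.0-paramiko"]
# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-([0-9.]+)-(\S+)(?: (.*))?$")
# Constructed sample, one "source-ip banner" pair per line (assumed format).
SAMPLE_LOG = """\
192.0.2.10 SSH-2.0-libssh-0.6.3
192.0.2.10 SSH-2.0-libssh-0.6.3
192.0.2.44 SSH-2.0-libssh2_1.7.0
198.51.100.7 SSH-2.0-paramiko_2.1.2
198.51.100.8 SSH-2.0-Go
203.0.113.5 SSH-2.0-OpenSSH_7.4
203.0.113.9 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
203.0.113.30 GET / HTTP/1.1
"""

def parse_banner(banner):
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None  # not an SSH identification string
    family = re.split(r"[_\-/]", m.group(2))[0]  # name before the version
    return {"proto": m.group(1), "family": family, "comments": m.group(3)}

def is_blocked(banner):
    # Substring test, like iptables "-m string" (case-sensitive by default).
    return any(s in banner for s in BLOCKED)

def tally(log_text):
    """Return (count per client family, IPs the list catches, non-SSH lines)."""
    families, caught, malformed = Counter(), set(), []
    for line in log_text.splitlines():
        ip, _, banner = line.partition(" ")
        parsed = parse_banner(banner)
        if parsed is None:
            malformed.append(line)
            continue
        families[parsed["family"]] += 1
        if is_blocked(banner):
            caught.add(ip)
    return families, caught, malformed

if __name__ == "__main__":
    print(*tally(SAMPLE_LOG), sep="\n")
```

In the sample, the "SSH-2.0-libssh" string also catches the libssh2 client, and the Raspbian entry catches a stock OpenSSH build, so review the caught set against clients you expect to see.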