2010-08-10
Interesting patterns in the security log ...
Interesting patterns in the security logs again:Aug 10 00:19:42 greenblatt sshd[22045]: Bad protocol version identification '\200b\001\003\001' from 207.70.60.20 Aug 10 00:19:43 greenblatt sshd[22071]: Bad protocol version identification '\200b\001\003\001' from 209.19.175.124 Aug 10 00:19:44 greenblatt sshd[22072]: Bad protocol version identification '\200b\001\003\001' from 207.70.47.249 Aug 10 00:19:45 greenblatt sshd[22073]: Bad protocol version identification '\200b\001\003\001' from 207.70.41.212 Aug 10 00:19:45 greenblatt sshd[22074]: Bad protocol version identification '\200b\001\003\001' from 207.70.39.65 Aug 10 00:19:46 greenblatt sshd[22075]: Bad protocol version identification '\200b\001\003\001' from 69.5.238.171 Aug 10 00:19:47 greenblatt sshd[22076]: Bad protocol version identification '\200b\001\003\001' from 206.206.50.92 Aug 10 00:19:48 greenblatt sshd[22078]: Bad protocol version identification '\200b\001\003\001' from 207.70.3.141Notice the timing. Makes me wonder what is going on.
Update: On twitter by @xs4cso:Major rise in SSH brute force attacks and complaints overnight. Weak passwords to blame.source
Update: Whois gives an interesting link between most of those IPs: they are all (but one) in network space owned by solution pro web hosting.