SSH scans from 188.95.234.6
We received the following earlier today regarding SSH scans from this IP address, which belongs to a research group in Germany. As far as we are aware it is legitimate research, and the scans have been conducted previously. So if you see scans from this IP address, this is what it is about. I'll leave it up to you whether you wish to block it or take advantage of their blocklist.
I've asked a few clarifying questions, but have not yet received an answer. I was curious about the "not logging in" but sending a username (and presumably a password), as I've identified the IP address in a number of fail2ban logs, so multiple password attempts.
As one of the handlers mentioned, it might be OK in your area, but in many places it might still be seen as an intrusion. I guess to me it is similar to anyone else doing the same for whatever reason, but that does mean you get treated the same, i.e. blocked after x attempts. In this case for me, a firm "thanks for the note, I'll block it now". Our DB will no doubt show it as an attacking IP as log files start coming in. There is a note on the IP address from previous scans, so those that use the data can make their own choice.
If you have SSH open you may want to look at something like fail2ban or other similar tools; it will take care of scans from here the same as scans from anywhere else. In the meantime, if you see this IP address in your logs, having read the message below may shorten the time you spend investigating it.
Cheers
Mark.
Dear colleagues,
Our team at the Network Architectures and Services Dept. (I8) of TU
München, Germany, has started an IPv4-wide SSH scan. This is the same
kind of scan that we have conducted several times over the past few
months. Once again, the purpose is purely scientific.
The scanning machine is 188.95.234.6.
It is not infected, nor is an attack intended (we do *not attempt to
log in*, in fact we send the most harmless username ever). However, this
is a large-scale scan, which we expect to last up to 10 days. The
long-term goal is continuous scans.
We are perfectly aware that many IDS systems will count this as
an attack. We are thus writing in order to inform you of our activity.
If there is anything you can do - adding us to a whitelist, adding a
comment in your DB etc. - we would very much appreciate your help.
Please note that we respond to every complaint and are happy to
blocklist systems with annoyed admins.
Background information can be found here:
29C3 Lightning Talk, from minute 9:
http://www.youtube.com/watch?
http://www.net.in.tum.de/
Comments
hcbhatt
Apr 2nd 2013
Speaking of posing as a research team, I still get "GET /w00tw00t.isc.sans.dfind :)" probes from people.
joeblow
Apr 2nd 2013
DHC
Apr 2nd 2013
I don't care who the scanner is. Scans are not socially acceptable Internet behavior.
Shane
Apr 2nd 2013
Auto-Blocking stuff is nice, but IMO, it's much easier not to allow them access from the beginning.
General Zod
Apr 2nd 2013
In my network, for example, I block someone that I see doing a portscan, or other scanning activity because I think they may then escalate things into other attacks, such as web application exploits. Or at the very least, it may keep them from finding an actual vulnerability in some other service that I allow.
Once the IP of the scanner is added to my blacklist they will not be able to even get to legitimate services that I offer to the general public, like my email and web apps.
Anthus
Apr 3rd 2013
[me@1 log]$ grep 188\.95\.234\.6 *
kippo.log.315:2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory]
New connection: 188.95.234.6:44440 (sanitized:22) [session: 7]
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See: http://bozen.net.in.tum.de
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] outgoing: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:55+0000 [HoneyPotTransport,7,188.95.234.6] incoming: aes128-ctr hmac-md5 none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] NEW KEYS
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] starting service ssh-userauth
kippo.log.315:2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,188.95.234.6] root trying auth none
kippo.log.315:2012-09-09 17:46:56+0000 [HoneyPotTransport,7,188.95.234.6] connection lost
nekton
Apr 5th 2013
Please also note that we use a non-existing authentication method, and do thus never send a password. There is no way we could get access to your systems. The only reason we send that authentication method is that we need to complete the handshake to find out which cipher has been chosen.
Concerning whether such scans are legit, I would like to copy from a mail I have written to a SANS member:
We are a network measurement group. We do believe that active scans must be an integral part in understanding and improving the infrastructure of the Internet. In the end, everyone benefits from that (BTW, there is even an RFC on scanning for measurement purposes). As an example of how improvement is possible, I would like to point out our paper (but also the work of the EFF and others) that documents how poorly SSL/X.509 is deployed:
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf
We hope to document SSH in a similar way. And frankly, from what we can see in our scans, there are a few oddities that need documentation.
We believe that we can contribute to overall security with our scans. If you feel inconvenienced by them, please accept our apologies.
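A log triage script, added here as an example and not part of the diary, of any commenter's code, or of the TU München scanner. It takes Mark's point (a fail2ban-style ban after x failed password attempts) together with nekton's (the scanner requests only the SSH userauth method "none" and never sends a password, which is exactly what Anthus's kippo excerpt shows) and separates handshake-only probes from password guessing in your own logs. All log lines are constructed: the sshd lines follow OpenSSH's "Failed password for ... from IP port N ssh2" format, the kippo lines are modelled on the ones posted above, and the client addresses are RFC 5737 documentation ranges rather than any real scanner. The hostname, PIDs, the 10.0.0.5 honeypot address and the maxretry value of 3 are assumptions.

```python
"""Separate SSH handshake-only probes from password guessing.

Added example; not code from the ISC diary or the TU München group.
Inputs are two constructed log excerpts: OpenSSH sshd auth.log lines
(what fail2ban's sshd filter keys on) and kippo honeypot lines that record
which userauth method each client actually asked for.
"""
import re
from collections import defaultdict

# Constructed sshd lines. 203.0.113.7 guesses passwords; 198.51.100.9 only
# opens a connection and drops it before authenticating.
SSHD_LOG = """\
Apr  2 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  2 10:01:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr  2 10:01:06 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr  2 10:01:09 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Apr  2 10:02:00 host sshd[2110]: Connection closed by 198.51.100.9 [preauth]
Apr  2 10:05:00 host sshd[2120]: Failed password for alice from 192.0.2.44 port 40000 ssh2
"""

# Constructed kippo lines modelled on the excerpt in the comments; 10.0.0.5
# is an assumed honeypot address. The scanner identifies itself in the
# comment field of its SSH version string and asks only for method "none".
KIPPO_LOG = """\
2012-09-09 17:46:55+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.9:44440 (10.0.0.5:22) [session: 7]
2012-09-09 17:46:55+0000 [HoneyPotTransport,7,198.51.100.9] Remote SSH version: SSH-2.0-OpenSSH_6.1 This is a routine measurement by the TU Munich. See: http://bozen.net.in.tum.de
2012-09-09 17:46:56+0000 [SSHService ssh-userauth on HoneyPotTransport,7,198.51.100.9] root trying auth none
2012-09-09 17:46:56+0000 [HoneyPotTransport,7,198.51.100.9] connection lost
2012-09-09 17:50:00+0000 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.7:51022 (10.0.0.5:22) [session: 8]
2012-09-09 17:50:00+0000 [HoneyPotTransport,8,203.0.113.7] Remote SSH version: SSH-2.0-libssh2_1.4.2
2012-09-09 17:50:01+0000 [SSHService ssh-userauth on HoneyPotTransport,8,203.0.113.7] root trying auth password
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
KIPPO_AUTH_RE = re.compile(
    r"HoneyPotTransport,\d+,(\d+\.\d+\.\d+\.\d+)\] (\S+) trying auth (\S+)")
KIPPO_BANNER_RE = re.compile(
    r"HoneyPotTransport,\d+,(\d+\.\d+\.\d+\.\d+)\] Remote SSH version: (\S+)(?: (.*))?$")


def sshd_failures(log):
    """Per-IP count of failed password attempts (the fail2ban signal)."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def kippo_auth_methods(log):
    """Per-IP sorted list of userauth methods the client requested."""
    methods = defaultdict(set)
    for line in log.splitlines():
        m = KIPPO_AUTH_RE.search(line)
        if m:
            methods[m.group(1)].add(m.group(3))
    return {ip: sorted(s) for ip, s in methods.items()}


def kippo_banners(log):
    """Per-IP comment field from the client's SSH identification string, if any."""
    banners = {}
    for line in log.splitlines():
        m = KIPPO_BANNER_RE.search(line)
        if m and m.group(3):
            banners[m.group(1)] = m.group(3)
    return banners


def classify(ip, failures, methods, maxretry=3):
    """Verdict for one IP.

    'ban'            password failures reached the fail2ban-style maxretry
    'handshake-only' only userauth method 'none' seen, no password failures
    'watch'          some guessing or a real auth method, below the threshold
    'unseen'         nothing matched for this IP
    """
    n = failures.get(ip, 0)
    m = set(methods.get(ip, []))
    if n >= maxretry:
        return "ban"
    if n == 0 and m and m <= {"none"}:
        return "handshake-only"
    if n > 0 or (m - {"none"}):
        return "watch"
    return "unseen"


def triage(sshd_log, kippo_log, maxretry=3):
    """Map every IP seen in either log to its verdict."""
    failures = sshd_failures(sshd_log)
    methods = kippo_auth_methods(kippo_log)
    ips = set(failures) | set(methods)
    return {ip: classify(ip, failures, methods, maxretry) for ip in sorted(ips)}


if __name__ == "__main__":
    banners = kippo_banners(KIPPO_LOG)
    for ip, verdict in triage(SSHD_LOG, KIPPO_LOG).items():
        print(f"{ip:16} {verdict:15} {banners.get(ip, '')}")
```

The comment field is the part of the SSH identification string after the software version that RFC 4253 allows a client to append; it is how this scanner announces itself, but anyone can set it, so treat it as a courtesy note to record in your DB, not as evidence. The decision that matters for a ban is the one fail2ban already makes: whether password failures from the IP pile up, which a handshake-only probe never produces.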
Ralph
Apr 5th 2013