From: Chuck Swiger <cswiger@mac.com>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Tue, 01 Dec 2009 11:28:06 -0800
Subject: Re: Increase in SSH attacks as of announcement of rtld bug
Message-id: <2C416146-FE6E-42EC-8FA5-434027BF38EE@mac.com>
In-reply-to: <200912011909.nB1J9JRM070879@lava.sentex.ca>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

Hi--

On Dec 1, 2009, at 11:09 AM, Mike Tancsa wrote:
> http://isc.sans.org/trends.html
> and
> http://isc.sans.org/port.html
>
> Do not seem to show any increase.

I've checked, and the volume of attempts over the past few days seems pretty constant, although there was actually a decrease around Nov 26-29 corresponding to the US Thanksgiving holiday. :-)

I do use denyhosts with ~4000 IPs known to be actively scanning SSH blocked. I do note an increasing number of malicious scans using the "Client: libssh-0.1" string instead of legit connects with "Client: OpenSSH_5.2" or similar....

Regards,
--
-Chuck
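The banner observation above (scanners announcing themselves as libssh-0.1 while legitimate clients announce OpenSSH_5.2) can be turned into a simple triage pass over sshd logs. The script below is an added example, not code from the poster, denyhosts, or the FreeBSD project. It assumes sshd is running at LogLevel DEBUG, so that OpenSSH emits its "Client protocol version ...; client software version ..." line, and it joins that line to the preceding "Connection from" line and any later failure line by the sshd child pid. The sample log lines are constructed for the example, and the SUSPECT_BANNERS list is an assumed, site-specific tuning knob.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of OpenSSH sshd logging at LogLevel DEBUG.
# Not taken from any real host; IPs are from the documentation ranges.
SAMPLE_LOG = """\
Dec  1 10:01:02 host sshd[1201]: Connection from 192.0.2.10 port 51234
Dec  1 10:01:02 host sshd[1201]: debug1: Client protocol version 2.0; client software version OpenSSH_5.2
Dec  1 10:01:05 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Dec  1 10:02:11 host sshd[1307]: Connection from 198.51.100.7 port 2229
Dec  1 10:02:11 host sshd[1307]: debug1: Client protocol version 2.0; client software version libssh-0.1
Dec  1 10:02:12 host sshd[1307]: Invalid user admin from 198.51.100.7
Dec  1 10:02:20 host sshd[1310]: Connection from 198.51.100.7 port 2231
Dec  1 10:02:20 host sshd[1310]: debug1: Client protocol version 2.0; client software version libssh-0.1
Dec  1 10:02:21 host sshd[1310]: Invalid user oracle from 198.51.100.7
Dec  1 10:03:00 host sshd[1322]: Connection from 203.0.113.5 port 40000
Dec  1 10:03:00 host sshd[1322]: debug1: Client protocol version 2.0; client software version libssh-0.1
Dec  1 10:03:01 host sshd[1322]: Failed password for root from 203.0.113.5 port 40000 ssh2
"""

CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+")
BANNER_RE = re.compile(
    r"sshd\[(\d+)\]: debug1: Client protocol version [\d.]+; client software version (\S+)")
FAIL_RE = re.compile(
    r"sshd\[(\d+)\]: (?:Invalid user \S+ from (\S+)|Failed password for \S+ from (\S+))")

# Assumed: banners this site has only ever seen from scanners. Tune per host;
# a banner string is trivially spoofable, so treat it as a triage hint, not proof.
SUSPECT_BANNERS = ("libssh-0.1",)


def correlate(log_text):
    """Join the per-connection lines on the sshd child pid.

    Returns {pid: {"ip": str|None, "banner": str|None, "failed": bool}}.
    Pids are reused over a long enough log; for a rotated daily log this is fine,
    for a multi-week log you would key on (pid, first timestamp) instead.
    """
    sessions = defaultdict(lambda: {"ip": None, "banner": None, "failed": False})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sessions[m.group(1)]["ip"] = m.group(2)
            continue
        m = BANNER_RE.search(line)
        if m:
            sessions[m.group(1)]["banner"] = m.group(2)
            continue
        m = FAIL_RE.search(line)
        if m:
            sessions[m.group(1)]["failed"] = True
    return dict(sessions)


def banner_stats(sessions):
    """Count connections and failed connections per client banner."""
    total, failed = Counter(), Counter()
    for s in sessions.values():
        if s["banner"]:
            total[s["banner"]] += 1
            if s["failed"]:
                failed[s["banner"]] += 1
    return total, failed


def suspect_ips(sessions, banners=SUSPECT_BANNERS, min_fails=1):
    """IPs that presented a suspect banner and failed at least min_fails times.

    This is the list you would feed to denyhosts/pf, after eyeballing it.
    """
    fails = Counter()
    for s in sessions.values():
        if s["banner"] in banners and s["failed"] and s["ip"]:
            fails[s["ip"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= min_fails)


if __name__ == "__main__":
    sess = correlate(SAMPLE_LOG)
    total, failed = banner_stats(sess)
    for banner, n in total.most_common():
        print(f"{banner:20s} connections={n:3d} failed={failed[banner]:3d}")
    print("candidates to block:", suspect_ips(sess, min_fails=1))
```

Running it on the constructed sample shows one clean OpenSSH_5.2 session and three libssh-0.1 sessions, all of which failed authentication, which yields two candidate IPs. In practice you would raise min_fails and keep a whitelist, since the banner alone says nothing about intent and a legitimate libssh-based tool on your own network would otherwise end up in the block list.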