From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1L8N2G-0005EY-CV for garchives@archives.gentoo.org; Thu, 04 Dec 2008 22:51:05 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4501AE03E5; Thu, 4 Dec 2008 22:51:02 +0000 (UTC)
Received: from mail1.optus.com.au (mail1.optus.com.au [203.13.126.129]) by pigeon.gentoo.org (Postfix) with ESMTP id EB5C2E03E5 for ; Thu, 4 Dec 2008 22:51:01 +0000 (UTC)
Received: from mail1.optus.com.au (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id 5AD4320F06B; Fri, 5 Dec 2008 09:50:59 +1100 (EST)
Received: from chow2ke002.optus.com.au (unknown [161.43.32.103]) by mail1.optus.com.au (Postfix) with ESMTP id 4A77920F069; Fri, 5 Dec 2008 09:50:59 +1100 (EST)
Received: from excprdhubw001.optus.com.au ([10.8.36.36]) by chow2ke002.optus.com.au with Microsoft SMTPSVC(6.0.3790.3959); Fri, 5 Dec 2008 09:50:58 +1100
Received: from excprdmbxw002.optus.com.au ([10.8.36.30]) by excprdhubw001.optus.com.au ([10.8.36.36]) with mapi; Fri, 5 Dec 2008 09:50:58 +1100
From: Adam Carter
To: "gentoo-user@lists.gentoo.org"
Date: Fri, 5 Dec 2008 09:53:59 +1100
Subject: RE: [gentoo-user] Curious pattern in log files from ssh...
Thread-Topic: [gentoo-user] Curious pattern in log files from ssh...
Thread-Index: AclWAwjqHXrt3hxBSWST9jc5y9ITAwAXKs+wAADHRZA=
Message-ID: <5602B0BD6D59AE4791BE83104940118D3C05D826@excprdmbxw002.optus.com.au>
In-Reply-To: <5602B0BD6D59AE4791BE83104940118D3C05D80D@excprdmbxw002.optus.com.au>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
X-OriginalArrivalTime: 04 Dec 2008 22:50:58.0996 (UTC) FILETIME=[C644EF40:01C95662]
X-TM-AS-Product-Ver: IMSS-7.0.0.3091-5.5.0.1026-16320.002
X-TM-AS-User-Approved-Sender: No
X-TM-AS-Result-Xfilter: Match text exemption rules:Yes
X-Archives-Salt: 5c7c3b93-f1a5-40f1-b357-8c511feac2a0
X-Archives-Hash: 87c5f5981bc7b6dba27c78acb21271e2

> > Also take a note that there are no "known-compromised hosts"
>
> What about hosts listed in RBLs?
> http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. It
> would be interesting to see how much correlation there is
> between ssh brute forcing bots and the contents of the various lists.

Maybe http://wiki.duskglow.com/tiki-index.php?page=Packetbl "PacketBL is a program that uses DNS blocklists to determine whether to accept or reject packets"

Used with dnsbl.ahbl.org "Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers" would be a good solution.
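The correlation the quoted reply asks about (do the addresses brute-forcing sshd show up in a DNS blocklist?) can be measured directly from the auth log before committing to a packet filter like PacketBL. The script below is an added example, not code from the thread or from PacketBL: it extracts per-source failed-password counts from constructed sshd log lines, builds the standard DNSBL query name (IPv4 octets reversed, then the zone), treats any answer in 127.0.0.0/8 as a listing, and reports which brute-forcing sources are listed. The zone name `dnsbl.example.net` and the `stub_resolver` listing are assumptions so the example runs offline; `system_resolver` is the drop-in for a live run against a zone you actually trust (the AHBL zone named in the reply has since been retired).

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of sshd log lines, in the shape of the entries the
# thread discusses. Addresses are from the documentation ranges (RFC 5737).
SAMPLE_AUTH_LOG = """\
Dec  4 22:10:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec  4 22:10:03 host sshd[1234]: Failed password for invalid user oracle from 192.0.2.10 port 51240 ssh2
Dec  4 22:10:05 host sshd[1240]: Failed password for root from 198.51.100.7 port 40001 ssh2
Dec  4 22:11:00 host sshd[1250]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Dec  4 22:12:00 host sshd[1260]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# A DNSBL signals "listed" with an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver maps a query name to its A record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def failed_logins(log_text: str) -> Dict[str, int]:
    """Count failed-password attempts per source IPv4 address."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """True only if the zone answers with an address in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ValueError:
        # A non-address answer is not a listing; treat it as "unknown/no".
        return False


def correlate(log_text: str, zones: Iterable[str], resolve: Resolver) -> Dict[str, dict]:
    """For each brute-forcing source, record its failure count and listings."""
    report = {}
    for ip, failures in failed_logins(log_text).items():
        listed_in: List[str] = [z for z in zones if is_listed(ip, z, resolve)]
        report[ip] = {"failures": failures, "listed_in": listed_in}
    return report


def listed_fraction(report: Dict[str, dict]) -> float:
    """Share of brute-forcing sources that appear in at least one zone."""
    if not report:
        return 0.0
    return sum(1 for r in report.values() if r["listed_in"]) / len(report)


def system_resolver(name: str) -> Optional[str]:
    """Live lookup via the system resolver (only for a real run)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed, offline stand-in for a DNSBL: one of the two attackers is listed.
ASSUMED_ZONE = "dnsbl.example.net"  # placeholder zone name, not a real list
_STUB_LISTINGS = {"10.2.0.192." + ASSUMED_ZONE: "127.0.0.2"}


def stub_resolver(name: str) -> Optional[str]:
    return _STUB_LISTINGS.get(name)


if __name__ == "__main__":
    rep = correlate(SAMPLE_AUTH_LOG, [ASSUMED_ZONE], stub_resolver)
    for ip, info in rep.items():
        print(f"{ip}: {info['failures']} failures, listed in {info['listed_in'] or 'none'}")
    print(f"listed fraction: {listed_fraction(rep):.2f}")
```

Swapping `stub_resolver` for `system_resolver` and `ASSUMED_ZONE` for a maintained zone turns this into the measurement the reply asks for; keeping the resolver injected is also what makes the parsing and the 127.0.0.0/8 check testable without network access.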