[plug] Recent increase in SSL probes

Brad Campbell brad at fnarfbargle.com
Tue Dec 16 03:20:10 UTC 2014

I use the recent match in iptables to limit each IP address to 3 
connections in 10 mins. This slows the logs down, but yeah, it has been 
relentless for the last week or so. If I had 10 minutes to spare I'd set 
up a honeypot to see what they were doing. Last time I did that I 
configured a VM with an account backup:backup and it was compromised in 
a matter of hours.

On 16/12/14 11:17, Andrew Cooks wrote:
> Hi Brad
> Not sure what's going on, but I also noticed the probes on ssh. It was
> annoying enough that I moved ssh to a different port - not so much for
> security, but to stop the constant trickle of spam in my logs and waste
> of my ridiculously low dsl bandwidth.
> a.
> On Tue, Dec 16, 2014 at 11:07 AM, Brad Campbell <brad at fnarfbargle.com> wrote:
>     G'day all,
>     In the last couple of days we've seen an exponential increase in
>     probes on ssh and new hits on imap. Notable because we've never seen
>     the hits on the imap server before:
>     dovecot: imap-login: Disconnected (no auth attempts in 0 secs):
>     user=<>, rip=, lip=, TLS handshaking:
>     SSL_accept() failed: error:140760FC:SSL
>     routines:SSL23_GET_CLIENT_HELLO:unknown protocol,
>     session=<K/n1XR0KQwBjONz/>
>     Anyone else know what is going on?

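The per-address limit described in the reply above (3 connections in 10 minutes using the iptables recent match), written out as an added example; it is not the poster's actual ruleset. The INPUT chain, the list name ssh_probe, port 22 and the choice of --rcheck are assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that allow ALLOWED new connections per
# source address to PORT within WINDOW seconds, using the "recent" match.
# The rules are printed, not applied, so they can be reviewed first.
# Chain, list name and port are assumptions, not values from the post.

recent_limit_rules() {
    port=$1 allowed=$2 window=$3 name=${4:-ssh_probe}

    # Reject empty, non-numeric or zero arguments rather than emit a broken rule.
    for n in "$port" "$allowed" "$window"; do
        case $n in
            ''|*[!0-9]*|0) echo "bad argument: $n" >&2; return 1 ;;
        esac
    done

    # Rule 1 records every new connection attempt before rule 2 counts it, so
    # the count already includes the current attempt. Dropping at ALLOWED+1
    # hits therefore lets exactly ALLOWED new connections through per window.
    hitcount=$((allowed + 1))
    match="-p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name"

    echo "iptables -A INPUT $match --set"
    # Attempts dropped here were still recorded by rule 1, so a source that
    # keeps probing stays blocked until its rate falls back under the limit.
    echo "iptables -A INPUT $match --rcheck --seconds $window --hitcount $hitcount -j DROP"
}

# The limit described in the post: 3 connections per address in 10 minutes.
recent_limit_rules 22 3 600
```

Both rules must sit ahead of whatever rule accepts traffic to the port, otherwise new connections are accepted before they are counted.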