log entry question on sshd

[Darrell Shandrow]

Hi Raul,

You could access the ARIN (American Registry of Internet Numbers) web site 
at http://www.arin.net to find out the provider who has registered the IP 
address in question, and contact that provider.  I have certainly dealt 
with those sorts of security inqueries at work on a number of occasions.


At 09:11 AM 1/23/2002 -0600, you wrote:
>Darrell Shandrow said the following on Tue, Jan 22, 2002 at 08:43:41PM -0700:
> > Hi Raul,
> >
> > Hmmm, looks like a rather persistent port scan, in my estimation.
> >
> > At 11:04 PM 1/20/2002 -0600, you wrote:
> > >Hey gang.  I received this log entry and am not sure if it's a portscan
> > >of some type or not.  Anyone seen this before?
> > >
> > >Jan 20 19:23:25 saidin sshd[4209]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > >Jan 20 19:24:47 saidin sshd[4216]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
> > >Jan 20 19:26:00 saidin sshd[4220]: scanned from 195.178.168.129 with
> > >+SSH-1.0-SSH_Version_Mapper.  Don't panic.
>
>
>I thought so at first but usually portscans will scan more ports than
>ssh.  Besides I'm not worried about anyone breaking in via ssh.  My ssh
>is secure and does not allow root to ssh in anyway.  I also didn't see
>any other portscans on any other ports.  What it seems to me is that
>they were trying to use ssh1 to connect on ssh2 or something but who
>knows.  It has not happened since so I am not worried.
>
>--
>We are writing this e-mail to inform you that the mail server is down.
>Please do not call the help desk for assistance.  To see the progress of
>any outage refer to your e-mail notifications.
>Raul A. Gallegos - http://www.asmodean.net
>
>_______________________________________________
>Speakup mailing list
>Speakup at braille.uwo.ca
>http://speech.braille.uwo.ca/mailman/listinfo/speakup

Best regards and happy New Year,
Darrell
Access technology consulting / network and UNIX         systems administration.