Re: OpenSSH 3.4p1 Trouble on SCO 5.0.5?
On Sun, 23 Mar 2008, Steve M. Fabac, Jr. wrote:
> Bill Vermillion wrote:
>> In article <47E6160C.7080405@att.net>,
>> Steve M. Fabac, Jr. <smfabac@att.net> wrote:
>> > I have a client running SCO 5.0.5 with OpenSSH 3.4p1
>> > installed.
>>
>> > Since SSH was installed, we have been getting hits from
>> > people on the Internet scanning port 22.
>>
>> > Normally they give up and go away. However, I have noticed
>> > an unusual number of scans from foreign IP addresses using
>> > valid names on the system (the names below in the block for
>> > a single source IP are the *only* names logged from that
>> > IP):
>>
>> ....
>>
>> > Anybody have any ideas, thoughts or comments on this?
>>
>> I've seen as high as 10,000 such attempts per day - but these are
>> on mail and web servers directly connected to a tier 1 backbone
>> [level 3] in their Orlando colo. They actually switch [not route]
>> connections across the US so I can see 1 hop from Orlando to
>> Seattle - that's one reason they carry about 60% of the 'net
>> traffic.
>>
>> But as Nico said in his reply to you, you really shouldn't put SCO
>> on a directly connected internet.
>
> Bill,
>
> I neglected to indicate that the machine is behind a firewall and port
> 22 is forwarded from the public IP address to the LAN IP address of
> the box.
Using Netfilter/Iptables under Linux, it is easy to limit the rate at
which new connections are made to the SSH server, while leaving existing
connections unaffected. This is very powerful against dictionary attacks,
which have been going on against SSH servers for 3-4 years now.
I believe that the *BSD OSes have similar capabilities.
You are using a recent version of OpenSSH, but are you using a version of
OpenSSL? There have been vulnerabilities in OpenSSL in the recent past.
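The Netfilter rate limiting described in the reply above, written out as an added example (this is not code from any poster in the thread). It uses the `recent` match to count new TCP connections to the SSH port per source address and drop the excess, while established sessions are accepted before the limit is ever consulted. The port (22), the 60-second window, the hit count (4, so three new connections per minute are allowed and the fourth onward is dropped), the list name `ssh` and the `INPUT` chain are assumptions; all of them can be overridden through environment variables.

```shell
#!/bin/sh
# Rate-limit NEW SSH connections per source address with Netfilter's "recent"
# match, leaving existing connections untouched.  Added example; the defaults
# below are assumptions, not settings from the thread.
IPT="${IPT:-iptables}"        # set IPT="echo iptables" to preview the rules
CHAIN="${CHAIN:-INPUT}"       # use CHAIN=FORWARD on a firewall that port-forwards 22
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-60}"        # seconds the per-source history is examined over
HITS="${HITS:-4}"             # the HITS-th new connection within WINDOW is dropped

ssh_ratelimit_rules() {
    # Established and related traffic is accepted first, so sessions that are
    # already open never reach the rate-limit rules.
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Record the source of every new connection to the SSH port in list "ssh".
    $IPT -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ssh --set

    # Log sources that have already hit the limit (--rcheck does not refresh
    # the timestamp, so logging does not extend the block by itself).
    $IPT -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ssh --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix "ssh-ratelimit: "

    # Drop the HITS-th and later new connections seen within WINDOW seconds.
    # --update refreshes the entry, so a source that keeps hammering stays
    # blocked until it has been quiet for a full WINDOW.
    $IPT -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --name ssh --update --seconds "$WINDOW" --hitcount "$HITS" \
        -j DROP

    # Everything below the limit is accepted.
    $IPT -A "$CHAIN" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
}

# Show the addresses currently tracked (path depends on kernel version).
ssh_ratelimit_status() {
    for f in /proc/net/xt_recent/ssh /proc/net/ipt_recent/ssh; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "recent list 'ssh' not present (rules not loaded?)" >&2
    return 1
}

case "${1:-}" in
    show)   ( IPT="echo iptables"; ssh_ratelimit_rules ) ;;
    apply)  [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
            ssh_ratelimit_rules ;;
    status) ssh_ratelimit_status ;;
esac
```

Run `sh ssh-ratelimit.sh show` to preview the rules, `apply` (as root) to load them into the live chain, and `status` to see which source addresses are currently in the list. The rules belong on the machine running Netfilter: on a host that exposes sshd directly that is the `INPUT` chain, while in the port-forwarding setup described in the thread they go on the Linux firewall in the `FORWARD` chain (`CHAIN=FORWARD`), since the SCO box itself has no Netfilter. Keep the `ESTABLISHED,RELATED` rule first, and test from a second session before closing the one you are in, because the limit also applies to your own reconnects.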