sshbl.org - (the SSH blacklist)
The SSH blacklist, updated every 5 minutes, contains IP addresses of hosts which tried to bruteforce into any of currently 11 hosts (all running OpenBSD, FreeBSD or Linux) using the SSH protocol. The hosts are located in Germany, the United States, Australia, France and setup to report and log those attempts to a central database. Very similar to all the spam blacklists out there.
****************************************** If you are running some kind of virtualization technology that lets you run virtual (Free|Open)BSD (prefered) or Linux hosts, got some spare ressources, money or even a dedicated server, you could donate, do not hesitate to use the email address below. All that is needed is approx. >=128 MB RAM, some swap, >=1024 MB HDD space and, of cause, at least one external IP. Multiple different IPs or small subnets increase the detection rate dramaticaly. PayPal Donations are also accepted:
******************************************
For every logged attack an email is sent out to the contacts listed in the whois information of the attacking host, only a few minutes after the attack started. It is our hope that the responsible administrators use that information to quickly clean and secure the misused machines.
News
(taken from Twitter)
(taken from Twitter)
There will be a service outage tonight between approx. 2300 and 0500 CET, because the main server will be moved physically to a new location
We just counted over 6000 attacks with ~4000 unique IPs.
Sorry folks. The list will now be updated again. My new born son kept my occupied and I didn't notice the cronjob wasn't running until now.
One host is currently under distributed SSH bruteforce attack by a botnet. A manually gathered IP list: http://www.sshbl.org/lists/ddos.txt
We now also support Linux based hosts to detect attacks. Host donations to improve our service are always very welcome!
Statistics show that 30% (value corrected) of all SSH bruteforce attacks originate from China
You can now also SSL encrypt the traffic using the following link: https://ssl.bsdhost.eu/proxy/sshbl.org/
We now have a REAL statistics page with more description. http://www.sshbl.org/statistics.html
Old News
We can now also be found at http://twitter.com/sshblorg/.
Exactly one month since the last update. We noticed that some people would rather have a ready-to-use hosts.deny file instead of having to convert it first, so here it is. Users of PF can keep using the plain base.txt or base_30days.txt file directly in PF. Here is a small pf.conf example.
Due to a bug in the data processing script and OpenBSD's pfctl on one of the most active machines 179 old entries were marked as new. The 179 updates were removed from the database but emails were already sent out. The workaround is now to ignore dates reported from pfctl that are from the future. ;-) Sorry for the inconvenience!
The site is now fully reachable using IPv6 too. The list will remain IPv4 only for now though. If you experience any issues with IPv6 regarding this site, please contact us.
Due to a database error some notification emails were sent out several times. The problem is fixed and will never happen again. We are sorry for the inconvenience.
We now send out automatically generated emails to the WHOIS contacts, reporting logged attacks so that the network/host owners can take action to prevent further abuse. So, if one of those emails brought you here AND you fixed the issue AND want to get the IP removed from the list, click the delisting link above.
There now also is a list which includes only those IPs that got logged during the last 30 days. Keep checking the lists/ directory for other list variants. If you need some special format of the list or would love to see certain statistics, feel free to ask.
The first set of statistics is available. More will follow.
Contact: support{AT}sshbl{D0T}org
Supported by:
