Oracle system on shame list [Update]
Server monitoring tool DenyHosts has shown that an Oracle system (emea-netcache1.oracle.co.uk) is among the 10 worst sources of attacks on servers which run SSH server software. The "Most Often Denied Hosts" statistics show that for 70 days attempts have been made from this system (or systems) to log into the SSH accounts of other servers. Reports in the British media say that Oracle has been informed of this problem. While it is not clear whether the system has been abused by hackers, Oracle is investigating the case.
DenyHosts is a tool written in Python that evaluates and processes SSH daemon log files to help administrators track which systems are being used, and how often, in attempts to gain unauthorised access to which accounts. If the number of attempted attacks from a system reaches a certain threshold value, the script simply locks that system out with an entry in /etc/hosts.deny. The data can be uploaded to the statistics server of the DenyHosts project. A similar tool, fail2ban, also works with log files but, unlike DenyHosts, uses iptables rules to block further access.
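The threshold-and-deny approach described above, as an added Python sketch (not DenyHosts' own code): it counts OpenSSH "Failed password" lines per source address and emits TCP wrappers entries for hosts at or above a threshold. The log lines, the threshold of 3 and the function names are constructed for illustration. It also covers one parsing pitfall beyond the article: the user name in the log is chosen by the remote client, so the source address is taken only from the end of the line.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (documentation-range addresses), not real data.
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:14:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Jan 10 03:14:06 host sshd[812]: Failed password for invalid user oracle from 203.0.113.5 port 40114 ssh2
Jan 10 03:15:10 host sshd[820]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Jan 10 03:15:30 host sshd[821]: Accepted password for alice from 198.51.100.7 port 51201 ssh2
Jan 10 03:16:00 host sshd[830]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 198.51.100.9 port 60000 ssh2
"""

# The user name is client-controlled, so match it greedily and anchor the
# address at the end of the line: only the final "from <ip>" is written by sshd.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def count_failures(log_text):
    """Return {ip: {"count": n, "users": set_of_names}} for failed logins."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def deny_entries(stats, threshold, already_denied=()):
    """Build hosts.deny lines for hosts at or above the threshold."""
    return [
        f"sshd: {ip}"
        for ip, entry in sorted(stats.items())
        if entry["count"] >= threshold and ip not in already_denied
    ]

if __name__ == "__main__":
    stats = count_failures(SAMPLE_LOG)
    for line in deny_entries(stats, threshold=3):
        print(line)  # lines an administrator would append to /etc/hosts.deny
```

In the last sample line the embedded "from 192.0.2.1" is part of the submitted user name, so the failure is attributed to 198.51.100.9 and the address inside the name is never counted.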
At present, the Oracle system is denied access by 9797 computers that have installed the DenyHosts tool. A system in China, which has been active for 220 days, is blocked by 11365 servers, and a computer registered in the net block of web hosting provider Webperoni is on top of the list, with 11391 servers denying access from this system.
The DenyHosts statistics have been updated, and the Oracle and Webperoni systems are no longer listed on the shame list. It seems that an incorrectly configured server, which repeatedly sent its information to the statistics server, caused the enormously high counts.
- DenyHosts - Summary of Activity, DenyHosts statistics