Anon E. Muss <anonymous@example.org> writes:
>I recently noticed excessive activity on my router's activity LED and
>did a little investigating. As immediate action, I used a big hammer
>and firewalled off 218/8 until I can figure out what is going on here.
>Yesterday, it was 201/8.
>Below is most of the output of netstat. Can someone let me know what is
>going on here? SynFlood?? Also, any suggestions??
>===== BEGIN =====
>Active Internet connections (w/o servers)
>Proto Recv-Q Send-Q Local Address Foreign Address State
>tcp 0 0 x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh TIME_WAIT
<snip>
As several folks have noted, this is a standard ssh scan (we take between 4 and
5 a day down our entire class B). As this looks to be a Unix host, try
fail2ban, which will block the IP for 5 minutes or so after a number of
failures:
fail2ban:
http://www.fail2ban.org/, which blocks via a local firewall
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
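The behaviour Peter describes (count failed ssh logins per source address, then block that address for a few minutes) as an added example, not fail2ban's own code or filter: a small Python detector run over constructed sshd log lines. The regex, the maxretry/findtime thresholds and the 192.0.2.10 address are assumptions; 218.25.160.246 is the address from the netstat output above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line, simplified (constructed pattern, not
# fail2ban's own filter); the ip group is what a ban rule would act on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def find_bans(lines, maxretry=5, findtime=600, bantime=300, year=2006):
    """Return {ip: ban-expiry datetime} for IPs that reach maxretry failed
    logins within findtime seconds; each ban lasts bantime seconds (300 s =
    the "5 minutes or so" in the thread). syslog stamps carry no year, so
    one is assumed."""
    recent = defaultdict(deque)  # ip -> timestamps of failures in window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed-login line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if ip in bans and ts < bans[ip]:
            continue  # still banned: the firewall would have dropped this
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures outside the window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans

# Constructed sample log: one scanner hammering sshd, one legitimate user typo.
SAMPLE_LOG = """\
Jan 15 03:14:01 gw sshd[2201]: Failed password for invalid user admin from 218.25.160.246 port 37775 ssh2
Jan 15 03:14:03 gw sshd[2203]: Failed password for invalid user test from 218.25.160.246 port 37776 ssh2
Jan 15 03:14:05 gw sshd[2205]: Failed password for root from 218.25.160.246 port 37777 ssh2
Jan 15 03:14:07 gw sshd[2207]: Failed password for invalid user oracle from 218.25.160.246 port 37778 ssh2
Jan 15 03:14:09 gw sshd[2209]: Failed password for invalid user guest from 218.25.160.246 port 37779 ssh2
Jan 15 03:14:11 gw sshd[2211]: Failed password for root from 218.25.160.246 port 37780 ssh2
Jan 15 03:20:00 gw sshd[2300]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jan 15 03:20:40 gw sshd[2301]: Accepted password for alice from 192.0.2.10 port 51023 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%H:%M:%S}")  # ban 218.25.160.246 until 03:19:09
```

The scanner is banned on its fifth failure and its sixth attempt is ignored as already blocked, while the single failure from 192.0.2.10 never reaches the threshold.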