[K12OSN] SSH

John Lucas mrjohnlucas at gmail.com
Mon Feb 5 17:24:50 UTC 2007


It is important that you find out who on your network is port scanning. If you 
are behind a NAT firewall, it could be coming from any host on your net, not 
just the Linux hosts. First step would be to monitor your net just *inside* 
your perimeter firewall with a protocol analyzer (filtering tcp port 22) to 
find out which host is doing the scanning. If you connect to the firewall 
through a switch, you will have to put the protocol analyzer (e.g. ethereal) 
on "monitor port" on a managed switch or insert a hub (not a switch) inline 
on an unmanaged switch so that all net traffic can be "seen" by the analyzer.

Next find out who is logged into that host and what processes are running. If 
it *is* your Linux host, look for who is running typical scanning programs 
(e.g. nmap) and deal with that user. You can also disable or remove such 
software by changing ownership and permissions (allow only those in group 
wheel to run nmap for instance). Linux hosts are not the only ones capable of 
port scanning.

There is the possibility that some computer on your net has been hacked. Check 
out the procedures for recovery at http://www.cert.org/

It is also possible that your ISP has jumped the gun, so insist on seeing the 
evidence and make sure it is scanning and not legitimate ssh usage. You might 
restrict outgoing traffic more strictly, including blocking outgoing ssh 
traffic until the problem is found and fixed. You could (for instance) block 
outbound tcp/22, and still run sshd on an alternate port for 
incoming traffic (in a pinch).

That ought to get you started; good luck.


On Monday 05 February 2007 12:25, Tim Hart wrote:
> I am getting my Linux servers shut down by my ISP for outbound ssh
> scanning. I can turn it off but would like to know what the issue could be
> so I can still use ssh. Ideas?
>
> Tim

-- 
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                          MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W                        AST (UTC-4)                         |
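The first step in the reply above (watching tcp/22 from just inside the perimeter and finding which host opens connections to many different ssh servers) can be scripted against a capture. This is an added example, not part of the original message; the capture lines are constructed tcpdump-style output, and the threshold of five distinct destinations is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style lines, as you would see them on a
# monitor port with the filter "tcp port 22". Not real traffic from the list.
SAMPLE_CAPTURE = """\
12:01:01.000 IP 192.168.1.20.40112 > 10.0.0.5.22: Flags [S], seq 1
12:01:01.100 IP 192.168.1.20.40113 > 10.0.0.6.22: Flags [S], seq 2
12:01:01.200 IP 192.168.1.20.40114 > 10.0.0.7.22: Flags [S], seq 3
12:01:01.300 IP 192.168.1.20.40115 > 10.0.0.8.22: Flags [S], seq 4
12:01:01.400 IP 192.168.1.20.40116 > 10.0.0.9.22: Flags [S], seq 5
12:01:02.000 IP 192.168.1.31.51000 > 203.0.113.10.22: Flags [S], seq 6
12:01:02.050 IP 192.168.1.31.51000 > 203.0.113.10.22: Flags [P.], seq 7
12:01:03.000 IP 192.168.1.31.51001 > 203.0.113.10.22: Flags [S], seq 8
"""

# Only the SYN that opens a connection counts; data packets of an
# established session ([P.]) are ignored so a busy legitimate session is
# not mistaken for a scan.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.22: Flags \[S\]"
)


def outbound_ssh_targets(capture):
    """Map each source host to the set of distinct hosts it opened
    tcp/22 connections to."""
    targets = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst = m.groups()
            targets[src].add(dst)
    return targets


def suspected_scanners(capture, threshold=5):
    """Return sources that opened ssh connections to at least `threshold`
    distinct servers. A user talks to a handful of known servers; a scanner
    walks an address range, so distinct destinations separate the two better
    than a raw connection count would."""
    return sorted(
        src for src, dsts in outbound_ssh_targets(capture).items()
        if len(dsts) >= threshold
    )
```

With the sample above, 192.168.1.20 is reported and 192.168.1.31 (three connections to one server) is not, which is the "scanning versus legitimate ssh usage" distinction the reply asks for before acting on the ISP's complaint.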