[K12OSN] SSH
Les Mikesell
les at futuresource.com
Tue Feb 6 02:10:45 UTC 2007
John Lucas wrote:
>> There is a lot of brute force password guessing going on, though, so
>> there are probably automated scripts and perhaps trojans of some sort
>> doing it. If you have port 22 open inbound, you'll probably see a lot
>> of login attempts with user names that don't exist and/or bad passwords.
>>
>
> Dictionary attacks don't look like port scanning.
I suspect they do from the originating side. I see perhaps a dozen or
so attempts from one site in a day. I'm guessing, but I think that same
site is probably also sending a dozen attempts to thousands of
other places to keep the traffic down to a level that nobody will
notice. And it's probably probing random addresses as fast as it can as
well as doing some retries on the ones that accept connections.
>> If you have a port that can monitor all outbound connections you can:
>> tcpdump port 22
>> and watch for one internal address trying to connect to a lot of
>> different destinations. If you've connected to the monitor host via
>> ssh yourself, make that:
>> tcpdump port 22 and not host my_ip_address
>> to keep your own traffic from cluttering what you see.
>
> Right, assuming that the protocol analyzer can see the traffic and that the
> offending host can be identified. Many sites use NAT firewalls, making all
> traffic look like it comes from a single host to the outside world (i.e. the
> ISP).
If it is your network, you should know where to sniff or how to ask the
nat device for its translations. But you could verify that the traffic
exists or not even past the nat.
--
Les Mikesell
les at futuresource.com
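The "one internal address trying to connect to a lot of different destinations" check from the tcpdump suggestion above, as an added example that is not part of the original message: it reads tcpdump -n style lines (the line shape and the sample packets below are constructed, and the addresses, the threshold and the `monitor_ip` exclusion that stands in for `not host my_ip_address` are assumptions), keeps only outbound SYNs to port 22, and flags any source that reached more distinct hosts than the threshold. As the thread notes, this only works where the sniffing point still sees the pre-NAT internal source addresses.

```python
import re
from collections import defaultdict

# Assumed "tcpdump -n port 22" line shape (constructed samples below):
# "HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: Flags [S], seq ..., length 0"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: 10.0.0.5 probes six hosts, 10.0.0.9 retries one host,
# 10.0.0.2 is the monitor's own ssh session, last line is port 80 noise.
SAMPLE = """\
02:10:45.000001 IP 10.0.0.5.51234 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000002 IP 203.0.113.7.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
02:10:45.000003 IP 10.0.0.5.51235 > 203.0.113.8.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000004 IP 10.0.0.5.51236 > 203.0.113.9.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000005 IP 10.0.0.5.51237 > 198.51.100.4.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000006 IP 10.0.0.5.51238 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000007 IP 10.0.0.5.51239 > 198.51.100.6.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000008 IP 10.0.0.9.40000 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000009 IP 10.0.0.9.40001 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000010 IP 10.0.0.2.40002 > 203.0.113.50.22: Flags [S], seq 1, win 64240, length 0
02:10:45.000011 IP 10.0.0.5.51240 > 203.0.113.7.80: Flags [S], seq 1, win 64240, length 0
""".splitlines()


def outbound_ssh_syns(lines, monitor_ip=None):
    """Map each source address to the set of distinct hosts it sent a
    bare SYN to on port 22; monitor_ip mimics 'and not host my_ip_address'."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "22":
            continue
        flags = m.group("flags")
        if "S" not in flags or "." in flags:
            continue  # only new connection attempts, not SYN-ACK replies
        src, dst = m.group("src"), m.group("dst")
        if monitor_ip in (src, dst):
            continue
        targets[src].add(dst)
    return targets


def flag_scanners(lines, monitor_ip=None, threshold=5):
    """Return {src: distinct_destination_count} for sources at or above threshold."""
    per_src = outbound_ssh_syns(lines, monitor_ip)
    return {src: len(d) for src, d in per_src.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, count in flag_scanners(SAMPLE, monitor_ip="10.0.0.2").items():
        print(f"{src} opened ssh connections to {count} distinct hosts")
```

A real run would feed `tcpdump -n -l port 22` output into `flag_scanners` over a time window; a host that legitimately administers many machines will also trip it, so the threshold is a starting point, not a verdict.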