[K12OSN] SSH

Les Mikesell les at futuresource.com
Tue Feb 6 02:10:45 UTC 2007


John Lucas wrote:

>> There is a lot of brute force password guessing going on, though, so
>> there are probably automated scripts and perhaps trojans of some sort
>> doing it.  If you have port 22 open inbound, you'll probably see a lot
>> of login attempts with user names that don't exist and/or bad passwords.
>>
> 
> Dictionary attacks don't look like port scanning.

I suspect they do from the originating side.  I see perhaps a dozen or 
so attempts from one site in a day.  I'm guessing, but I think that same 
site is probably also sending a dozen attempts to thousands of 
other places to keep the traffic down to a level that nobody will 
notice.  And it's probably probing random addresses as fast as it can as 
well as doing some retries on the ones that accept connections.

>> If you have a port that can monitor all outbound connections you can:
>> tcpdump port 22
>> and watch for one internal address trying to connect to a lot of
>> different destinations.   If you've connected to the monitor host via
>> ssh yourself, make that:
>> tcpdump port 22 and not host my_ip_address
>> to keep your own traffic from cluttering what you see.
> 
> Right, assuming that the protocol analyzer can see the traffic and that the 
> offending host can be identified. Many sites use NAT firewalls, making all 
> traffic look like it comes from a single host to the outside world (i.e. the 
> ISP).

If it is your network, you should know where to sniff or how to ask the 
nat device for its translations.  But you could verify that the traffic 
exists or not even past the nat.

-- 
   Les Mikesell
    les at futuresource.com
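The detection approach quoted above (watching `tcpdump port 22` output for one internal address fanning out to many different destinations, with your own host filtered out) as a small added example; this is not code from the thread, and it assumes tcpdump's default IPv4 line format and a constructed sample capture:

```python
import re
from collections import defaultdict

# Matches the "IP src.port > dst.port: Flags [S]" part of a tcpdump TCP line (IPv4 default output, an assumption here).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (src, dst, dport, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]

def fan_out(lines, my_ip=None, port=22):
    """Map each source to the distinct destinations it sent a bare SYN to on
    `port`. A bare SYN is a new connection attempt, so a large set means one
    host trying many SSH servers. `my_ip` reproduces 'and not host my_ip'."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if dport != port or flags != "S" or my_ip in (src, dst):
            continue
        seen[src].add(dst)
    return seen

def suspects(lines, threshold=5, my_ip=None):
    """Sources that contacted at least `threshold` distinct SSH destinations."""
    return {s: len(d) for s, d in fan_out(lines, my_ip).items() if len(d) >= threshold}

# Constructed sample capture: 10.0.0.7 fans out to six hosts, 10.0.0.9 talks to
# one server repeatedly, 10.0.0.1 is the admin's own workstation.
SAMPLE = [
    f"02:10:{i:02d}.000000 IP 10.0.0.7.4{i:04d} > 203.0.113.{i}.22: Flags [S], seq 1, win 65535, length 0"
    for i in range(1, 7)
] + [
    "02:11:00.000000 IP 10.0.0.9.50000 > 198.51.100.4.22: Flags [S], seq 1, win 65535, length 0",
    "02:11:01.000000 IP 10.0.0.9.50000 > 198.51.100.4.22: Flags [.], ack 1, win 65535, length 0",
    "02:11:02.000000 IP 10.0.0.1.50002 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0",
    "02:11:03.000000 IP 10.0.0.1.50003 > 192.0.2.11.22: Flags [S], seq 1, win 65535, length 0",
]
if __name__ == "__main__":
    for src, n in suspects(SAMPLE, my_ip="10.0.0.1").items():
        print(f"{src}: {n} distinct SSH destinations")
```

On a real network you would pipe `tcpdump -n port 22` into this instead of the sample list; behind a NAT device, as the reply notes, you need to capture on the inside interface or the fan-out collapses to one address.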
