[K12OSN] SSH

[Les Mikesell]

John Lucas wrote:
> Port scanning is the examination of remote systems for available services and 
> is a usual preliminary used by "crackers" to exploit a vulnerable service for 
> break-in. In this case it probably means that tcp port 22 on *many* remote 
> systems were being probed to see if the service is accessable. Next step 
> would be to determine the version of the service and what platform it is on 
> to see if it can be exploited. As an example a simple "telnet somehost 22" 
> might return: "SSH-1.99-OpenSSH_3.5p1". There could be automated tools that 
> discover vulnerable systems and also automates the exploit (one does not have 
> to be clever).
> 
> AFAIK there is no current exploit on recent SSH services, so one would have to 
> be looking for really old versions.

There is a lot of brute force password guessing going on, though, so 
there are probably automated scripts and perhaps trojans of some sort 
doing it.  If you have port 22 open inbound, you'll probably see a lot 
of login attempts with user names that don't exist and/or bad passwords.

If you have a port that can monitor all outbound connections you can:
tcpdump port 22
and watch for one internal address trying to connect to a lot of 
different destinations.   If you've connected to the monitor host via 
ssh yourself, make that:
tcpdump port 22 and not host my_ip_address
to keep your own traffic from cluttering what you see.

-- 
   Les Mikesell
    les at futuresource.com