[K12OSN] SSH
Abraham Rolick
ARolick at fillmore.k12.ca.us
Mon Feb 5 18:59:56 UTC 2007
It will be a bit more involved, but the reporting will be much better if
you consider using an IDS such as Snort. It has the ability to detect
the scans based on certain criteria that you can define.
-Abe
-----Original Message-----
From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On
Behalf Of Les Mikesell
Sent: Monday, February 05, 2007 10:03 AM
To: Support list for open source software in schools.
Subject: Re: [K12OSN] SSH
John Lucas wrote:
> Port scanning is the examination of remote systems for available
services and
> is a usual preliminary used by "crackers" to exploit a vulnerable
service for
> break-in. In this case it probably means that tcp port 22 on *many*
remote
> systems were being probed to see if the service is accessable. Next
step
> would be to determine the version of the service and what platform it
is on
> to see if it can be exploited. As an example a simple "telnet somehost
22"
> might return: "SSH-1.99-OpenSSH_3.5p1". There could be automated tools
that
> discover vulnerable systems and also automates the exploit (one does
not have
> to be clever).
>
> AFAIK there is no current exploit on recent SSH services, so one would
have to
> be looking for really old versions.
There is a lot of brute force password guessing going on, though, so
there are probably automated scripts and perhaps trojans of some sort
doing it. If you have port 22 open inbound, you'll probably see a lot
of login attempts with user names that don't exist and/or bad passwords.
If you have a port that can monitor all outbound connections you can:
tcpdump port 22
and watch for one internal address trying to connect to a lot of
different destinations. If you've connected to the monitor host via
ssh yourself, make that:
tcpdump port 22 and not host my_ip_address
to keep your own traffic from cluttering what you see.
--
Les Mikesell
les at futuresource.com
_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
More information about the K12OSN
mailing list