[K12OSN] SSH

Abraham Rolick ARolick at fillmore.k12.ca.us
Mon Feb 5 18:59:56 UTC 2007


It will be a bit more involved, but the reporting will be much better if
you consider using an IDS such as Snort.  It has the ability to detect
the scans based on certain criteria that you can define.

-Abe

-----Original Message-----
From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com] On
Behalf Of Les Mikesell
Sent: Monday, February 05, 2007 10:03 AM
To: Support list for open source software in schools.
Subject: Re: [K12OSN] SSH

John Lucas wrote:
> Port scanning is the examination of remote systems for available services and
> is a usual preliminary used by "crackers" to exploit a vulnerable service for
> break-in. In this case it probably means that tcp port 22 on *many* remote
> systems was being probed to see if the service is accessible. Next step
> would be to determine the version of the service and what platform it is on
> to see if it can be exploited. As an example a simple "telnet somehost 22"
> might return: "SSH-1.99-OpenSSH_3.5p1". There could be automated tools that
> discover vulnerable systems and also automate the exploit (one does not have
> to be clever).
> 
> AFAIK there is no current exploit on recent SSH services, so one would have to
> be looking for really old versions.

There is a lot of brute force password guessing going on, though, so 
there are probably automated scripts and perhaps trojans of some sort 
doing it.  If you have port 22 open inbound, you'll probably see a lot 
of login attempts with user names that don't exist and/or bad passwords.

If you have a port that can monitor all outbound connections you can:
tcpdump port 22
and watch for one internal address trying to connect to a lot of 
different destinations.   If you've connected to the monitor host via 
ssh yourself, make that:
tcpdump port 22 and not host my_ip_address
to keep your own traffic from cluttering what you see.

-- 
   Les Mikesell
    les at futuresource.com
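Added example, not part of the thread above: a POSIX shell script that turns the two checks Les describes into something you can run over captured input. ssh_fanout reads "tcpdump -n port 22" output and reports internal addresses that sent SYNs to many distinct SSH servers (with the same "and not host my_ip_address" exclusion), and ssh_bruteforce reads an OpenSSH auth log and reports remote addresses with many "Failed password" entries and how many non-existent user names each one tried. The -n flag is assumed: the bare "tcpdump port 22" from the message resolves names, printing "ssh" instead of "22" and host names instead of addresses, which this parser does not handle. The addresses, host name "ltsp", thresholds and every log line below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the K12OSN thread): two checks over constructed sample
# input, one for an internal host fanning out to many SSH servers (the
# "tcpdump port 22" idea) and one for password guessing against our own sshd.
# Assumes the capture was made with "tcpdump -n port 22" (no name resolution,
# so addresses and the port number 22 appear as digits). All addresses and
# log lines below are made up for the example.

# Report sources that sent SYNs to at least $1 distinct SSH servers.
# $2 (optional) is your own workstation, excluded exactly as
# "tcpdump port 22 and not host my_ip_address" would exclude it.
ssh_fanout() {
    awk -v thr="$1" -v skip="$2" '
        # Only connection attempts: "Flags [S]," is a SYN without ACK.
        # Replies carry "[S.]," and data packets "[P.]," and are ignored.
        $2 == "IP" && $7 == "[S]," {
            src = $3; dst = $5
            sub(/:$/, "", dst)            # "203.0.113.7.22:" -> "203.0.113.7.22"
            sub(/\.[0-9]+$/, "", src)     # drop the ephemeral source port
            sub(/\.[0-9]+$/, "", dst)     # drop the destination port (22)
            if (src == skip || dst == skip) next
            key = src SUBSEP dst
            # count distinct peers per source, so SYN retransmits do not inflate it
            if (!(key in seen)) { seen[key] = 1; fanout[src]++ }
        }
        END { for (s in fanout) if (fanout[s] >= thr) print s, fanout[s] }
    ' | LC_ALL=C sort
}

# Report remote addresses with at least $1 "Failed password" entries in an
# OpenSSH auth log, plus how many distinct non-existent user names each tried.
ssh_bruteforce() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        /sshd\[[0-9]+\]: Invalid user / {
            if (match($0, /Invalid user [^ ]+ from [^ ]+/)) {
                split(substr($0, RSTART, RLENGTH), a, " ")   # a[3] = user, a[5] = address
                key = a[5] SUBSEP a[3]
                if (!(key in seen)) { seen[key] = 1; invalid[a[5]]++ }
            }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip], invalid[ip] + 0 }
    ' | LC_ALL=C sort
}

# Constructed "tcpdump -n port 22" output seen from the monitor host:
# 192.168.1.50 walks an external range, 192.168.1.20 makes one normal
# connection, and 192.168.1.2 is the administrator's own workstation.
SAMPLE_TCPDUMP='10:03:01.100001 IP 192.168.1.50.51234 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
10:03:01.100234 IP 203.0.113.7.22 > 192.168.1.50.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
10:03:01.200001 IP 192.168.1.50.51235 > 203.0.113.8.22: Flags [S], seq 1, win 64240, length 0
10:03:01.300001 IP 192.168.1.50.51236 > 203.0.113.9.22: Flags [S], seq 1, win 64240, length 0
10:03:01.400001 IP 192.168.1.50.51237 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
10:03:01.500001 IP 192.168.1.50.51238 > 203.0.113.11.22: Flags [S], seq 1, win 64240, length 0
10:03:01.600001 IP 192.168.1.50.51239 > 203.0.113.7.22: Flags [S], seq 1, win 64240, length 0
10:03:02.000001 IP 192.168.1.20.40001 > 203.0.113.50.22: Flags [S], seq 1, win 64240, length 0
10:03:02.500001 IP 192.168.1.2.55000 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0'

# Constructed OpenSSH auth log: one guesser trying names that do not exist
# plus root, one single failure, and one legitimate key login.
SAMPLE_AUTHLOG='Feb  5 10:02:11 ltsp sshd[12345]: Invalid user admin from 198.51.100.23
Feb  5 10:02:13 ltsp sshd[12345]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Feb  5 10:02:18 ltsp sshd[12347]: Invalid user oracle from 198.51.100.23
Feb  5 10:02:19 ltsp sshd[12347]: Failed password for invalid user oracle from 198.51.100.23 port 40125 ssh2
Feb  5 10:02:25 ltsp sshd[12350]: Failed password for root from 198.51.100.23 port 40130 ssh2
Feb  5 10:02:27 ltsp sshd[12350]: Failed password for root from 198.51.100.23 port 40130 ssh2
Feb  5 10:03:40 ltsp sshd[12360]: Failed password for root from 203.0.113.9 port 3310 ssh2
Feb  5 10:05:00 ltsp sshd[12400]: Accepted publickey for les from 192.168.1.2 port 50000 ssh2'

echo "== hosts contacting >= 3 distinct SSH servers (ignoring 192.168.1.2) =="
printf '%s\n' "$SAMPLE_TCPDUMP" | ssh_fanout 3 192.168.1.2
echo "== sources with >= 3 failed SSH passwords (failures, distinct bad users) =="
printf '%s\n' "$SAMPLE_AUTHLOG" | ssh_bruteforce 3
```

On a live monitor host the same functions take a pipe, e.g. "tcpdump -n -l port 22 | ssh_fanout 20 my_ip_address" (-l line-buffers the output) and "ssh_bruteforce 10 < /var/log/secure" on a Red Hat based box (/var/log/auth.log on Debian). Counting distinct destinations rather than raw packets is deliberate: a host whose SYNs get no answer retransmits them, which would otherwise make one stuck connection look like a scan.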


_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>