[K12OSN] SSH

John Lucas mrjohnlucas at gmail.com
Tue Feb 6 01:33:33 UTC 2007


On Monday 05 February 2007 14:03, Les Mikesell wrote:
> John Lucas wrote:
> > Port scanning is the examination of remote systems for available services
> > and is a usual preliminary used by "crackers" to exploit a vulnerable
> > service for break-in. In this case it probably means that tcp port 22 on
> > *many* remote systems were being probed to see if the service is
> > accessible. Next step would be to determine the version of the service
> > and what platform it is on to see if it can be exploited. As an example a
> > simple "telnet somehost 22" might return: "SSH-1.99-OpenSSH_3.5p1". There
> > could be automated tools that discover vulnerable systems and also
> > automates the exploit (one does not have to be clever).
> >
> > AFAIK there is no current exploit on recent SSH services, so one would
> > have to be looking for really old versions.
>
> There is a lot of brute force password guessing going on, though, so
> there are probably automated scripts and perhaps trojans of some sort
> doing it.  If you have port 22 open inbound, you'll probably see a lot
> of login attempts with user names that don't exist and/or bad passwords.
>

Dictionary attacks don't look like port scanning. The ISP has to clarify what 
it is *exactly* they are responding to. The original poster and one of the 
other responders didn't know what the ISP was referring to, so I tried to 
explain what I *think* they were referring to and (in an earlier post) how to 
go about dealing with the apparent problem.

> If you have a port that can monitor all outbound connections you can:
> tcpdump port 22
> and watch for one internal address trying to connect to a lot of
> different destinations.   If you've connected to the monitor host via
> ssh yourself, make that:
> tcpdump port 22 and not host my_ip_address
> to keep your own traffic from cluttering what you see.

Right, assuming that the protocol analyzer can see the traffic and that the 
offending host can be identified. Many sites use NAT firewalls, making all 
traffic look like it comes from a single host to the outside world (i.e. the 
ISP). The poster would have to give more info about his net in order to get 
more specific assistance. From what has been described so far (next to 
nothing) I wouldn't assume that the scanning even comes from a Linux host. I 
know one thing, if the ISP cut off the entire net (or even completely cut off 
a single host) without direct notification and an exact description of the 
problem, I would be looking for a new ISP. If a user on my net is violating 
the ISP's policies, give me a chance to fix the problem and don't punish all 
my users.

-- 
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                          MrJohnLucas at gmail.com               |
| St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W                        AST (UTC-4)                         |
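The tcpdump procedure quoted above (watch outbound tcp/22 and look for one internal address connecting to many different destinations, optionally leaving out your own host) can be automated with a small script. The following is an added example for this thread, not code from either poster: it parses the default `tcpdump -n` text line shape (an assumption about the output format), counts distinct destination hosts per source for initial SYNs to port 22, and flags sources above a threshold. The sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the default "tcpdump -n" IPv4 TCP line shape (assumption: other
# tcpdump options or IPv6 traffic change the field layout and will not match):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict with src, dst, dport and flags, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
    }


def count_ssh_targets(lines, exclude_hosts=()):
    """Map each source address to the set of distinct hosts it sent a SYN to on tcp/22.

    exclude_hosts plays the role of "and not host my_ip_address" in the tcpdump
    filter: traffic to or from those hosts is ignored.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 22:
            continue
        # Only the initial SYN ("S") counts as a connection attempt; SYN-ACK
        # replies ("S.") and established-session segments are skipped.
        if rec["flags"] != "S":
            continue
        if rec["src"] in exclude_hosts or rec["dst"] in exclude_hosts:
            continue
        targets[rec["src"]].add(rec["dst"])
    return targets


def flag_scanners(lines, threshold=5, exclude_hosts=()):
    """Return sorted source addresses that reached at least `threshold` distinct tcp/22 hosts."""
    targets = count_ssh_targets(lines, exclude_hosts)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


# Constructed sample capture: 10.0.0.5 probes six external hosts on tcp/22,
# 10.0.0.2 (the monitor host's own address) makes five ordinary connections,
# 10.0.0.9 makes one, and one line is tcp/80 noise.
SAMPLE_CAPTURE = """\
11:02:01.000001 IP 10.0.0.5.40001 > 203.0.113.10.22: Flags [S], seq 1, win 5840, length 0
11:02:01.000002 IP 203.0.113.10.22 > 10.0.0.5.40001: Flags [S.], seq 2, ack 2, win 5792, length 0
11:02:01.000003 IP 10.0.0.5.40002 > 203.0.113.11.22: Flags [S], seq 1, win 5840, length 0
11:02:01.000004 IP 10.0.0.5.40003 > 203.0.113.12.22: Flags [S], seq 1, win 5840, length 0
11:02:01.000005 IP 10.0.0.5.40004 > 203.0.113.13.22: Flags [S], seq 1, win 5840, length 0
11:02:01.000006 IP 10.0.0.5.40005 > 203.0.113.14.22: Flags [S], seq 1, win 5840, length 0
11:02:01.000007 IP 10.0.0.5.40006 > 203.0.113.15.22: Flags [S], seq 1, win 5840, length 0
11:02:02.000001 IP 10.0.0.5.40007 > 203.0.113.10.22: Flags [S], seq 1, win 5840, length 0
11:02:02.000002 IP 10.0.0.5.40010 > 203.0.113.20.80: Flags [S], seq 1, win 5840, length 0
11:02:03.000001 IP 10.0.0.9.50000 > 198.51.100.5.22: Flags [S], seq 1, win 5840, length 0
11:02:04.000001 IP 10.0.0.2.51001 > 198.51.100.1.22: Flags [S], seq 1, win 5840, length 0
11:02:04.000002 IP 10.0.0.2.51002 > 198.51.100.2.22: Flags [S], seq 1, win 5840, length 0
11:02:04.000003 IP 10.0.0.2.51003 > 198.51.100.3.22: Flags [S], seq 1, win 5840, length 0
11:02:04.000004 IP 10.0.0.2.51004 > 198.51.100.4.22: Flags [S], seq 1, win 5840, length 0
11:02:04.000005 IP 10.0.0.2.51005 > 198.51.100.5.22: Flags [S], seq 1, win 5840, length 0
"""
SAMPLE_LINES = SAMPLE_CAPTURE.splitlines()

if __name__ == "__main__":
    # Without an exclusion the monitor host's own traffic shows up as a false
    # positive; excluding it, as the quoted tcpdump filter does, leaves 10.0.0.5.
    print("all sources:", flag_scanners(SAMPLE_LINES))
    print("excluding monitor host:", flag_scanners(SAMPLE_LINES, exclude_hosts=("10.0.0.2",)))
```

In practice the lines would come from `tcpdump -n port 22` piped into the script; the threshold is a site choice, and as the reply notes, behind a NAT firewall the source seen by the ISP will not be the internal host, so this has to run on the inside of the NAT to be useful.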