[K12OSN] SSH

Rob Owens hick518 at yahoo.com
Mon Feb 5 19:32:01 UTC 2007


I think John Lucas has got it right in his post below.  Your ISP is saying that somebody on *your* network is doing the port-scanning.

If it's coming from a Linux machine, the program being used is probably nmap.  Here's an idea that I don't know how to implement, but perhaps someone on the list could help:  Replace your nmap binary with a script that reports to you who called that script (i.e., which user attempted to use nmap).  I would only do this if there are no legitimate reasons for your users to use nmap.

-Rob
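One way to implement the wrapper Rob describes, as an added example that is not part of the original thread: a POSIX shell script that takes the place of the nmap binary, reports the calling user to syslog, and (following John's group-permission suggestion) only hands over to the real scanner for members of an allowed group. The path /usr/local/sbin/nmap.real for the moved-aside binary and the group name wheel are assumptions.

```shell
#!/bin/sh
# Wrapper installed in place of the nmap binary.  The real scanner is assumed
# to have been moved to /usr/local/sbin/nmap.real (assumption, not a standard path).
REAL_NMAP="${REAL_NMAP:-/usr/local/sbin/nmap.real}"
ALLOWED_GROUP="${ALLOWED_GROUP:-wheel}"   # group permitted to run the real scanner

# Compose one audit line: invoking user (the sudo caller if any), numeric uid,
# parent pid, controlling tty and the arguments nmap was given.
nmap_audit_line() {
    _user=${SUDO_USER:-$(id -un)}
    _tty=$(tty 2>/dev/null) || _tty=notty
    printf 'nmap invoked by user=%s uid=%s ppid=%s tty=%s args=[%s]' \
        "$_user" "$(id -u)" "$PPID" "$_tty" "$*"
}

# Return 0 if the first argument names one of the groups that follow it
# (normally the output of `id -Gn`), 1 otherwise.
in_group() {
    _want=$1
    shift
    for _g in "$@"; do
        [ "$_g" = "$_want" ] && return 0
    done
    return 1
}

# Send the audit line to syslog (auth facility) when logger(1) exists,
# otherwise to stderr so it is never silently lost.
report() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t nmap-wrapper "$1"
    else
        printf '%s\n' "$1" >&2
    fi
}

# Act as the wrapper only when the real binary is present; sourcing this file
# to exercise the functions above then has no side effects.
if [ -x "$REAL_NMAP" ]; then
    report "$(nmap_audit_line "$@")"
    # word-splitting of `id -Gn` output is intended here
    if in_group "$ALLOWED_GROUP" $(id -Gn); then
        exec "$REAL_NMAP" "$@"
    fi
    echo "nmap: not permitted for $(id -un) on this host; this attempt has been logged" >&2
    exit 77
fi
```

Install it with the real binary moved aside and the wrapper owned by root and mode 0755, so that every invocation, permitted or not, leaves a syslog record naming the user.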

On Mon, Feb 05, 2007 at 01:24:50PM -0400, John Lucas wrote:
> It is important that you find out who on your network is port scanning. If you
> are behind a NAT firewall, it could be coming from any host on your net, not
> just the Linux hosts. First step would be to monitor your net just *inside*
> your perimeter firewall with a protocol analyzer (filtering tcp port 22) to
> find out which host is doing the scanning. If you connect to the firewall
> through a switch, you will have to put the protocol analyzer (i.e. ethereal)
> on "monitor port" on a managed switch or insert a hub (not a switch) inline
> on an unmanaged switch so that all net traffic can be "seen" by the analyzer.
> 
> Next find out who is logged into that host and what processes are running. If
> it *is* your linux host, look for who is running typical scanning programs
> (i.e. nmap) and deal with that user. You can also disable or remove such
> software by changing ownership and permissions (allow only those in group
> wheel to run nmap for instance). Linux hosts are not the only ones capable of
> port scanning.
> 
> There is the possibility that some computer on your net has been hacked. Check
> out the procedures for recovery at http://www.cert.org/
> 
> It is also possible that your ISP has jumped the gun, so insist on seeing the
> evidence and make sure it is scanning and not legitimate ssh usage. You might
> restrict outgoing traffic more strictly, including blocking outgoing ssh
> traffic until the problem is found and fixed. You could (for instance) block
> outgoing outbound tcp/22, and still run sshd on an alternate port for
> incoming traffic (in a pinch).
> 
> That ought to get you started; good luck.
> 
> 
> On Monday 05 February 2007 12:25, Tim Hart wrote:
> > I am getting my Linux servers shut down by my ISP for outbound ssh
> > scanning. I can turn it off but would like to know what the issue could be
> > so I can still use ssh. Ideas?
> >
> > Tim
> >
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN at redhat.com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> 
> -- 
>         "History doesn't repeat itself; at best it rhymes."
>                         - Mark Twain
> 
> | John Lucas                          MrJohnLucas at gmail.com               |
> | St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
> | 18.3°N, 65°W                        AST (UTC-4)                         |
> 



 