
Re: [K12OSN] SSH



John Lucas wrote:

There is a lot of brute force password guessing going on, though, so
there are probably automated scripts and perhaps trojans of some sort
doing it.  If you have port 22 open inbound, you'll probably see a lot
of login attempts with user names that don't exist and/or bad passwords.


Dictionary attacks don't look like port scanning.

I suspect they do from the originating side. I see perhaps a dozen or so attempts from one site in a day. I'm guessing, but I think that same site is probably also sending a dozen attempts to thousands of other places to keep the traffic down to a level that nobody will notice. And it's probably probing random addresses as fast as it can as well as doing some retries on the ones that accept connections.

If you have a port that can monitor all outbound connections you can:
tcpdump port 22
and watch for one internal address trying to connect to a lot of
different destinations.   If you've connected to the monitor host via
ssh yourself, make that:
tcpdump port 22 and not host my_ip_address
to keep your own traffic from cluttering what you see.

Right, assuming that the protocol analyzer can see the traffic and that the offending host can be identified. Many sites use NAT firewalls, making all traffic look like it comes from a single host to the outside world (i.e. the ISP).

If it is your network, you should know where to sniff or how to ask the NAT device for its translations. But you could verify that the traffic exists or not even past the NAT.

--
  Les Mikesell
   les futuresource com
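The detection described in the thread, watching tcpdump output for one internal address opening SSH connections to many different destinations, can be automated with a short pipeline. The following is an added example written for this page, not code from the list or its participants. It assumes tcpdump was run with `-nn` (numeric hosts and ports), so each line looks like `HH:MM:SS.ffffff IP SRC.PORT > DST.22: Flags [S], ...`; the function name `flag_ssh_scanners`, the threshold argument, and the sample capture are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): count distinct SSH
# destinations per source in tcpdump-style output and report sources that
# reach many different hosts, the pattern the thread describes.
#
# Assumes lines produced by: tcpdump -nn -l port 22
# i.e. "HH:MM:SS.ffffff IP SRC.PORT > DST.22: Flags [S], seq ..."
# Only client SYNs to port 22 ("Flags [S]") are counted, so server replies
# ("Flags [S.]") and data packets of established sessions are ignored, and
# SYN retransmissions to the same destination are counted once.

# flag_ssh_scanners MY_IP THRESHOLD < tcpdump_output
# Prints "SRC NUM_DESTINATIONS" for each source other than MY_IP that sent
# SYNs to at least THRESHOLD distinct destination hosts.
flag_ssh_scanners() {
    my_ip="$1"
    threshold="$2"
    awk -v my_ip="$my_ip" -v threshold="$threshold" '
        # field layout: $1 time, $2 "IP", $3 SRC.PORT, $4 ">", $5 DST.22:
        / IP / && /\.22: Flags \[S\]/ {
            src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
            dst = $5; sub(/\.22:$/, "", dst)      # strip ".22:" from the destination
            if (src == my_ip) next                # ignore our own ssh sessions
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; count[src]++ }
        }
        END {
            for (s in count)
                if (count[s] >= threshold) print s, count[s]
        }
    ' | sort
}

# Constructed sample capture (not real traffic): 10.0.0.5 fans out to four
# hosts (one SYN retransmitted), 10.0.0.1 is the monitoring host itself,
# 10.0.0.9 makes a single normal connection, and one line is a server reply.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.0.2.10.22 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 10.0.0.5.51235 > 192.0.2.11.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 10.0.0.5.51236 > 192.0.2.12.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 10.0.0.5.51237 > 192.0.2.13.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000006 IP 10.0.0.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000007 IP 10.0.0.1.40000 > 198.51.100.7.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000008 IP 10.0.0.1.40001 > 198.51.100.8.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000009 IP 10.0.0.1.40002 > 198.51.100.9.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000010 IP 10.0.0.1.40003 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
12:00:03.000011 IP 10.0.0.9.45000 > 203.0.113.4.22: Flags [S], seq 1, win 64240, length 0
EOF
}

# Stand-alone run: monitoring host is 10.0.0.1, report anything reaching 3+ hosts.
sample_capture | flag_ssh_scanners 10.0.0.1 3
```

On a live monitor port this becomes `tcpdump -nn -l port 22 | flag_ssh_scanners my_ip_address 20` (`-l` line-buffers the output so the pipeline sees packets as they arrive); the `and not host my_ip_address` filter from the thread can still be added to tcpdump, but the function also drops that address itself. The threshold is a judgment call for the site: a handful of distinct destinations in a day is normal for an admin workstation, while dozens in a few minutes from a lab machine is the fan-out pattern worth investigating.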

