Might be nice to get a packet trace of it, and add filters to SealingWafter LKM to just discard packets that match.


-Ober

On Fri, 23 Sep 2005, Bryan Irvine wrote:

Some intelligent scripts look at tcp responses to port scans, ssh
responds with SSH-2.0, which isn't too hard to identify. I don't know if
changing the greeting would break the protocol, but I suspect it might
break certain clients.

I wonder if it's possible to "fingerprint" these programs.  I actually
have a copy of the ssh-scanner that they use.  I got it by looking at
the hack logs on a Linux server and going to the same FTP site they
used (anonymous ftp even ;).

The program that most of you see is probably "Skara".  If you're
interested you run the program by doing "./a xxx.xxx" where xxx.xxx is
the first 2 octets of the network you want to scan (it only does
class b).  Once it finds all the servers running ssh, it then forks
and runs "ssh-scan" on each and just crashes through the dictionary,
till it finds some servers, and reports the findings.  Usually
something stupid like "admin/admin" or "vmail/vmail".  I ran it on my
network to look for things that may have been done sloppily.  I
actually did find one server where someone had created a user of
"test" with the password of "test"...nice.

As long as you have secure passwords, I'd recommend just logging in as
a standard user, and using su so that you don't see all those logs.

Keep in mind that they are just kiddies scanning class b's so there's
probably better things to worry about.

A lot of nice tips though.  I've learned a lot about PF just reading the thread.


--Bryan
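Added example (not from either poster, and not part of the tool Bryan describes): the dictionary sweep he outlines leaves a recognisable trail in sshd's auth log, namely a burst of "Failed password" lines from one source cycling through several usernames. The script below parses constructed syslog-style sshd lines, groups failures per source, flags sources that tried several distinct usernames, and renders the pfctl commands that would add them to a PF table. The log lines, host names, addresses and the table name ssh_bruteforce are all made up for the example; the pf.conf rule that actually blocks that table is assumed to exist separately.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in classic syslog format (not taken from the thread).
# 10.0.0.5 walks a small username dictionary; 192.168.1.20 is one user mistyping once.
SAMPLE_LOG = """\
Sep 23 10:01:02 gw sshd[4021]: Failed password for invalid user test from 10.0.0.5 port 40012 ssh2
Sep 23 10:01:03 gw sshd[4023]: Failed password for invalid user admin from 10.0.0.5 port 40014 ssh2
Sep 23 10:01:04 gw sshd[4025]: Failed password for invalid user vmail from 10.0.0.5 port 40016 ssh2
Sep 23 10:01:05 gw sshd[4027]: Failed password for root from 10.0.0.5 port 40018 ssh2
Sep 23 10:05:44 gw sshd[4100]: Failed password for bryan from 192.168.1.20 port 51000 ssh2
Sep 23 10:05:50 gw sshd[4102]: Accepted password for bryan from 192.168.1.20 port 51002 ssh2
Sep 23 10:07:10 gw sshd[4150]: Accepted publickey for ober from 192.168.1.30 port 52000 ssh2
"""

# "invalid user" appears when the account does not exist at all; both forms count as a failure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Group failed-password events by source IP: {src: [user, user, ...]} in log order."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")].append(m.group("user"))
    return dict(by_src)


def flag_dictionary_scanners(log_text, min_failures=3, min_distinct_users=2):
    """Return {src: sorted distinct usernames} for sources whose failures look like a
    dictionary sweep: enough attempts, spread over more than one username.
    A single user fat-fingering their own password does not meet the distinct-user bar."""
    flagged = {}
    for src, users in failed_logins_by_source(log_text).items():
        distinct = sorted(set(users))
        if len(users) >= min_failures and len(distinct) >= min_distinct_users:
            flagged[src] = distinct
    return flagged


def pf_table_commands(flagged, table="ssh_bruteforce"):
    """Render the pfctl commands that add each flagged source to a PF table.
    The table name is an assumption; pf.conf must define it and a block rule using it."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(flagged)]


if __name__ == "__main__":
    hits = flag_dictionary_scanners(SAMPLE_LOG)
    for src, users in hits.items():
        print(f"{src}: {len(users)} distinct usernames tried: {', '.join(users)}")
    for cmd in pf_table_commands(hits):
        print(cmd)
```

The thresholds are deliberately conservative: three failures alone would also catch a legitimate user with a stale saved password, so the distinct-username requirement is what separates a scanner from a clumsy colleague. Feed it the real auth log (or a tail of it) instead of SAMPLE_LOG and review the flagged list before wiring the pfctl output into anything automatic.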
