On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote:
> > Some intelligent scripts look at tcp responses to port scans, ssh
> > responds with SSH-2.0, which isn't too hard to identify. I don't know if
> > changing the greeting would break the protocol, but I suspect it might
> > break certain clients.
>
> I wonder if it's possible to "fingerprint" these programs. I actually
> have a copy of the ssh-scanner that they use. I got it by looking at
> the hack logs on a Linux server and going to the same FTP site they
> used (anonymous ftp even ;).

I use the blocker script from this article. Seems to work pretty well. I'd
just block Linux but I have a few friends who have yet to see the OpenBSD
light.

http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded

> The program that most of you see is probably "Skara". If you're
> interested you run the program by doing "./a xxx.xxx" where xxx.xxx is
> the first 2 octets of the network you want to scan (it only does
> class b). Once it finds all the servers running ssh, it then forks
> and runs "ssh-scan" on each and just crashes through the dictionary,
> till it finds some servers, and reports the findings. Usually
> something stupid like "admin/admin" or "vmail/vmail". I ran it on my
> network to look for things that may have been done sloppily. I
> actually did find one server where someone had created a user of
> "test" with the password of "test"...nice.
>
> As long as you have secure passwords, I'd recommend just logging in as
> a standard user, and using su so that you don't see all those logs.

Yeah. This is only a threat against *really* weak boxes. Having said that
I've seen a lot of posts talking about changing ports. That's a line that I
won't cross. I refuse to hide from the bots and it's not even a speedbump
against somebody who is a real threat. But that's just my personal line in
the sand.

> Keep in mind that they are just kiddies scanning class b's so there's
> probably better things to worry about.
>
> A lot of nice tips though. I've learned a lot about PF just reading the
> thread.
>
> --Bryan

-- 
BOFH excuse #345: Having to manually track the satellite.
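As an added illustration of the log-driven blocking approach the reply relies on (my own example, not the script from the linked undeadly article and not code from anyone in the thread): it counts failed sshd password attempts per source address over constructed authlog lines and emits the pfctl commands that would add repeat offenders to a pf table. The table name "bruteforce", the threshold of 3 and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenBSD /var/log/authlog style; not real log data.
SAMPLE_AUTHLOG = """\
Sep 23 20:01:11 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Sep 23 20:01:13 gw sshd[1234]: Failed password for invalid user vmail from 192.0.2.10 port 40123 ssh2
Sep 23 20:01:15 gw sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 40124 ssh2
Sep 23 20:01:16 gw sshd[1236]: Failed password for root from 192.0.2.10 port 40125 ssh2
Sep 23 20:05:40 gw sshd[1301]: Failed password for bryan from 198.51.100.7 port 51000 ssh2
Sep 23 20:05:52 gw sshd[1302]: Accepted publickey for bryan from 198.51.100.7 port 51001 ssh2
"""

# Matches "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failures_by_source(log_text):
    """Map each source address to the usernames it failed to authenticate as."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, addr = m.groups()
            attempts[addr].append(user)
    return dict(attempts)

def sources_to_block(log_text, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output.
    A dictionary scanner walks many accounts from one address within seconds,
    so a low threshold still separates it from a user who mistyped once."""
    attempts = failures_by_source(log_text)
    return sorted(a for a, users in attempts.items() if len(users) >= threshold)

def pfctl_commands(addrs, table="bruteforce"):
    """pfctl invocations that add each offender to a pf table (assumed name).
    pf.conf needs a matching table and rule, for example:
        table <bruteforce> persist
        block in quick on $ext_if from <bruteforce>"""
    return ["pfctl -t %s -T add %s" % (table, a) for a in addrs]

if __name__ == "__main__":
    for cmd in pfctl_commands(sources_to_block(SAMPLE_AUTHLOG)):
        print(cmd)
```

The legitimate user with a single typo stays under the threshold, while the address that walked admin, vmail, test and root within seconds is the one that ends up in the table.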