nanog mailing list archives
Re: Customer-facing ACLs
From: Justin Shore <justin () justinshore com>
Date: Sun, 09 Mar 2008 17:56:42 -0500
Dave Pooser wrote:
I can understand the logic of dropping the port, but there's some additional thought involved when looking at port 22. Maybe I'm not well-read enough, but the bots I've seen that are doing SSH scans, etc., are not usually on Windows systems. I can figure them working on Linux and MacOS systems, but surely the vast majority of 'vulnerable' hosts are those running OSs coming from our favourite megacorp? Which typically don't come shipped with either an SSH server or an SSH client...?

They typically don't ship with an SMTP server either. Considering that my preferred SSH client for Windows weighs in as a single 412k .exe, I'd imagine that bot designers are just writing their own SSH clients for brute-forcing.
Or they are simply writing a bot that sends TCP SYNs to port 22 and reports those hosts that respond with a SYN-ACK back to the C&C. Then the C&C can direct other compromised hosts with a more complete rootkit (or a compromised *nix host) to do brute-force userid/password guessing.
Half the Mac users? You think? I know a dozen or so sysadmins who use Macs, and about a hundred users who wouldn't know SSH from PCP; I think that's probably a slightly skewed sample considering I'm a Mac geek who hangs around with Mac geeks, and I'd guess the consumer users are a larger percentage of the real-life population. I'd expect the number of folks who want SSH unblocked to be under 1% of a consumer broadband network, and probably closer to 0.1% or so. And again, it ought to be trivial to let your users unblock the system, either via phone call or via self-service Web page (though in the latter case you'd better use a captcha or something so the bot doesn't automatically unblock itself).
Agreed. I don't think the end-user's OS makes them more or less likely to be using SSH unless the OS is a BSD or Linux (then I suspect you'd get a disproportionate # of SSH users compared to the other more simple OSs).
Justin