Security Incidents mailing list archives

Re: Internet SSH scans


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Sat, 4 Mar 2006 13:34:05 +1300

[sorry, I managed to cc this to bugtraq rather than incidents first time around]

On 03/03/06, Alexandre H <alexandre.hamelin () gmail com> wrote:
> Hi,
>
> I've witnessed what I think is an increase in SSH scans over the
> Internet in the past four or five weeks. The scans seem to originate
> from various countries around the globe, which makes me think it is
> a worm-like spreading virus searching for vulnerable systems running the
> SSH service. I confirmed the attack with a friend of mine who also
> happens to run an SSH server at home. We both live in Montreal, QC,
> Canada and are using the same ISP.

I think I've been seeing scans for a year or two now, but the password
guessing seemed to be fairly plentiful for the whole of last year. I
saw a couple of boxes compromised through 'temporary' accounts like
upload/upload which had escaped the admin's notice.

My suggested mitigation is to move SSH to an alternate port, possibly
go to key pair authentication rather than password, restrict what IP
addresses are allowed to connect to sshd as far as possible and/or use
crack/john to ensure that people don't set dumb passwords.

cheers,
 Jamie

(In case anyone is interested in the gory details - one compromised
box had some privilege escalation exploits uploaded, someone tried to
use it for sending eBay phishing emails, and then started it scanning
for other weak SSH passwords as well -
http://www.infosecwriters.com/texts.php?op=display&id=402 )
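As an added illustration of the mitigations listed above (not part of the original post or of any OpenSSH tooling), the script below audits an sshd_config for a non-default port, key-pair rather than password authentication, and an AllowUsers restriction. Both sample configs are constructed inline; the function and file names are assumptions, and sshd's defaults (Port 22, password auth enabled) are assumed for keys that are absent.

```shell
#!/bin/sh
# Constructed sample configs: a stock one and the same host after hardening.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: a stock config of the kind the password guessers hope for
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: after applying the suggested mitigations
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jamie@192.0.2.*
EOF

# cfg_value FILE KEY: effective global value of KEY. sshd keeps the FIRST
# value it sees for a keyword, and settings inside Match blocks are not
# global, so stop at the first Match line. Keywords are case-insensitive.
cfg_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one "WEAK:" or "ok:" line per mitigation; always exits 0.
# Password strength is not a config setting, so that check is left to crack/john.
audit_sshd() {
    port=$(cfg_value "$1" Port); port=${port:-22}
    pw=$(cfg_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z'); pw=${pw:-yes}
    pubkey=$(cfg_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z'); pubkey=${pubkey:-yes}
    allow=$(cfg_value "$1" AllowUsers)
    if [ "$port" != 22 ]; then echo "ok: Port $port"; else echo "WEAK: Port 22 is the port the scanners probe"; fi
    if [ "$pw" = no ]; then echo "ok: password auth off"; else echo "WEAK: PasswordAuthentication $pw allows guessing"; fi
    if [ "$pubkey" = yes ]; then echo "ok: key-pair auth on"; else echo "WEAK: PubkeyAuthentication $pubkey"; fi
    if [ -n "$allow" ]; then echo "ok: AllowUsers $allow"; else echo "WEAK: no AllowUsers restriction on who/where may connect"; fi
}

# weak_count FILE: number of WEAK findings (grep -c exits 1 on zero matches).
weak_count() { audit_sshd "$1" | grep -c '^WEAK' || true; }

echo "--- before ---"; audit_sshd "$WEAK_CFG"
echo "--- after  ---"; audit_sshd "$HARD_CFG"
```

Run it against a real /etc/ssh/sshd_config by calling audit_sshd with that path; the AllowUsers check only looks at the global section, so a host that restricts sources solely inside Match blocks will show as WEAK and needs a manual look.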

