[ale] 300,000 failed login attempts in 6 months!!!
Michael B. Trausch
mike at trausch.us
Tue Aug 19 18:21:44 EDT 2008
On Tue, 2008-08-19 at 18:09 -0400, Brian Pitts wrote:
> I assume they scan... port 22. If ssh isn't there either it's not
> running or there's a smart admin. Either way that system is not an
> inviting target.
Yes, but it's fairly trivial to detect it on any machine using a
standard portscan:
Tuesday, 2008-Aug-19 at 18:19:57 - mbt at zest - Linux v2.6.24
Ubuntu Hardy:[0-27/1265-0]:~/ssh-test> sudo nmap -sS -sV 127.0.0.1
Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-19 18:20 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1706 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp   open  http       lighttpd 1.4.19
111/tcp  open  rpc
631/tcp  open  ipp        CUPS 1.2
5432/tcp open  postgresql PostgreSQL DB
5900/tcp open  vnc        VNC (protocol 3.7)
8080/tcp open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
9050/tcp open  tor-socks  Tor SOCKS Proxy
Service Info: OS: Linux
Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.306 seconds
Of course, port 8080 is not typically used for SSH traffic; it's usually
used for an HTTP proxy. It's easily detected on any port, though...
Are they that easily fooled, or do they just think that a few seconds is
too much time to waste on scanning?
--- Mike
--
My sigfile ran away and is on hiatus.