North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Customer-facing ACLs

  • From: Justin Shore
  • Date: Sun Mar 09 19:13:57 2008

Dave Pooser wrote:
I can understand the logic of dropping the port, but theres some
additional thought involved when looking at Port 22 - maybe i'm not
well-read enough, but the bots I've seen that are doing SSH scans, etc,
are not usually on Windows systems. I can figure them working on Linux,
MacOS systems - but surely the vast majority of 'vulnerable' hosts are
those running OS's coming from our favourite megacorp?  Which typically
don't come shipped with neither SSH server nor SSH client... ?

They typically don't ship with an SMTP server either. Considering that my preferred SSH client for Windows weighs in as a single 412k .exe, I'd imagine that bot designers are just writing their own SSH clients for brute-forcing.

Or are simply writing a bot that sens TCP SYNs to port 22 and are reporting those hosts that responds with a SYN ACK back to the C&C. Then the C&C can direct other compromised hosts with a more complete rootkit (or compromised *nix host) to do brute-force userid/password guessing.

Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,
and about a hundred users who wouldn't know SSH from PCP; I think that's
probably a slightly skewed sample considering I'm a Mac geek who hangs
around with Mac geeks, and I'd guess the consumer users are a larger
percentage of the real-life population. I'd expect the number of folks who
want SSH unblocked to be under 1% of a consumer broadband network, and
probably closer to 0.1% or so. And again, it ought to be trivial to let your
users unblock the system, either via phone call or via self-service Web page
(though in the latter case you'd better use a captcha or something so the
bot doesn't automatically unblock itself).

Agreed. I don't think the end-user's OS makes them more or less likely to be using SSH unless the OS is a BSD or Linux (then I suspect you'd get a disproportionate # of SSH users compared to the other more simple OSs).