On the FreeBSD stable mailing list, a posting about a compromised FreeBSD box led to an interesting discussion about boxes being hammered with SSH probes.
One of the participants posted a list of about 40 hosts which had probed his box for weak passwords over SSH.
Several years ago, when my wife was in another country, I enabled SSH access so she could use fetchmail and pine to read her mail.
Opening port 22 on my firewall of course triggered the same SSH probes. To some of these hosts I could telnet, and some, after displaying their RedHat login banner, prompted me for a login name.
Reading the freebsd-stable discussion I wondered what kind of boxes were initiating these annoying login attempts.
The OpenBSD 'nc' man page shows a simple way to get a box to display its login banner.
Code:
PORT SCANNING
It may be useful to know which ports are open and running services on a
target machine. The -z flag can be used to tell nc to report open ports,
rather than initiate a connection. For example:
$ nc -z host.example.com 20-30
Connection to host.example.com 22 port [tcp/ssh] succeeded!
Connection to host.example.com 25 port [tcp/smtp] succeeded!
The port range was specified to limit the search to ports 20 - 30.
Alternatively, it might be useful to know which server software is running, and which versions. This information is often contained within the
greeting banners. In order to retrieve these, it is necessary to first
make a connection, and then break the connection when the banner has been
retrieved. This can be accomplished by specifying a small timeout with
the -w flag, or perhaps by issuing a "QUIT" command to the server:
$ echo "QUIT" | nc host.example.com 20-30
SSH-1.99-OpenSSH_3.6.1p2
Protocol mismatch.
220 host.example.com IMS SMTP Receiver Version 0.84 Ready
A simple shell script to probe these hosts:
Code:
#!/bin/sh
# scan-ssh-versions: record the SSH identification string each host sends
PORT=22
hosts='
24.69.83.139
24.106.149.2
59.108.230.130
[snip]
218.97.254.206
218.206.233.43
221.202.118.39
222.221.2.210
'
# ${hosts} is deliberately unquoted so the list is split into one word per host
for MACHINE in ${hosts} ; do
    # timestamp and host first; the banner (if any) follows on the same line
    printf "%s host %s " "$(date "+%Y-%m-%d %H:%M:%S")" "$MACHINE"
    # sending QUIT makes nc disconnect once the banner has been read
    result=$(echo QUIT | nc "${MACHINE}" "$PORT")
    printf "%s\n" "$result"
done
Because we will redirect the output to logfile, we can use tail to follow the progress. In another xterm, before running the script:
Code:
$ tail -f logfile
tail: logfile: No such file or directory
$ touch logfile
$ tail -f logfile
2009-12-31 00:49:31 host 24.69.83.139 SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31 host 24.106.149.2 SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32 host 59.108.230.130 SSH-1.99-OpenSSH_3.9p1
After starting the script with sh scan-ssh-versions >logfile 2>&1, the 'tailed' logfile showed the first results.
Actually, using tee is a simpler approach.
Code:
$ sh scan-ssh-versions 2>&1 | tee logfile
After seeing some progress for a while, a connection seemed to be stuck.
Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 192.168.222.20.42645 211.144.32.185.22 FIN_WAIT_2
tcp 0 0 *.587 *.* LISTEN
tcp 0 0 *.25 *.* LISTEN
tcp 0 0 *.6000 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.515 *.* LISTEN
A simple $ pkill -TERM nc took care of that.
Filtering the SSH version answers:
Code:
$ grep SSH logfile
2009-12-31 00:49:31 host 24.69.83.139 SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:49:31 host 24.106.149.2 SSH-1.99-OpenSSH_4.3p2
2009-12-31 00:49:32 host 59.108.230.130 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:33 host 60.6.237.54 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:37 host 60.212.42.11 SSH-2.0-OpenSSH_4.0
2009-12-31 00:49:58 host 61.47.34.67 SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59 host 78.40.82.74 SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
2009-12-31 00:49:59 host 79.136.123.7 SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59 host 79.188.234.58 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:50:00 host 85.12.25.157 SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:50:00 host 85.38.97.122 SSH-2.0-SSH-2.0-OpenSSH_4.3
2009-12-31 00:50:00 host 85.114.135.208 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:51:15 host 110.12.64.141 SSH-1.99-OpenSSH_4.3
2009-12-31 00:51:16 host 114.255.100.163 SSH-1.99-OpenSSH_4.7p1
2009-12-31 00:51:19 host 116.28.64.181 SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.5
2009-12-31 00:51:20 host 121.254.228.61 SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:21 host 123.15.41.98 SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:24 host 123.124.236.195 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:52:46 host 173.10.126.225 SSH-2.0-OpenSSH_4.3
2009-12-31 00:52:46 host 189.108.172.26 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 00:54:02 host 195.219.57.189 SSH-2.0-OpenSSH_4.3
2009-12-31 00:54:02 host 202.103.25.246 SSH-2.0-OpenSSH_4.3
2009-12-31 00:55:18 host 203.94.231.11 SSH-2.0-OpenSSH_3.4p1
2009-12-31 00:57:48 host 211.92.149.147 SSH-2.0-OpenSSH_4.3
2009-12-31 02:10:29 host 216.36.150.58 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 02:13:00 host 221.202.118.39 SSH-2.0-OpenSSH_4.3
We queried 39 hosts:
Code:
$ grep -c host logfile
39
Out of these 39, 26 hosts displayed their SSH version:
Code:
$ grep SSH logfile | wc -l
26
10 out of the 26 were Debian based:
Code:
$ grep -i Debian logfile | wc -l
10
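As an added example (not part of the original post), the three grep counts above folded into one script run over a constructed sample log in the same format, plus a per-host probe that bounds nc with the -w timeout from the man page excerpt so a stalled connection cannot hang the whole run. The addresses in the sample are documentation-range placeholders, not the hosts from the original list.

```shell
#!/bin/sh
# Added example: summarize an SSH banner-probe logfile in the format written
# by scan-ssh-versions. The lines below are constructed sample data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2009-12-31 00:49:31 host 192.0.2.10 SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31 host 192.0.2.11 SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32 host 192.0.2.12
2009-12-31 00:49:33 host 192.0.2.13 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:49:34 host 192.0.2.14 SSH-2.0-OpenSSH_4.3
EOF

# Hosts probed: exactly one " host " line is written per target.
count_hosts() { grep -c ' host ' "$1"; }

# Hosts that answered with an SSH identification string.
count_banners() { grep -c 'SSH-' "$1"; }

# Hosts whose banner carries the Debian/Ubuntu vendor suffix.
count_debian() { grep -ic 'Debian' "$1"; }

# Histogram of OpenSSH versions, most common first: "count version" per line.
version_histogram() {
    grep -o 'OpenSSH_[^ ]*' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Probe one host (port, address) with a 5 second wait, so a half-open
# connection like the FIN_WAIT_2 one above times out instead of stalling.
probe_banner() {
    printf '%s host %s ' "$(date '+%Y-%m-%d %H:%M:%S')" "$2"
    echo QUIT | nc -w 5 "$2" "$1" 2>/dev/null | head -1
    echo
}

printf 'hosts probed: %s\n' "$(count_hosts "$SAMPLE_LOG")"
printf 'with banner:  %s\n' "$(count_banners "$SAMPLE_LOG")"
printf 'debian based: %s\n' "$(count_debian "$SAMPLE_LOG")"
version_histogram "$SAMPLE_LOG"
```

Replace the sample log with the real logfile to get the same three counts plus a version breakdown in one pass.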
Remember, any box, Windows, Linux or BSD, exposed to the internet is only as secure as the monkey who administrates it.