Discovering SSH versions of compromised hosts with nc(1)
On the FreeBSD stable mailing list a posting about a compromised FreeBSD box led to an interesting discussion about boxes being hammered with SSH probes. One of the participants posted a list of about 40 hosts which had probed his box for weak passwords using SSH. Several years ago, when my wife was in another country, I enabled SSH access so she could use fetchmail and pine to read her mail. Opening port 22 on my firewall of course triggered the same SSH probes. To some of these hosts I could telnet, and some, after displaying their RedHat login banner, prompted me for a login name. Reading the freebsd-stable discussion I wondered what kind of boxes are initiating these annoying login attempts. The OpenBSD 'nc' man page shows a simple way to get a box to display the login banner.

Code:
PORT SCANNING
     It may be useful to know which ports are open and running services on a
     target machine.  The -z flag can be used to tell nc to report open ports,
     rather than initiate a connection.  For example:

           $ nc -z host.example.com 20-30
           Connection to host.example.com 22 port [tcp/ssh] succeeded!
           Connection to host.example.com 25 port [tcp/smtp] succeeded!

     The port range was specified to limit the search to ports 20 - 30.

     Alternatively, it might be useful to know which server software is
     running, and which versions.  This information is often contained within
     the greeting banners.  In order to retrieve these, it is necessary to
     first make a connection, and then break the connection when the banner
     has been retrieved.  This can be accomplished by specifying a small
     timeout with the -w flag, or perhaps by issuing a "QUIT" command to the
     server:

           $ echo "QUIT" | nc host.example.com 20-30
           SSH-1.99-OpenSSH_3.6.1p2
           Protocol mismatch.
           220 host.example.com IMS SMTP Receiver Version 0.84 Ready

Code:
PORT=22
hosts='
24.69.83.139
24.106.149.2
59.108.230.130
[snip]
218.97.254.206
218.206.233.43
221.202.118.39
222.221.2.210
'
for MACHINE in ${hosts} ; do
    # timestamp and host first, so a hanging nc still shows which host it was on
    printf "%s host %s " "$(date "+%Y-%m-%d %H:%M:%S")" "$MACHINE"
    # QUIT is not a valid SSH identification string: sshd sends its own
    # banner, complains "Protocol mismatch." and closes the connection
    result=$(echo QUIT | nc "$MACHINE" "$PORT")
    printf "%s\n" "$result"
done

Code:
$ tail -f logfile
tail: logfile: No such file or directory
$ touch logfile
$ tail -f logfile
2009-12-31 00:49:31 host 24.69.83.139 SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31 host 24.106.149.2 SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:32 host 59.108.230.130 SSH-1.99-OpenSSH_3.9p1

Actually using tee is a simpler approach.

Code:
$ sh scan-ssh-versions 2>&1 | tee logfile

Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.20.42645   211.144.32.185.22      FIN_WAIT_2
tcp        0      0  *.587                  *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN

Filtering the SSH version answers

Code:
$ grep SSH logfile
2009-12-31 00:49:31 host 24.69.83.139 SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:49:31 host 24.106.149.2 SSH-1.99-OpenSSH_4.3p2
2009-12-31 00:49:32 host 59.108.230.130 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:33 host 60.6.237.54 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:49:37 host 60.212.42.11 SSH-2.0-OpenSSH_4.0
2009-12-31 00:49:58 host 61.47.34.67 SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59 host 78.40.82.74 SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
2009-12-31 00:49:59 host 79.136.123.7 SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
2009-12-31 00:49:59 host 79.188.234.58 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:50:00 host 85.12.25.157 SSH-2.0-OpenSSH_5.1p1 Debian-5
2009-12-31 00:50:00 host 85.38.97.122 SSH-2.0-SSH-2.0-OpenSSH_4.3
2009-12-31 00:50:00 host 85.114.135.208 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
2009-12-31 00:51:15 host 110.12.64.141 SSH-1.99-OpenSSH_4.3
2009-12-31 00:51:16 host 114.255.100.163 SSH-1.99-OpenSSH_4.7p1
2009-12-31 00:51:19 host 116.28.64.181 SSH-2.0-OpenSSH_4.2p1 Debian-7ubuntu3.5
2009-12-31 00:51:20 host 121.254.228.61 SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:21 host 123.15.41.98 SSH-2.0-OpenSSH_4.3
2009-12-31 00:51:24 host 123.124.236.195 SSH-1.99-OpenSSH_3.9p1
2009-12-31 00:52:46 host 173.10.126.225 SSH-2.0-OpenSSH_4.3
2009-12-31 00:52:46 host 189.108.172.26 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 00:54:02 host 195.219.57.189 SSH-2.0-OpenSSH_4.3
2009-12-31 00:54:02 host 202.103.25.246 SSH-2.0-OpenSSH_4.3
2009-12-31 00:55:18 host 203.94.231.11 SSH-2.0-OpenSSH_3.4p1
2009-12-31 00:57:48 host 211.92.149.147 SSH-2.0-OpenSSH_4.3
2009-12-31 02:10:29 host 216.36.150.58 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
2009-12-31 02:13:00 host 221.202.118.39 SSH-2.0-OpenSSH_4.3

Code:
$ grep -c host logfile
39

Code:
$ grep SSH logfile | wc -l
26

Code:
$ grep -i Debian logfile | wc -l
10
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
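The scan and the grep/wc counting above, redone as an added example that is not code from the original post. It gives nc a per-host timeout with -w (the OpenBSD nc flag the quoted man page mentions), emits exactly one log line per host, and replaces the grep pipelines with awk counters that skip the "Protocol mismatch." lines. Assumptions: nc(1) accepts -w as OpenBSD nc does; the function names and the file name ssh-banners.sh are mine; the 192.0.2.x addresses in SAMPLE_LOG are constructed (RFC 5737 TEST-NET-1), not hosts that were probed.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumes an nc(1) that
# accepts -w (OpenBSD nc).  Helper names are mine; SAMPLE_LOG is constructed.

# ssh_banner HOST [PORT] [TIMEOUT]
# Send a bogus "QUIT" line so sshd sends its identification string, answers
# "Protocol mismatch." and closes.  -w bounds the connect and the idle wait,
# so a host that accepts the TCP connection but never speaks cannot stall
# the whole scan.  Only the first SSH- line is kept; the trailing CR of the
# banner (SSH banners end in CRLF) is stripped.
ssh_banner() {
    printf 'QUIT\r\n' | nc -w "${3:-5}" "$1" "${2:-22}" 2>/dev/null \
        | tr -d '\r' | sed -n '/^SSH-/{p;q;}'
}

# scan_hosts [PORT] [TIMEOUT]   (host list, one per line, on stdin)
# Always emits exactly one line per host, so later counts stay honest.
scan_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        banner=$(ssh_banner "$host" "${1:-22}" "${2:-5}")
        printf '%s host %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "$host" "${banner:-NO-BANNER}"
    done
}

# Constructed log in the same shape as the post's logfile, "Protocol
# mismatch." lines included so the counters have to skip them.
SAMPLE_LOG='2009-12-31 00:49:31 host 192.0.2.10 SSH-2.0-OpenSSH_5.1p1 Debian-5
Protocol mismatch.
2009-12-31 00:49:31 host 192.0.2.11 SSH-1.99-OpenSSH_4.3p2
Protocol mismatch.
2009-12-31 00:49:40 host 192.0.2.12 NO-BANNER
2009-12-31 00:49:41 host 192.0.2.13 SSH-2.0-SSH-2.0-OpenSSH_4.3
2009-12-31 00:49:42 host 192.0.2.14 SSH-2.0-OpenSSH_4.3p2 Debian-9etch3'

# Each counter reads a log on stdin.  Field layout of a log line:
#   $1 date  $2 time  $3 "host"  $4 address  $5 SSH identification  $6.. comment
count_hosts()   { awk '$3 == "host" { n++ } END { print n + 0 }'; }
count_banners() { awk '$5 ~ /^SSH-/ { n++ } END { print n + 0 }'; }

# count_proto VERSION: hosts whose protoversion field (RFC 4253 layout
# "SSH-protoversion-softwareversion") equals VERSION, e.g. 1.99 or 2.0
count_proto() {
    awk -v want="$1" '$5 ~ /^SSH-/ { split($5, f, "-"); if (f[2] == want) n++ }
                      END { print n + 0 }'
}

# software_tally: "count softwareversion", most common first.  The software
# field is everything after the second dash, so a malformed banner such as
# "SSH-2.0-SSH-2.0-OpenSSH_4.3" (one appears in the post's logfile) is kept
# verbatim instead of being silently merged with OpenSSH_4.3.
software_tally() {
    awk '$5 ~ /^SSH-/ {
            split($5, f, "-")
            sw = substr($5, length("SSH-" f[2] "-") + 1)
            n[sw]++
         }
         END { for (s in n) print n[s], s }' | sort -k1,1nr -k2
}

case ${1-} in
    scan) shift; scan_hosts "$@" ;;   # sh ssh-banners.sh scan 22 5 < hosts | tee logfile
    *)    printf '%s\n' "$SAMPLE_LOG" | software_tally ;;
esac
```

Run without arguments it tallies the constructed sample; with `scan` it reads a host list on stdin and writes the same one-line-per-host format. The counters read any log in that format on stdin, including the post's own logfile, and count_hosts/count_banners give the numbers the post got from grep -c host and grep SSH | wc -l.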
Handy write-up though J65nko, thx for the efforts.
__________________
The more you learn, the more you realize how little you know ....