Customer-facing ACLs
Justin Shore
justin at justinshore.com
Sun Mar 9 22:56:42 UTC 2008
Dave Pooser wrote:
>> I can understand the logic of dropping the port, but theres some
>> additional thought involved when looking at Port 22 - maybe i'm not
>> well-read enough, but the bots I've seen that are doing SSH scans, etc,
>> are not usually on Windows systems. I can figure them working on Linux,
>> MacOS systems - but surely the vast majority of 'vulnerable' hosts are
>> those running OS's coming from our favourite megacorp? Which typically
>> don't come shipped with neither SSH server nor SSH client... ?
>
> They typically don't ship with an SMTP server either. Considering that my
> preferred SSH client for Windows weighs in as a single 412k .exe, I'd
> imagine that bot designers are just writing their own SSH clients for
> brute-forcing.
Or are simply writing a bot that sens TCP SYNs to port 22 and are
reporting those hosts that responds with a SYN ACK back to the C&C.
Then the C&C can direct other compromised hosts with a more complete
rootkit (or compromised *nix host) to do brute-force userid/password
guessing.
> Half the Mac users? You think? I know a dozen or so sysadmins who use Macs,
> and about a hundred users who wouldn't know SSH from PCP; I think that's
> probably a slightly skewed sample considering I'm a Mac geek who hangs
> around with Mac geeks, and I'd guess the consumer users are a larger
> percentage of the real-life population. I'd expect the number of folks who
> want SSH unblocked to be under 1% of a consumer broadband network, and
> probably closer to 0.1% or so. And again, it ought to be trivial to let your
> users unblock the system, either via phone call or via self-service Web page
> (though in the latter case you'd better use a captcha or something so the
> bot doesn't automatically unblock itself).
Agreed. I don't think the end-user's OS makes them more or less likely
to be using SSH unless the OS is a BSD or Linux (then I suspect you'd
get a disproportionate # of SSH users compared to the other more simple
OSs).
Justin
More information about the NANOG
mailing list