[clug] mc-root anyone?

Paul Wayper paulway at mabula.net
Wed Jun 24 07:56:25 GMT 2009


On 22/06/09 11:50, Ian Munsie wrote:
>> These people are scanning for connections on port 22.  We haven't (yet) seen
>> people trying to actually scan the ports on a remote machine looking for an
>> SSH server.  When we do, believe me, you will not be able to move on the
>> internet without hitting three or four sysadmins reconfiguring their
>> external-facing SSH servers.
>
> The reason is simple: If you want to compromise machines, do you:
> a) scan 65,536 ports on a single IP address hoping that you find a
> single SSH server you can then maybe gain access to given that the
> administrator has already changed its port number; or
> b) scan 65,536 different computers on the default port 22 and check
> each potential hit for vulnerable versions of SSH or failing a known
> SSH vulnerability do some scans for weak passwords?
>
> Naturally the answer to this question depends on the attacker's
> motivation, but in the general case the answer is almost always b. The
> answer will only be a if the attacker has selected a specific target
> or hasn't spent any time thinking about it.

Or if they don't really care how long it takes.  Scanning 65535 ports on one 
machine takes a couple of minutes - I've heard of methods that take seconds 
but never enough details to know whether they work for sure or not.  Your 
script kiddie has a bunch of machines that aren't his own sitting there 
scanning IP ranges for new victims - e's in no rush to get machines, and may 
be happy to trade off a bit of speed for better coverage.  If the scanners 
take longer but still produce results, then e probably doesn't care - e's got 
new machines to exploit.

This is why I worry when the gangs start taking attacking Linux machines 
seriously.  The port scans are already targeting Windows machines - if they 
target Linux machines as well you'll be port scanned every minute or so. 
OTOH, most Linux distros have a much better firewall than Windows and it's 
installed locked down by default, so random Linux machines sitting on an 
un-firewalled ADSL connection will still be a hard target to crack.

Just some thoughts,

Paul
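A defender-side illustration of the two scan shapes the thread compares (one source walking many ports on a single host versus one source probing port 22 across many hosts), written as an added example that is not from the list post; the iptables-style LOG lines are constructed sample data, and the thresholds are assumed values a sysadmin would tune for their own network:

```python
import re
from collections import defaultdict

# Constructed iptables-style LOG lines (sample data made up for this example).
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=2222 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=22 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=22 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=51003 DPT=22 SYN
kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=443 SYN
"""

# Only the fields the heuristic needs: source, destination, destination port.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Yield (src, dst, dport) for each TCP LOG line; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def classify_scans(log_text, port_threshold=4, host_threshold=3):
    """Flag per source: ("vertical", dst, n_ports) when one host is probed on
    many ports, ("horizontal", dport, n_hosts) when one port is probed on many
    hosts. Thresholds are assumed values, not figures from the thread."""
    ports_per_target = defaultdict(set)   # (src, dst)   -> distinct dest ports
    hosts_per_port = defaultdict(set)     # (src, dport) -> distinct dest hosts
    for src, dst, dport in parse(log_text):
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = defaultdict(list)
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings[src].append(("vertical", dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].append(("horizontal", dport, len(hosts)))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in classify_scans(SAMPLE_LOG).items():
        print(src, hits)
```

On the sample data the first source is reported as a vertical scan of one host (five ports, including 2222) and the second as a horizontal sweep of port 22 across four hosts, while the single HTTPS connection is left alone.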

