[clug] mc-root anyone?
Paul Wayper
paulway at mabula.net
Wed Jun 24 07:56:25 GMT 2009
On 22/06/09 11:50, Ian Munsie wrote:
>> These people are scanning for connections on port 22. We haven't (yet) seen
>> people trying to actually scan the ports on a remote machine looking for an
>> SSH server. When we do, believe me, you will not be able to move on the
>> internet without hitting three or four sysadmins reconfiguring their
>> external-facing SSH servers.
>
> The reason is simple: If you want to compromise machines, do you:
> a) scan 65,536 ports on a single IP address hoping that you find a
> single SSH server you can then maybe gain access to given that the
> administrator has already changed its port number; or
> b) scan 65,536 different computers on the default port 22 and check
> each potential hit for vulnerable versions of SSH or failing a known
> SSH vulnerability do some scans for weak passwords?
>
> Naturally the answer to this question depends on the attacker's
> motivation, but in the general case the answer is almost always b. The
> answer will only be a if the attacker has selected a specific target
> or hasn't spent any time thinking about it.
Or if they don't really care how long it takes. Scanning 65535 ports on one
machine takes a couple of minutes - I've heard of methods that take seconds
but never enough details to know whether they work for sure or not. Your
script kiddie has a bunch of machines that aren't his own sitting there
scanning IP ranges for new victims - e's in no rush to get machines, and may
be happy to trade off a bit of speed for better coverage. If the scanners
take longer but still produce results, then e probably doesn't care - e's got
new machines to exploit.
This is why I worry when the gangs start taking attacking Linux machines
seriously. The port scans are already targeting Windows machines - if they
target Linux machines as well you'll be port scanned every minute or so.
OTOH, most Linux distros have a much better firewall than Windows and it's
installed locked down by default, so random Linux machines sitting on an
un-firewalled ADSL connection will still be a hard target to crack.
Just some thoughts,
Paul