Re: Strange SSHD Behaviour

From: Seth Arnold (sarnold@wirex.com)
Date: 09/12/02


Date: Wed, 11 Sep 2002 15:09:04 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux <focus-linux@securityfocus.com>


On Thu, Sep 12, 2002 at 12:55:51AM +0500, Naseer Bhatti wrote:
> Sep 10 01:15:33 redy sshd[5332]: scanned from 66.x.x.253 with
> SSH-1.0-SSH_Version_Mapper_Servers_Alive_3.1.1043. Don't panic.
[...]
> is this some sort of scanning or internal sshd behavior? I am using Open SSH
> 3.4 with Protocol 2 only on Linux. I am getting this from mainly 2 IPs on
> the same network I am. Any help would be appreciated.

This is more or less normal behavior. It means someone on your network
is scanning your ssh daemon to see what version you are running.
Normally, system administrators run this every once in a while to make
sure their users don't have vulnerable ssh daemons running.

http://www.citi.umich.edu/u/provos/ssh/ for the most popular ssh
scanning program.

Just make sure you are up-to-date with openssh patches and don't panic. :)

-- 
It seems the power has been robbed from the founding fathers and is now
firmly in the hand of the funding fathers -- Rik van Riel



