Re: "Don't panic"?

From: Richard Silverman (res@des.jhy.us.ml.com)
Date: 01/30/02

    From: Richard Silverman <res@des.jhy.us.ml.com>
    Date: 30 Jan 2002 15:42:40 -0500
    
    

    >>>>> "MI" == Mike Iglesias <iglesias@draco.acs.uci.edu> writes:

        MI> Well Richard, if you've been scanned almost 60 times this month
        MI> (like we have) by people looking for ssh servers on your network,
        MI> you'd report it too.

    I get scanned quite a bit more than that, and I do not typically "report"
    it to anyone. I connected a machine to the Internet and started an SSH
    server on it. So anyone in the world may make a TCP connection to it.
    The fact that some people I don't know do just that for whatever reason
    (curiosity, boredom, trying to hack me) does not bother me. It's what the
    network is for. If I didn't want that happening, I would use ipsec -- and
    even then, of course, I'd need my ike port open, and random people sending
    traffic to *that* would not bother me.

    The original poster described a single instance. If there were a repeated
    pattern from a particular source, I might report it in the hopes of
    helping the sysadmin there to deal with possibly compromised machines.
    However, it would still only be a heuristic help-the-other-guy out sort of
    thing. A single scan -- or lots of them for that matter -- does not
    constitute abuse.
      
        MI> It's kinda obvious that if you're seeing scans from scanssh,
        MI> someone is mapping sshd versions on your network.
        MI> If you don't know who it's from, I doubt it's friendly.

    Perhaps, and perhaps not -- you don't know yet. But the mere act of
    someone you don't know speaking to your SSH server is not in itself an
    unfriendly act, any more than someone looking in your uncurtained front
    window from the sidewalk constitutes breaking and entering.

    Don't misunderstand me: I understand being cautious, and suspicious even.
    If I see a pattern that I think might be the prelude to an attack, I will
    look into it. However, I see a lot of people asking how to "prevent"
    scans. We have servers with unrestricted Internet connectivity precisely
    to allow us to connect from anywhere. I don't understand getting upset
    when what we deliberately allowed for happens.

    -- 
     Richard Silverman
     slade@shore.net
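The distinction drawn in the message above between a single scan and a repeated pattern from one source, sketched as a log triage script. This is an added example, not part of the original post. The log lines are constructed, the syslog layout and the "scanned from ... Don't panic." wording the subject line alludes to are assumed to be what your sshd writes, and the three-day threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines using documentation addresses; not real traffic.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw sshd[4121]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 12 03:14:09 gw sshd[4125]: Accepted publickey for res from 198.51.100.7 port 40112 ssh2
Jan 17 22:40:51 gw sshd[5530]: scanned from 203.0.113.44 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 19 04:02:33 gw sshd[6012]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 19 04:02:34 gw sshd[6013]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jan 26 03:58:12 gw sshd[7790]: scanned from 192.0.2.10 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
"""

# Assumed line layout: "<Mon> <day> <time> <host> sshd[pid]: scanned from <ip> with <banner>.  ..."
SCAN_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: "
    r"(?:scanned|probed) from (?P<src>\S+) with (?P<banner>\S+?)\.\s"
)


def scans_by_source(log_text):
    """Map each scanning source to the set of calendar days it was seen on."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            days[m.group("src")].add(m.group("day"))
    return dict(days)


def repeated_sources(log_text, min_days=3):
    """Sources seen on at least min_days distinct days (threshold is an assumption).

    Counting distinct days, not raw lines, keeps one noisy sweep that logs
    several connections within seconds from looking like a recurring pattern.
    """
    seen = scans_by_source(log_text)
    return sorted(src for src, d in seen.items() if len(d) >= min_days)


if __name__ == "__main__":
    for src in repeated_sources(SAMPLE_LOG):
        print(f"{src}: recurring scans, consider notifying the source network's admin")
```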