[ale] 300,000 failed login attempts in 6 months!!!
Jim Lynch
ale_nospam at fayettedigital.com
Wed Aug 20 07:54:16 EDT 2008
Michael B. Trausch wrote:
> On Tue, 2008-08-19 at 18:09 -0400, Brian Pitts wrote:
>
>> I assume they scan... port 22. If ssh isn't there either it's not
>> running or there's a smart admin. Either way that system is not an
>> inviting target.
>>
>
> Yes, but it's fairly trivial to detect it on any machine using a
> standard portscan:
>
> Tuesday, 2008-Aug-19 at 18:19:57 - mbt at zest - Linux v2.6.24
> Ubuntu Hardy:[0-27/1265-0]:~/ssh-test> sudo nmap -sS -sV 127.0.0.1
>
> Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-19 18:20 EDT
> Interesting ports on localhost (127.0.0.1):
> Not shown: 1706 closed ports
> PORT     STATE SERVICE    VERSION
> 22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
> 80/tcp   open  http       lighttpd 1.4.19
> 111/tcp  open  rpc
> 631/tcp  open  ipp        CUPS 1.2
> 5432/tcp open  postgresql PostgreSQL DB
> 5900/tcp open  vnc        VNC (protocol 3.7)
> 8080/tcp open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
> 9050/tcp open  tor-socks  Tor SOCKS Proxy
> Service Info: OS: Linux
>
> Service detection performed. Please report any incorrect results at
> http://insecure.org/nmap/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 6.306 seconds
>
> Of course, port 8080 is not typically used for SSH traffic, it's usually
> used for an HTTP proxy. It's easily detected on any port, though...
>
> Are they that easily fooled, or do they just think that a few seconds is
> too much time to waste on scanning?
>
> --- Mike
>
Well, the system I just ran this on has an open ssh port; however, it
isn't listed.

sudo nmap -sS -sV 127.0.0.1

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-20 07:51 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1709 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.8
111/tcp  open  rpcbind  2 (rpc #100000)
443/tcp  open  ssl/http Apache httpd 2.2.8
631/tcp  open  ipp      CUPS 1.2
3306/tcp open  mysql    MySQL 5.0.51a-3ubuntu5.1

Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.856 seconds

It's on a non-standard port number.
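
Added example, not part of the original message or anyone's code in this thread: a small parser (the helper name `audit_scan` is hypothetical) for the nmap report format shown above. It adds the "Not shown" count to the listed rows to see how many TCP ports each scan actually probed, and reports where service detection found ssh; the two inputs are this thread's scan results re-typed with aligned columns.

```python
import re

# Constructed inputs: the two scan results from this thread, columns re-spaced.
QUOTED_SCAN = """\
Not shown: 1706 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp   open  http       lighttpd 1.4.19
111/tcp  open  rpc
631/tcp  open  ipp        CUPS 1.2
5432/tcp open  postgresql PostgreSQL DB
5900/tcp open  vnc        VNC (protocol 3.7)
8080/tcp open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
9050/tcp open  tor-socks  Tor SOCKS Proxy
"""
REPLY_SCAN = """\
Not shown: 1709 closed ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Apache httpd 2.2.8
111/tcp  open  rpcbind  2 (rpc #100000)
443/tcp  open  ssl/http Apache httpd 2.2.8
631/tcp  open  ipp      CUPS 1.2
3306/tcp open  mysql    MySQL 5.0.51a-3ubuntu5.1
"""

NOT_SHOWN = re.compile(r"^Not shown: (\d+) \w+ ports$")
ROW = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)\s*(.*)$")

def audit_scan(text, tcp_port_space=65535):
    """Summarise one nmap normal-output report: coverage and ssh listeners."""
    hidden, rows = 0, []
    for line in map(str.strip, text.splitlines()):
        if m := NOT_SHOWN.match(line):
            hidden += int(m.group(1))
        elif m := ROW.match(line):
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    ssh = sorted(p for p, state, svc, _ in rows if state == "open" and svc == "ssh")
    # Assumption: every probed port is either listed or counted in "Not shown".
    probed = hidden + len(rows)
    return {
        "probed": probed,
        "unprobed": tcp_port_space - probed,
        "ssh_ports": ssh,
        "ssh_off_default": [p for p in ssh if p != 22],
    }

if __name__ == "__main__":
    for name, scan in (("quoted", QUOTED_SCAN), ("reply", REPLY_SCAN)):
        print(name, audit_scan(scan))
```

Both reports account for 1714 of the 65535 TCP ports, so a listener outside the probed set cannot appear in the table; when auditing your own host, nmap's `-p-` option covers the full range.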