> Some intelligent scripts look at tcp responses to port scans, ssh
> responds with SSH-2.0, which isn't too hard to identify. I don't know if
> changing the greeting would break the protocol, but I suspect it might
> break certain clients.
I wonder if it's possible to "fingerprint" these programs. I actually have a copy of the ssh-scanner that they use. I got it by looking at the hack logs on a Linux server and going to the same FTP site they used (anonymous ftp even ;). The program that most of you see is probably "Skara". If you're interested, you run the program by doing "./a xxx.xxx" where xxx.xxx is the first 2 octets of the network you want to scan (it only does class B). Once it finds all the servers running ssh, it then forks and runs "ssh-scan" on each and just crashes through the dictionary till it finds some servers, and reports the findings. Usually something stupid like "admin/admin" or "vmail/vmail".

I ran it on my network to look for things that may have been done sloppily. I actually did find one server where someone had created a user of "test" with the password of "test"...nice. As long as you have secure passwords, I'd recommend just logging in as a standard user and using su so that you don't see all those logs. Keep in mind that they are just kiddies scanning class B's, so there's probably better things to worry about.

A lot of nice tips though. I've learned a lot about PF just reading the thread.

--Bryan
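The dictionary-scan pattern Bryan describes (one source trying a handful of guessable accounts in quick succession, occasionally getting in with something like test/test) is easy to pick out of sshd's own logging. The script below is an added example, not code from the thread or from the scanner discussed in it: it parses the "Failed password for [invalid user] NAME from IP" and "Accepted ... for NAME from IP" lines that OpenSSH's sshd writes to syslog, groups them by source address, and flags a source that racks up several failures or tries several distinct usernames inside a short window. The log lines, hostnames, addresses and thresholds are all constructed for the example.

```python
"""Flag dictionary-style SSH scans in OpenSSH auth log lines.

Added example, not part of the original thread. The log excerpt below is
constructed; the line formats mirror what OpenSSH's sshd logs to syslog.
Syslog timestamps carry no year, so spans across a year boundary are not
handled here (an assumption that keeps the parser short).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: one source walks a small user list and gets
# in as "test" (a test/test account), one legitimate user fat-fingers once.
SAMPLE_LOG = """\
Mar 10 03:12:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 10 03:12:02 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 10 03:12:04 gw sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar 10 03:12:05 gw sshd[4025]: Failed password for invalid user vmail from 203.0.113.7 port 40131 ssh2
Mar 10 03:12:07 gw sshd[4027]: Failed password for root from 203.0.113.7 port 40133 ssh2
Mar 10 03:12:09 gw sshd[4029]: Accepted password for test from 203.0.113.7 port 40140 ssh2
Mar 10 08:45:13 gw sshd[5120]: Failed password for bryan from 192.0.2.44 port 51022 ssh2
Mar 10 08:45:20 gw sshd[5122]: Accepted publickey for bryan from 192.0.2.44 port 51023 ssh2
"""

# "invalid user" appears only when the account does not exist locally.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Thresholds are assumptions for the example, not values from the thread.
WINDOW_SECONDS = 60
FAIL_THRESHOLD = 4
DISTINCT_USER_THRESHOLD = 3


def parse_line(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "result": m.group("result"),
        "method": m.group("method"),
        "invalid": m.group("invalid") is not None,
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_scans(log_text, window=WINDOW_SECONDS,
                 fail_threshold=FAIL_THRESHOLD,
                 user_threshold=DISTINCT_USER_THRESHOLD):
    """Map source IP -> report for sources that look like dictionary scans.

    A source is flagged if, within any `window`-second span, it produced
    `fail_threshold` failures or tried `user_threshold` distinct usernames.
    The report also lists any logins that source was accepted for, which is
    the part you actually need to act on.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    reports = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"),
                       key=lambda e: e["ts"])
        flagged = False
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window]
            users = {e["user"] for e in in_window}
            if len(in_window) >= fail_threshold or len(users) >= user_threshold:
                flagged = True
                break
        if flagged:
            reports[ip] = {
                "failures": len(fails),
                "users_tried": sorted({e["user"] for e in fails}),
                "accepted": [(e["user"], e["method"])
                             for e in evs if e["result"] == "Accepted"],
            }
    return reports


if __name__ == "__main__":
    for ip, report in detect_scans(SAMPLE_LOG).items():
        print(ip, report)
```

Run against the sample, only 203.0.113.7 is reported: five failures across admin, test, vmail and root within a few seconds, followed by an accepted password login as "test", which is exactly the weak account the scanner in the post was built to find. Bryan's single typo from 192.0.2.44 stays below both thresholds. To use this on a real box, feed it the relevant lines from /var/log/authlog (OpenBSD) or /var/log/auth.log (Linux) instead of SAMPLE_LOG.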