I run on 22 because other outbound ports are blocked at my place of employment.
My attempts show up in /var/log/auth.log (in Ubuntu). I believe the command I used was `nmap -A -T4 ip.add.re.ss` (it was an example in the man page). Once I noticed the attempts were happening, to block any traffic from them to me, I added the IP address to /etc/hosts.deny, or: `echo "ALL:ip.add.re.ss" >> /etc/hosts.deny` and then reloaded inetd with: `pkill -1 inetd`. I was kind of tempted to create a bunch of accounts using common names and blank passwords and see what would happen if the attempt was successful, but I didn't want to honeypot my main file server.

Grant

On 11/6/06, Ed Jaeger <[EMAIL PROTECTED]> wrote:
I get them all the time here at the office. Pretty funny list of logins they try - must be a script someone put together. Grant can tell you what he used, but I suspect nmap -O 219.94.133.29 was it.

Jeff Shippen wrote:
> I used to get such automated attempts every now and then, UNTIL I
> changed my ssh listening port number to something other than the default
> (22).
> To change the default sshd port, edit this file on some (all?) distros:
> /etc/ssh/sshd_config. That's where it is on SUSE anyway.
> Add a line, "Port 22" where you can replace 22 with any number.
> **
> Also, some may not know where to find such attempts. Mine shows up in
> /var/log/messages.
>
> I'm curious, what is the exact command you used (well, the options and
> such) with `nmap`?
>
> Jeff
>
> Grant Kelly wrote:
>
>> I noticed someone from 219.94.133.29 scanning my Ubuntu box today.
>> They were trying to login via SSH from a common list of names. Well, I
>> nmap'd em back, here's the results:
>>
>> Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-05 14:18 PST
>> Interesting ports on 219.94.133.29:
>> (The 1656 ports scanned but not shown below are in state: closed)
>> PORT       STATE     SERVICE         VERSION
>> 21/tcp     open      ftp             vsftpd 2.0.4
>> 22/tcp     open      ssh             OpenSSH 4.3 (protocol 1.99)
>> 23/tcp     open      telnet          Linux telnetd
>> 25/tcp     open      smtp            qmail smtpd
>> 80/tcp     open      http            Apache httpd 2.2.2 ((Fedora))
>> 110/tcp    open      pop3            qmail pop3d
>> 111/tcp    open      rpcbind         2 (rpc #100000)
>> 135/tcp    filtered  msrpc
>> 136/tcp    filtered  profile
>> 137/tcp    filtered  netbios-ns
>> 138/tcp    filtered  netbios-dgm
>> 139/tcp    filtered  netbios-ssn
>> 443/tcp    open      ssl/http        Apache httpd 2.2.2 ((Fedora))
>> 445/tcp    filtered  microsoft-ds
>> 593/tcp    filtered  http-rpc-epmap
>> 888/tcp    open      ssl/http        3ware 3DM2 Serial RAID http config 2.0
>> 10000/tcp  open      http            Webmin httpd
>> 27374/tcp  filtered  subseven
>>
>> Service Info: Hosts: kuroha.net, medxis002.my.domain; OSs: Unix, Linux; Device: storage-misc
>>
>> -------
>>
>> So if anyone wants to hack on some webmin, visit:
>> https://219.94.133.29:10000/
>> or for some sort of RAID configuration utility, visit:
>> https://219.94.133.29:888/
>>
>> Have fun,
>> Grant

-- 
Ed Jaeger
_______________________________________________ RLUG mailing list RLUG@rlug.org http://lists.rlug.org/mailman/listinfo/rlug
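An added example (mine, not from anyone in the thread) that does the auth.log check Grant describes by hand: it matches sshd "Failed password" lines in the classic Ubuntu syslog format, counts failures and distinct usernames per source address, and prints the `ALL:ip` lines in the hosts.deny form used above for sources over a threshold. The log lines are constructed samples; the hostname, PIDs, ports and the 10.0.0.7 address are made up, and 219.94.133.29 is the address named in the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Ubuntu /var/log/auth.log lines in the classic sshd
# format; the source address 219.94.133.29 is the one named in the thread.
SAMPLE_AUTH_LOG = """\
Nov  5 14:02:13 fileserver sshd[4120]: Invalid user admin from 219.94.133.29
Nov  5 14:02:13 fileserver sshd[4120]: Failed password for invalid user admin from 219.94.133.29 port 51022 ssh2
Nov  5 14:02:15 fileserver sshd[4122]: Invalid user test from 219.94.133.29
Nov  5 14:02:15 fileserver sshd[4122]: Failed password for invalid user test from 219.94.133.29 port 51023 ssh2
Nov  5 14:02:17 fileserver sshd[4124]: Failed password for root from 219.94.133.29 port 51024 ssh2
Nov  5 14:02:19 fileserver sshd[4126]: Failed password for invalid user guest from 219.94.133.29 port 51025 ssh2
Nov  5 14:10:40 fileserver sshd[4130]: Failed password for grant from 10.0.0.7 port 40212 ssh2
Nov  5 14:10:44 fileserver sshd[4130]: Accepted password for grant from 10.0.0.7 port 40212 ssh2
"""

# "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_source(log_text):
    # Map source IP -> list of usernames tried, one entry per failed attempt.
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)

def suspicious_sources(log_text, threshold=3):
    # Sources with at least `threshold` failures. A scripted name list shows
    # up as many distinct usernames from a single address in a short time.
    result = {}
    for ip, users in failed_logins_by_source(log_text).items():
        if len(users) >= threshold:
            result[ip] = {"failures": len(users), "distinct_users": len(set(users))}
    return result

def hosts_deny_lines(log_text, threshold=3):
    # Lines in the /etc/hosts.deny form used in the thread (ALL:ip).
    return ["ALL:%s" % ip for ip in sorted(suspicious_sources(log_text, threshold))]

if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_AUTH_LOG).items():
        print(ip, info)
    print("\n".join(hosts_deny_lines(SAMPLE_AUTH_LOG)))
```

The script only reports; it writes nothing to /etc/hosts.deny, so a single mistyped password from a legitimate user (like the 10.0.0.7 line) never gets anyone locked out automatically.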