
Thread: Re: Customer-facing ACLs




Re: Customer-facing ACLs
United States
2008-03-08 00:59:17
> Port 22 outbound? And 23?  Telnet and SSH _outbound_ cause that much of a
> concern? I can only assume it's to stop clients' exploited boxen being used
> to anonymise further telnet/ssh attempts - but have to admit this
> discussion is the first I've heard of it being done 'en masse'.

On one test machine that I leave SSH unfirewalled on, I'll see 200-4000 SSH
login attempts per day, trying to brute force it. Let's see, this morning in
an eight-minute span from one IP in Aruba 100 attempts for root; other
usernames attempted include admin, staff, sales, office, alias, stud (!),
trash, guest, test, oracle, a few personal names, apache, svn, iraf, swsoft,
gast, sirsi and nagios. And this is a relatively slow day.

Telnet I wouldn't know about, but I'm told bots will try to force it as
well.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com
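The pattern Dave describes (hundreds of failed logins per day, with a burst of 100 attempts for root in eight minutes from one address, and a long list of guessed usernames) is exactly what a small auth-log summariser should surface. The following is an added example, not code from the thread: it parses OpenSSH "Failed password" syslog lines, tallies attempts and usernames per source IP, and flags any source that exceeds a threshold inside a sliding window. The sample log lines are constructed, the syslog year is assumed to be 2008 (syslog timestamps carry no year), and the window/threshold defaults simply mirror the numbers in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: syslog lines carry no year, so we pin one (the thread is from 2008).
SYSLOG_YEAR = 2008

# Matches OpenSSH "Failed password" lines; "invalid user" is present when the
# account does not exist on the host at all.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line):
    """Return (timestamp, username, source_ip) for a failed login, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["user"], m["ip"]


def summarize(events):
    """Per source IP: total attempts and the sorted list of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for _ts, user, ip in events:
        stats[ip]["attempts"] += 1
        stats[ip]["users"].add(user)
    return {ip: {"attempts": s["attempts"], "users": sorted(s["users"])}
            for ip, s in stats.items()}


def find_bursts(events, threshold=100, window=timedelta(minutes=8)):
    """Source IPs with at least `threshold` failures inside any sliding `window`.
    Defaults mirror the burst in the post: 100 attempts in eight minutes."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        j = 0
        for i in range(len(times)):
            # advance the right edge while it stays inside the window of times[i]
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def build_sample_log():
    """Constructed sample auth log: one source hammering the host for 5.5 minutes,
    one slow source, and an unrelated successful login that the parser ignores."""
    base = datetime(SYSLOG_YEAR, 3, 8, 8, 0, 0)
    users = ["root"] * 6 + ["admin", "staff", "sales", "office", "stud", "nagios"]
    lines = []
    for i, user in enumerate(users):
        t = base + timedelta(seconds=30 * i)
        tag = "" if user == "root" else "invalid user "
        lines.append(f"{t:%b} {t.day:2d} {t:%H:%M:%S} host sshd[{1000 + i}]: "
                     f"Failed password for {tag}{user} from 203.0.113.5 port {50000 + i} ssh2")
    for k in range(2):
        t = base + timedelta(minutes=10 * k)
        lines.append(f"{t:%b} {t.day:2d} {t:%H:%M:%S} host sshd[{2000 + k}]: "
                     f"Failed password for root from 198.51.100.7 port {40000 + k} ssh2")
    lines.append(f"{base:%b} {base.day:2d} {base:%H:%M:%S} host sshd[3000]: "
                 f"Accepted publickey for dave from 192.0.2.8 port 41000 ssh2")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_line, build_sample_log()) if e]
    for ip, s in summarize(events).items():
        print(ip, s["attempts"], "attempts, users:", ", ".join(s["users"]))
    # lower the threshold so the small constructed sample trips it
    print("bursts:", find_bursts(events, threshold=10))
```

The sliding-window count is what distinguishes a burst from the steady background Dave mentions: a source that spreads 100 guesses over a day never trips the eight-minute window, while the Aruba-style source does. On a real host the same parser works over `/var/log/auth.log` (or `journalctl -u ssh` output) read line by line.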





Re: Customer-facing ACLs
New Zealand
2008-03-08 01:44:23


On Sat, 8 Mar 2008, Dave Pooser wrote:

>
>> Port 22 outbound? And 23?  Telnet and SSH _outbound_ cause that much of a
>> concern? I can only assume it's to stop clients' exploited boxen being used
>> to anonymise further telnet/ssh attempts - but have to admit this
>> discussion is the first I've heard of it being done 'en masse'.
>
> On one test machine that I leave SSH unfirewalled on, I'll see 200-4000 SSH
> login attempts per day, trying to brute force it. Let's see, this morning in
> an eight-minute span from one IP in Aruba 100 attempts for root; other
> usernames attempted include admin, staff, sales, office, alias, stud (!),
> trash, guest, test, oracle, a few personal names, apache, svn, iraf, swsoft,
> gast, sirsi and nagios. And this is a relatively slow day.
>
> Telnet I wouldn't know about, but I'm told bots will try to force it as
> well.


Oh, there's plenty of names in one of my server logs too... looks almost
like they've gone through a name-choosing handbook.

I can understand the logic of dropping the port, but there's some
additional thought involved when looking at port 22 - maybe I'm not
well-read enough, but the bots I've seen that are doing SSH scans, etc.,
are not usually on Windows systems. I can figure them working on Linux and
MacOS systems - but surely the vast majority of 'vulnerable' hosts are
those running OSes coming from our favourite megacorp? Which typically
don't come shipped with either an SSH server or an SSH client...?

To me, at least half the users likely to be running either Linux or Mac
are going to be the same users who're going to request they be allowed
outbound SSH.... Is the blocking of outbound SSH considered to be
sufficiently useful that we're advocating it these days?

(Aren't we all just moving SSH to non-standard ports within our
networks anyway?)

... Mark.


Re: Customer-facing ACLs
Australia
2008-03-08 02:28:24
On Sat, Mar 08, 2008, Mark Foster wrote:
>
> To me, at least half the users likely to be running either Linux or Mac
> are going to be the same users who're going to request they be allowed
> outbound SSH.... Is the blocking of outbound SSH considered to be
> sufficiently useful that we're advocating it these days?
>
> (Aren't we all just moving SSH to non-standard ports within our
> networks anyway?)

.. I'm surprised botnets aren't big enough right now to do surreptitious port
scans of machines (there's 'only' 64k ports nowadays!) over timeframes measured
in weeks, from arbitrary bots (i.e., not a single IP) to get a scanning footprint
to later submit in the "crack" queue.

Makes me think about Google, to be honest.

Who has more machines, botnets or Google?




Adrian
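The scan Adrian imagines (a whole port range covered over weeks, a few ports per bot, never enough from one address to trip a per-source scan detector) is invisible to the usual "N ports from one IP in M seconds" rule. What does catch it is aggregating by target rather than by source. The following is an added example, not code from the thread: it buckets firewall deny events per destination host over a long window and flags a host when many distinct ports were probed while no single source touched more than a handful of them. The events and all thresholds are constructed; the two-week window and the per-source cap are assumptions chosen to illustrate the pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a fixed two-week bucket is long enough to see a slow scan whole.
WINDOW = timedelta(days=14)


def bucket_events(events, window=WINDOW):
    """Group (ts, src_ip, dst_ip, dst_port) deny events by (dst_ip, window index).

    Buckets are fixed-size and start at the earliest event; a scan straddling
    a bucket boundary would be split, which is acceptable for a demonstration."""
    if not events:
        return {}
    start = min(ts for ts, _src, _dst, _port in events)
    buckets = defaultdict(list)
    for ts, src, dst, port in events:
        buckets[(dst, (ts - start) // window)].append((src, port))
    return buckets


def find_slow_scans(events, window=WINDOW, min_ports=50, max_per_source=5):
    """Targets where >= min_ports distinct ports were probed in one window while
    every individual source probed at most max_per_source ports.

    A single noisy scanner fails the second test (it is caught by ordinary
    per-source scan detection instead); a distributed low-and-slow scan passes both."""
    flagged = {}
    for (dst, _idx), hits in bucket_events(events, window).items():
        ports_by_src = defaultdict(set)
        for src, port in hits:
            ports_by_src[src].add(port)
        distinct_ports = set.union(*ports_by_src.values())
        busiest = max(len(p) for p in ports_by_src.values())
        if len(distinct_ports) >= min_ports and busiest <= max_per_source:
            flagged[dst] = {
                "ports": len(distinct_ports),
                "sources": len(ports_by_src),
                "max_ports_per_source": busiest,
            }
    return flagged


def build_sample_events():
    """Constructed deny-log events: a distributed slow scan of 192.0.2.10,
    one fast single-source scan of 192.0.2.20, and background noise on 192.0.2.30."""
    base = datetime(2008, 3, 1)
    events = []
    # 60 bot sources, two ports each, spread across ~12 days
    for i in range(60):
        src = f"198.51.100.{i + 1}"
        ts = base + timedelta(hours=5 * i)
        for k in range(2):
            events.append((ts + timedelta(minutes=k), src, "192.0.2.10", 1000 + 2 * i + k))
    # one loud scanner sweeping 100 ports in 100 seconds
    for p in range(100):
        events.append((base + timedelta(seconds=p), "203.0.113.9", "192.0.2.20", 2000 + p))
    # a few stray hits that no rule should care about
    for p in (22, 23, 80):
        events.append((base + timedelta(days=3), "203.0.113.44", "192.0.2.30", p))
    return events


if __name__ == "__main__":
    for dst, info in find_slow_scans(build_sample_events()).items():
        print(f"{dst}: {info['ports']} ports from {info['sources']} sources, "
              f"max {info['max_ports_per_source']} ports per source")
```

The interesting property is that the loud scanner and the slow botnet both reach 100+ distinct ports on their target, yet only the botnet case is reported here: the per-source cap is what separates "many bots, a little each" from "one host, everything at once". In practice both rules run side by side, since each is blind to the other's case.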


