Filtrar SSh por MAC

Morenisco morenisco en noc-root.net
Mar Oct 7 17:12:47 CLT 2008 

On Tue, October 7, 2008 2:21 pm, Aldrin Martoq wrote:

[...]

> Ahora, para que necesitas filtrar ssh? se supone que es bastante seguro,
> si sufres de paranoia, cambiarlo de puerto seria mas efectivo.

Naah, no es mas efectivo, por ejemplo, cambie el puerto de ssh al 222:

Nota: cambie la IP real por $IP

1) Escaneo basico:

growing:/etc/ssh# nmap $IP

Starting Nmap 4.62 ( http://nmap.org ) at 2008-10-07 17:03 CLT
Interesting ports on dhcp-santiago2-4fl-loc-10-153-250.cl.oracle.com
(10.157.153.250):
Not shown: 1708 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
222/tcp  open  rsh-spx
902/tcp  open  iss-realsecure
3128/tcp open  squid-http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.313 seconds

--> Algo con remote shell esta siendo indicado en el puerto 222.

2) Le hacemos un telnet al puerto 222:

growing:/etc/ssh# telnet $IP
Trying 10.157.153.250...
Connected to 10.157.153.250.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-2
^C^C^C^C^C^C^C
Connection closed by foreign host.

--> Sale al toke, es SSH...

3) Vamos a pedir mas info del puerto:

growing:/etc/ssh# nmap 10.157.153.250 -p 222 -v -sV

Starting Nmap 4.62 ( http://nmap.org ) at 2008-10-07 17:04 CLT
Initiating Parallel DNS resolution of 1 host. at 17:04
Completed Parallel DNS resolution of 1 host. at 17:04, 0.20s elapsed
Initiating SYN Stealth Scan at 17:04
Scanning XXX ($IP) [1 port]
Discovered open port 222/tcp on $IP
Completed SYN Stealth Scan at 17:04, 0.01s elapsed (1 total ports)
Initiating Service scan at 17:04
Scanning 1 service on XXX ($IP)
Completed Service scan at 17:04, 6.00s elapsed (1 service on 1 host)
SCRIPT ENGINE: Initiating script scanning.
Host XXX ($IP) appears to be up ... good.
Interesting ports on XXX ($IP):
PORT    STATE SERVICE VERSION
222/tcp open  ssh      (protocol 2.0)
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port222-TCP:V=4.62%I=7%D=10/7%Time=48EBCEDE%P=i686-pc-linux-gnu%r(NULL,
SF:20,"SSH-2\.0-OpenSSH_5\.1p1\x20Debian-2\r\n");

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.290 seconds
           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)

Intentar proteger los servicios via esconderlos no sirve, y se le denomina
"seciruty by obscurity".

Saludos.


-- 
Morenisco.

Centro de Difusión del Software Libre.
http://www.cdsl.cl
Blog: http://morenisco.belvil.eu

Más información sobre la lista de distribución Linux