Sample Trace:
06:29:38.496457 IP 192.168.10.123.1237 > 192.168.10.22.22: S 3385009596:3385009596(0) win 16384 <mss 1460,nop,nop,sackOK>
Description:
TCP port 22 is the registered port for SSH (Secure Shell), versions 1 and 2. SSH is a network protocol that exchanges data over an authenticated, encrypted channel. It is most commonly used for interactive command-line sessions and remote command execution, but it can also forward (tunnel) arbitrary TCP connections and X11 traffic through that channel.
SSH also carries SCP (Secure Copy) and SFTP (Secure FTP) file transfers, and serves as a replacement for the rsh/rlogin family of remote-shell tools.
SSH clients can authenticate with SSH keys, which allow password-less logins (the private key can and should be protected with a passphrase), or with a password. Password authentication is the weaker choice: it can be brute-forced, and a client that is tricked into accepting a fraudulent host key hands its password to a man-in-the-middle who can reuse it, whereas a public-key signature is bound to that specific session and cannot be replayed against the real server.
SSH v1 should be considered obsolete: the protocol itself has inherent weaknesses (its CRC-32 integrity check can be bypassed to inject data into a session), which no implementation can fix. A second inherent weakness, in both versions, is that the protocol only provides trust-on-first-use: the server's host key must be trusted (and verified out of band) by the remote user, and users' public keys must be trusted by the server administrator, so the scheme is only as strong as that key management.
Causes:
There are ongoing scans for this port; when a live server is found, the scanner attempts to brute-force passwords for common accounts, including root. I've personally seen up to 2000 failed connections in a 24-hour period.
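This kind of brute forcing is easy to spot from the server side in the auth log. The following is an added example (not from the original page or from OpenSSH) that tallies "Failed password" lines per source address and reports the sources over a threshold; the log lines, hostname, PIDs and addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address
# from auth.log-style sshd lines and report sources over a threshold.
# The log lines below are constructed for this example, not real data.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 06:29:40 bastion sshd[2201]: Failed password for root from 198.51.100.17 port 1237 ssh2
Mar  3 06:29:41 bastion sshd[2201]: Failed password for root from 198.51.100.17 port 1238 ssh2
Mar  3 06:29:43 bastion sshd[2203]: Failed password for invalid user admin from 198.51.100.17 port 1240 ssh2
Mar  3 06:29:44 bastion sshd[2205]: Failed password for invalid user oracle from 198.51.100.17 port 1241 ssh2
Mar  3 06:31:02 bastion sshd[2210]: Failed password for alice from 192.0.2.9 port 50122 ssh2
Mar  3 06:31:10 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.9 port 50123 ssh2
Mar  3 06:32:55 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 3021 ssh2
Mar  3 06:32:56 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 3022 ssh2
Mar  3 06:32:57 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 3023 ssh2
EOF

# failed_by_source LOGFILE
# Prints "<count> <ip>" for every source with at least one failed password,
# most failures first.  Handles both "for USER from IP" and
# "for invalid user USER from IP" by keying on the token after "from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# brute_force_sources LOGFILE THRESHOLD
# Prints only the source addresses with at least THRESHOLD failures;
# a single typo from a legitimate user (192.0.2.9 above) is not reported.
brute_force_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# root_targeted LOGFILE
# Prints how many failed attempts named root, the account the Causes
# section singles out as the usual target.
root_targeted() {
    awk '/Failed password for root from/ { c++ } END { print c+0 }' "$1"
}

# Usage: brute_force_sources /var/log/auth.log 20
brute_force_sources "$SAMPLE_LOG" 3
```

Run it against the real auth log with a threshold that suits your traffic; the addresses it prints are candidates for the firewall rate limiting and lockout tools discussed under Suggestions.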
Suggestions:
Disable SSH v1; this protocol is to be considered obsolete.
Disable direct root login over SSH; root should never have direct remote access.
If possible, disable password authentication and use key authentication instead.
If possible, move the listener to another port. This cuts down the noise from opportunistic brute-force scans but is not a substitute for the other measures, since a targeted attacker will find the port.
Rate-limit incoming connections on a firewall (on Linux, iptables' limit and state modules).
If password authentication is still being used, consider pam_tally (Linux), DenyHosts, or pam_abl (Linux; you need the development code for the latest version) to lock out or slow down brute-force attempts.
Restrict what the user accounts can do: use rbash (restricted bash), or chroot the accounts (though chrooting can be a great deal of work).
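Putting the suggestions above together, here is an added example (not from the original page or from the OpenSSH project) that prints the weak sshd_config settings next to the hardened ones, emits iptables rate-limit rules using the state and recent modules, and audits a config file for the red flags. The port number 2222, the group name sshusers and both sample configs are assumptions made for the example; the Protocol directive only matters on older OpenSSH releases that still implement v1, newer ones ignore it.

```shell
#!/bin/sh
# Added example: hardened sshd_config directives beside a typical weak
# config, iptables rate-limit rules, and an audit of an existing file.
# Directive names are OpenSSH's; the sample configs are constructed for
# this example, and the iptables rules are printed rather than applied.

# hardened_sshd_config
# Prints the directives implementing the Suggestions list.  Port 2222 and
# the "sshusers" group are assumptions for the example; pick your own.
hardened_sshd_config() {
    cat <<'EOF'
Protocol 2
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowGroups sshusers
EOF
}

# ssh_ratelimit_rules PORT
# Prints iptables rules that accept established traffic, then admit at most
# 4 new connections per source per minute to PORT: the "recent" module
# records each NEW connection and drops the 5th one seen within 60 seconds.
ssh_ratelimit_rules() {
    port="$1"
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
EOF
}

# audit_sshd_config FILE
# Prints one finding per weak setting (comments and blank lines ignored),
# so empty output means none of this page's red flags are present.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = tolower($1); val = tolower($2) }
        key == "protocol" && val ~ /1/ { print "Protocol " $2 ": SSH v1 enabled" }
        key == "permitrootlogin" && val == "yes" { print "PermitRootLogin yes: direct root login allowed" }
        key == "passwordauthentication" && val == "yes" { print "PasswordAuthentication yes: brute-forceable" }
    ' "$1"
}

# Constructed weak config, typical of an unhardened install of the era.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# sshd_config (constructed for this example)
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
hardened_sshd_config >"$HARD_CFG"

# Usage: audit_sshd_config /etc/ssh/sshd_config
echo "weak config findings:"
audit_sshd_config "$WEAK_CFG"
echo "hardened config findings:"
audit_sshd_config "$HARD_CFG"
echo "firewall rules:"
ssh_ratelimit_rules 2222
```

Apply the directives by editing /etc/ssh/sshd_config and restarting sshd from a session you keep open, so a mistake cannot lock you out; the audit function is useful in a cron job to catch a config that has drifted back to the weak settings.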
Links
OpenSSH - The most common SSH Server in use today.
Incidents.org - A graph of current port scans for SSH services.