[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

Walter Hansen gandalf at sonic.net
Mon Oct 4 17:00:49 PDT 2004


This is a pretty good idea as far as I'm concerned. So long as there isn't
a link to the page somewhere and the directory the page is in isn't
scannable there's almost no way to find it without a specific brute force
password style attack on the directory in which the page is located. When
the page is requested from afar by you the computers in between are aware
of the request and the page location. Capturing this information and
making anything of it is quite another job and it's not very common that
administrators of upper level computers would stoop to this sort of thing
anyway. I'd avoid using ssh or ip in the name of the page or returning
much of anything (a 404 reply would be real nice). You could even put in a
cron event to delete (or null) the file after five or fifteen minutes if
you really want it tight.

I really like this idea; it got me thinking....
You could do the same thing with all sorts of stuff. Most html editors
like ftp, but I'll only put it up for the local network and then end up
working in vi or pico for remote work or doing the whole upload/download
thing after massaging the file locally. I wonder how secure it'd be to use
this for that?


> On Mon, Oct 04, 2004 at 01:25:32PM -0700, troy wrote:
>
>>
>> I have a php script whose name is hopefully tough to guess sitting on my
>> webserver.  Its purpose is to write out a file with the ip address of
>> the person who hits that page.  Then, in /etc/hosts.allow I have:
>>
>> sshd: 192.168.9.  #and so on, for ip's that I trust.
>> sshd: /path/to/ip.txt
>>
>> BTW, I think you've done the right things:
>>
>> 1) you watch your logs
>> 2) you're using strong(er) passwords
>> 3) allowing only your user
>
> Thanks to you & Ron for the reassuring words!
>
>>
>>
>> Oh, and just in case it wasn't clear, ioerror isn't really a "bad
>> guy" ;-)
>
> hmmmm...
>
>>
>> -troy
>>
>> The php script is exceedingly simple, so here it is...
>>
>> <?php
>>
>> function get_ip()
>> {
>> 	return getenv("REMOTE_ADDR");
>> }
>>
>> ?>
>>
>> <?php
>> $out='/path/to/ip.txt';
>> $log='/path/to/iplog.txt';
>>
>> print "Was:";
>> readfile($out);
>> print "<br>";
>> $ip=get_ip();
>> $fp=fopen($out,"w");
>> fputs($fp,$ip);
>> fclose($fp);
>>
>> $lfp=fopen($log,"a");
>> fputs($lfp,$ip);
>> fputs($lfp,"\n");
>> fclose($lfp);
>>
>> print "Wrote: ";
>> readfile($out);
>> ?>
>
> I too am exceedingly simple, so let me make sure I understand your script:
>
> Basically, if you call up this 'sort of secret' php page with a
> browser on some remote machine, it will log the ip address of that
> machine in a file on your home computer.  Then you can log into the
> home box via ssh because it will now see that new ip address in your
> home computer's hosts.allow file, by way of ip.txt.
>
> If I get it, that's pretty clever.  I don't know php, but it seems
> easy enough.  What are the chances of the page being hit by a
> spider-bot of some sort?  I guess an intruder would still need a
> proper user/password pair to get in.
>
> -dave.
>
>
> --
> Dave Sisley
> dsisley at arczip.com
> roth-sisley.net
>
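A hardened variant of the drop-file approach discussed in this thread, folding in Walter's suggestions (plain 404 reply, cron-style expiry of the file after a few minutes) on top of troy's script. This is an added example in Python, not troy's PHP script or anything from the list; it assumes the same `sshd: /path/to/ip.txt` line in hosts.allow and that `REMOTE_ADDR` is supplied by the web server's environment.

```python
import ipaddress
import os
import tempfile
import time


def parse_remote_addr(raw):
    """Accept only a syntactically valid single address. Anything else (empty,
    garbage, or something carrying extra tokens) is rejected, so nothing but a
    bare IP can ever be written into the file hosts.allow reads."""
    try:
        return str(ipaddress.ip_address((raw or "").strip()))
    except ValueError:
        return None


def record_ip(allow_file, ip):
    """Write the single trusted IP atomically (temp file + rename) so sshd's
    libwrap never sees a half-written ip.txt."""
    directory = os.path.dirname(allow_file) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(ip + "\n")
    os.chmod(tmp, 0o644)  # readable by sshd (root) as well as the web user
    os.replace(tmp, allow_file)


def expire_stale(allow_file, max_age_seconds, now=None):
    """Walter's cron idea: null the file once it is older than max_age.
    Returns True when the file was emptied (assumed 'now' for testing)."""
    now = time.time() if now is None else now
    try:
        age = now - os.stat(allow_file).st_mtime
    except FileNotFoundError:
        return False
    if age <= max_age_seconds:
        return False
    with open(allow_file, "w"):
        pass  # empty file: hosts.allow grants nothing extra
    return True


def handle_request(environ, allow_file):
    """Returns (http_status, recorded). The status is always a plain 404 so the
    page reveals nothing about ssh or IPs to a spider or a guesser."""
    ip = parse_remote_addr(environ.get("REMOTE_ADDR"))
    if ip is None:
        return "404 Not Found", False
    record_ip(allow_file, ip)
    return "404 Not Found", True
```

Run `expire_stale` from cron every few minutes with the same path; the access window then closes on its own even if the user forgets.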