Network Security Nessus-Users
Nessus Scans are killing SSH daemon

Subject: Nessus Scans are killing SSH daemon
Date: Fri, 31 Mar 2006 16:34:55 +1100
Nessus appears to be killing our sshd daemon on a sarge box. Both
machines have all the latest updates; the Nessus host is running testing.

It is a fair distance away and seems to perhaps time out and then DoS the
host, which causes it to kill all incoming connections.
Restarting sshd fixes the problem.

I'm attempting to isolate which plugin is the culprit; the problem is
that we only recently realised our external host box had been classified
as a bad host by the firewall because of too many connection attempts,
so it has not been doing SSH attempts for a long time. This means it
could be any one of a number of plugins.

Is anyone else experiencing anything similar or can make more sense of
these logs?


Monitor Host:

nessus@monitor:~/NessusManager$ dpkg -l | grep nessus
ii  libnessus2              2.2.7-1                    Nessus shared libraries
ii  nessus                  2.2.5-4                    Remote network security auditor, the client
ii  nessus-plugins          2.2.7-1                    Nessus plugins
ii  nessusd                 2.2.5-4                    Remote network security auditor, the server

SSH after host has been scanned:

jheenan wormhole ~ [16:13:42] $ ssh -v -v home
OpenSSH_4.1p1 Debian-7ubuntu4.1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /home/jheenan/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to home [192.168.119.16] port 22.
debug1: Connection established.
debug1: identity file /home/jheenan/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/jheenan/.ssh/id_rsa type 1
debug1: identity file /home/jheenan/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

Syslog on the host just as the scan starts hitting it:

Mar 31 06:53:05 localhost sshd[28902]: debug1: PAM: setting PAM_TTY to "/dev/pts/8"
Mar 31 06:53:05 localhost sshd[28903]: debug1: Setting controlling tty using TIOCSCTTY.
Mar 31 06:53:08 localhost sshd[28876]: debug1: Forked child 28906.
Mar 31 06:53:08 localhost sshd[28906]: Connection from ::ffff:207.210.65.87 port 44025
Mar 31 06:53:16 localhost sshd[28876]: debug1: Forked child 28907.
Mar 31 06:53:16 localhost sshd[28907]: Connection from ::ffff:207.210.65.87 port 44037
Mar 31 06:53:25 localhost sshd[28876]: debug1: Forked child 28908.
Mar 31 06:53:25 localhost sshd[28908]: Connection from ::ffff:207.210.65.87 port 44049
Mar 31 06:53:27 localhost sshd[28876]: debug1: Forked child 28909.
Mar 31 06:53:28 localhost sshd[28909]: Connection from ::ffff:207.210.65.87 port 54429
Mar 31 06:53:28 localhost sshd[28909]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:28 localhost sshd[28909]: debug1: no match: check_ssh_1.27
Mar 31 06:53:28 localhost sshd[28909]: debug1: Enabling compatibility mode for protocol 2.0
Mar 31 06:53:28 localhost sshd[28909]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Mar 31 06:53:28 localhost sshd[28909]: debug1: do_cleanup
Mar 31 06:53:28 localhost sshd[28909]: debug1: PAM: cleanup
Mar 31 06:53:34 localhost sshd[28876]: debug1: Forked child 28911.
Mar 31 06:53:35 localhost sshd[28911]: Connection from ::ffff:207.210.65.87 port 44062
Mar 31 06:53:42 localhost sshd[28876]: debug1: Forked child 28912.
Mar 31 06:53:42 localhost sshd[28912]: Connection from ::ffff:207.210.65.87 port 54449
Mar 31 06:53:43 localhost sshd[28912]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:43 localhost sshd[28912]: debug1: no match: check_ssh_1.27
Mar 31 06:53:43 localhost sshd[28912]: debug1: Enabling compatibility mode for protocol 2.0
Mar 31 06:53:43 localhost sshd[28912]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Mar 31 06:53:43 localhost sshd[28912]: debug1: do_cleanup
Mar 31 06:53:43 localhost sshd[28912]: debug1: PAM: cleanup
Mar 31 06:53:43 localhost sshd[28876]: debug1: Forked child 28914.
Mar 31 06:53:43 localhost sshd[28914]: Connection from ::ffff:207.210.65.87 port 44074
Mar 31 06:53:52 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_input_channel_open: ctype direct-tcpip rchan 2 win 131072 max 32768
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 48870, target localhost port 4949
Mar 31 06:55:02 localhost sshd[27278]: debug1: channel 2: new [direct-tcpip]
Mar 31 06:55:02 localhost sshd[27278]: debug1: server_input_channel_open: confirm direct-tcpip
Mar 31 06:55:02 localhost sshd[27278]: debug1: channel 2: connected
Mar 31 06:55:03 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:08 localhost sshd[27278]: debug1: channel 2: free: direct-tcpip, nchannels 3
Mar 31 06:55:12 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:34 localhost sshd[28282]: fatal: Timeout before authentication for ::ffff:207.210.65.87
Mar 31 06:55:38 localhost sshd[28876]: debug1: drop connection #10

Thanks
-- 
Joel Heenan
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
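Two kinds of line in the syslog above are the diagnostic ones. sshd prints "drop connection #N" when it refuses a newly accepted TCP connection because N connections are already sitting unauthenticated (that is the MaxStartups limit; 10 was the default for this sshd generation), and it prints "Timeout before authentication" when such a lingering connection is finally reaped at LoginGraceTime expiry. A client refused at that moment sees exactly "ssh_exchange_identification: Connection closed by remote host", because the daemon closes the socket before sending its banner. The script below is an added example, not code from the post, from Nessus or from OpenSSH: it replays sshd debug lines of this shape and reconstructs the unauthenticated backlog per source so the scanner's behaviour can be measured rather than guessed at. The log it runs on is constructed to mirror the post (with documentation-range addresses instead of the poster's hosts), and the MaxStartups value that findings() assumes is a parameter, not something read from the host.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the sshd debug output quoted in the post.
# Addresses are from the RFC 5737 documentation ranges, not the original hosts.
SAMPLE_LOG = """\
Mar 31 06:53:08 localhost sshd[28876]: debug1: Forked child 28906.
Mar 31 06:53:08 localhost sshd[28906]: Connection from ::ffff:198.51.100.7 port 44025
Mar 31 06:53:16 localhost sshd[28876]: debug1: Forked child 28907.
Mar 31 06:53:16 localhost sshd[28907]: Connection from ::ffff:198.51.100.7 port 44037
Mar 31 06:53:28 localhost sshd[28876]: debug1: Forked child 28909.
Mar 31 06:53:28 localhost sshd[28909]: Connection from ::ffff:198.51.100.7 port 54429
Mar 31 06:53:28 localhost sshd[28909]: debug1: Client protocol version 2.0; client software version check_ssh_1.27
Mar 31 06:53:28 localhost sshd[28909]: debug1: do_cleanup
Mar 31 06:53:52 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:03 localhost sshd[28876]: debug1: drop connection #10
Mar 31 06:55:34 localhost sshd[28907]: fatal: Timeout before authentication for ::ffff:198.51.100.7
Mar 31 06:56:01 localhost sshd[28876]: debug1: Forked child 28920.
Mar 31 06:56:01 localhost sshd[28920]: Connection from ::ffff:192.0.2.10 port 51000
Mar 31 06:56:02 localhost sshd[28920]: debug1: do_cleanup
"""

# Message formats are those sshd itself emits at LogLevel DEBUG.
PID_RE = re.compile(r'sshd\[(\d+)\]: (.*)$')
CONN_RE = re.compile(r'^Connection from (\S+) port \d+')
VERSION_RE = re.compile(r'client software version (\S+)')
DROP_RE = re.compile(r'^debug1: drop connection #(\d+)')
TIMEOUT_RE = re.compile(r'^fatal: Timeout before authentication for (\S+)')


def analyse(log_text):
    """Replay sshd debug lines and reconstruct the backlog of connections that
    have been accepted but not yet authenticated, which is what MaxStartups
    counts against. A child leaves the backlog on do_cleanup (normal close)
    or on the LoginGraceTime fatal."""
    pending = {}              # child pid -> source address
    peak = 0                  # largest backlog seen
    connections = Counter()   # source -> connections accepted
    versions = Counter()      # client banner -> count
    drops = []                # backlog size at each refused connection
    timeouts = Counter()      # source -> LoginGraceTime expiries
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if (c := CONN_RE.match(msg)):
            pending[pid] = c.group(1)
            connections[c.group(1)] += 1
            peak = max(peak, len(pending))
        elif (v := VERSION_RE.search(msg)):
            versions[v.group(1)] += 1
        elif (d := DROP_RE.match(msg)):
            drops.append(int(d.group(1)))
        elif (t := TIMEOUT_RE.match(msg)):
            timeouts[t.group(1)] += 1
            pending.pop(pid, None)
        elif msg == 'debug1: do_cleanup':
            pending.pop(pid, None)
    return {
        'connections': dict(connections),
        'client_versions': dict(versions),
        'peak_unauthenticated': peak,
        'drops': drops,
        'timeouts': dict(timeouts),
        'still_pending': sorted(pending),
    }


def findings(report, max_startups=10):
    """Plain-language findings. max_startups is an assumed sshd MaxStartups
    value for the scanned host (10 is the historical default), used only to
    decide which sources count as noisy."""
    out = []
    if report['drops']:
        out.append('sshd refused %d connection(s) with %d unauthenticated connections '
                   'already pending (MaxStartups reached); refused clients see '
                   '"ssh_exchange_identification: Connection closed by remote host"'
                   % (len(report['drops']), max(report['drops'])))
    for src, n in report['timeouts'].items():
        out.append('%d connection(s) from %s held a startup slot until LoginGraceTime expired' % (n, src))
    for src, n in report['connections'].items():
        if n >= max_startups // 2:
            out.append('%s opened %d connections in this window; throttle the scanner or '
                       'raise MaxStartups with rate limiting' % (src, n))
    return out


if __name__ == '__main__':
    import sys
    for f in findings(analyse(sys.stdin.read())):
        print(f)
```

Run it over the auth log of a host whose sshd_config has LogLevel DEBUG (the level the post's log was taken at); the per-source counts tell you whether the scanner alone fills the backlog, and the still_pending list shows which children were left holding a slot when the log ends.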
