SSH Scanning
SSH scanning can be very detrimental to a network and to the
machines on it. When an SSH server is compromised,
usually because a vulnerability on the server has been
exploited, it can begin to scan other machines over TCP
port 22, attempting to log on.
An example of this
action is found below. This is an off-campus machine
scanning a large number of hosts on the Texas A&M
University network. Only 1,000 attempts are shown in
the example, but over 226,000 were tried.
SSH Scanning Example
If a machine on the Texas A&M University campus is found
to be scanning other TAMU machines, or off-campus machines,
in this manner, it will be immediately blocked. To prevent
this from occurring, please keep your SSH
server updated with the latest patches, and make sure that strong
passwords are used.
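One way to spot the pattern described above (a single source trying TCP port 22 on many different hosts in a short time) in connection records. This is an added example, not the Network Security Team's own tooling. The record format (`timestamp source destination port`), the 10-host threshold, the 60-second window, and all addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def find_ssh_scanners(lines, min_hosts=10, window=timedelta(seconds=60)):
    """Return {source: peak count of distinct port-22 destinations inside one
    window} for sources whose peak reaches min_hosts. Input must be time-ordered."""
    recent = defaultdict(deque)                      # src -> (time, dst) in window
    hits = defaultdict(lambda: defaultdict(int))     # src -> dst -> count in window
    peak = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "22":
            continue                                 # malformed, or not SSH
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                                 # unparseable timestamp
        src, dst = parts[1], parts[2]
        queue, seen = recent[src], hits[src]
        queue.append((ts, dst))
        seen[dst] += 1
        while ts - queue[0][0] > window:             # expire old attempts
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        peak[src] = max(peak[src], len(seen))
    return {src: n for src, n in peak.items() if n >= min_hosts}

def sample_records():
    """Constructed records (documentation address ranges), not real traffic."""
    base, rows = datetime(2024, 1, 1), []
    for i in range(12):
        dst = f"198.51.100.{i + 1}"
        # Scanner: a new host every second.
        rows.append((base + timedelta(seconds=i), "203.0.113.9", dst, 22))
        # Admin workstation: repeated logins to the same two servers.
        rows.append((base + timedelta(seconds=5 * i), "192.0.2.10",
                     f"198.51.100.{1 + i % 2}", 22))
        # Backup host: twelve servers, but ten minutes apart.
        rows.append((base + timedelta(minutes=10 * i), "192.0.2.20", dst, 22))
        # Web client: many hosts, wrong port.
        rows.append((base + timedelta(seconds=i), "192.0.2.30", dst, 443))
    rows.sort()
    return [f"{t.isoformat()} {s} {d} {p}" for t, s, d, p in rows]

if __name__ == "__main__":
    for src, n in find_ssh_scanners(sample_records()).items():
        print(f"{src} tried SSH on {n} distinct hosts within 60 seconds")
```

Counting distinct destinations rather than total connections keeps an administrator who logs in to the same few servers repeatedly from being flagged.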
Please contact the CIS
Network Security Team with any questions.