hi everyone

i just wanted to announce a small project that many of you will be
noticing. well, those of you who track your logs. that is all of you now,
isn't it?  <smirk>

ok, basically, here's the deal: a friend of mine, a fellow grad student at
umich, does Internet wide SSH sweeps. he doesn't care much about it except
for statistical purposes. he's an OpenSSH developer, and one of his
research projects tracks SSH usage across the internet. he's preparing a
presentation for the LISA conference this december on his data to date.
one of the things i asked him about, but he's lacking, is data on
correlations of ssh, telnet and/or rsh.

this is where i come in: i have hacked his code, scanssh, to record not
only the SSH version, but also if i can connect to the standard telnet
port (23/TCP) and rsh (513/TCP, SSH's insecure cousin).

as such, if you look you'll probably see a series of connections from my
laptop (tank.cwru.edu), with log entries that look like this:

Oct 26 23:38:14 tank telnetd[17834]: ttloop:  read: Connection reset by peer
Oct 26 20:51:21 tank sshd[16949]: Disconnecting: Your ssh version is too old and is no longer supported.  Please install a newer version. 
Oct 26 20:51:59 tank sshd[15761]: Did not receive identification string from 127.0.0.1. 
Oct 26 20:53:48 tank rlogind[8591]: Connection from 127.0.0.1 on illegal port

if you track it, the version string i am using as a "client" is:

SSH-1.1-SSH_Telnet_RSH_Version_Mapper

my data output files wind up looking like this (IP, SSH/VERSION, telnet
boolean, rsh boolean):

10.10.32.1 SSH-1.99-OpenSSH_3.0, 0, 0
10.10.2.20 SSH-1.5-OpenSSH_2.5.2, 0, 0
10.10.2.21 <refused>, 1, 0
10.10.1.100 SSH-1.99-SSH.COM, 1, 1
10.10.2.200 <refused>, 1, 1

anyhow, just giving you guys some heads up. i'll be sharing the data with
niels (of course), CNS (they're curious about statistics, too), and you
guys since, well, thanks for taking the time to read this and putting up
with my eccentric behavior.

you can find out more info on the following pages:

http://www.citi.umich.edu/u/provos
http://www.openssh.com/

:)		jose		jose@cwru.edu
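
An added example, not part of the original post or of scanssh: a small Python parser for the output format quoted above (IP, SSH banner or `<refused>`, telnet boolean, rsh boolean). It tabulates which service combinations occur and lists hosts that answer SSH while still exposing telnet or rsh. The function names are hypothetical, and the input is the five sample records from the post.

```python
from collections import Counter

# The five sample records shown in the post, in its output format:
# IP, SSH banner or <refused>, telnet boolean, rsh boolean
SAMPLE = """\
10.10.32.1 SSH-1.99-OpenSSH_3.0, 0, 0
10.10.2.20 SSH-1.5-OpenSSH_2.5.2, 0, 0
10.10.2.21 <refused>, 1, 0
10.10.1.100 SSH-1.99-SSH.COM, 1, 1
10.10.2.200 <refused>, 1, 1
"""

def parse_line(line):
    """Return (ip, banner_or_None, telnet_open, rsh_open) for one record."""
    # Split from the right so a comma inside a banner cannot shift the flags.
    head, telnet, rsh = (part.strip() for part in line.rsplit(",", 2))
    ip, banner = head.split(None, 1)
    if telnet not in ("0", "1") or rsh not in ("0", "1"):
        raise ValueError("bad boolean field in record: %r" % line)
    if banner == "<refused>":
        banner = None
    return ip, banner, telnet == "1", rsh == "1"

def ssh_protocol(banner):
    """Protocol field of an identification string SSH-<proto>-<software>."""
    return banner.split("-", 2)[1]

def summarize(text):
    """Count (ssh, telnet, rsh) combinations and list SSH hosts that
    also accept connections on a cleartext login port."""
    table = Counter()
    ssh_with_legacy = []
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the data file
        ip, banner, telnet, rsh = parse_line(line)
        table[(banner is not None, telnet, rsh)] += 1
        if banner is not None and (telnet or rsh):
            ssh_with_legacy.append(ip)
    return table, ssh_with_legacy

if __name__ == "__main__":
    table, mixed = summarize(SAMPLE)
    for (ssh, telnet, rsh), n in sorted(table.items()):
        print("ssh=%d telnet=%d rsh=%d hosts=%d" % (ssh, telnet, rsh, n))
    print("ssh plus telnet/rsh:", ", ".join(mixed))
```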
