kaniini / antissh

An IRC bot which monitors for compromised embedded devices being used as proxies.

Guess user/pass to try based on sshd server version #32

Closed df7cb closed 6 years ago

df7cb commented 6 years ago

We've successfully deployed last week's version of antissh on OFTC, and it has already caught 300-something bad hosts, so thanks! I'm not confident however with hammering everyone connecting with 20 ssh logins. Would it be possible to look at the sshd server version string, and make the list of users/passwords to try depend on that? I'd guess that would reduce the number of combinations that make sense to try by a great amount.

mweinelt commented 6 years ago

Probably possible when running in a callback-style fashion¹, but I'm not sure the added complexity is helpful, especially when it comes to mapping banners to login credentials.

On hackint we could reduce the amount of legitimate users being scanned drastically by whitelisting countries² where spam didn't originate from; maybe that can reduce the number of users you're hammering as well.

[1] https://asyncssh.readthedocs.io/en/latest/#callback-example
[2] https://github.com/kaniini/antissh/blob/master/antissh.conf.example#L38-L42

kaniini commented 6 years ago

sshd server version isn't reliable, but I was linked to some discussions involving key factorization. Looked into it, and we might be able to use known factors to constrain the logins checked. Basically MikroTik devices and other devices have weak keys.

e.g. http://btcbase.org/log/2018-08-10#1840633