[Openvas-discuss] Misleading messages about opened SSH-Port (22)

Thomas Reinke lists at securityspace.com
Fri Sep 11 16:41:11 CEST 2009


Ewgenij Zharovsky wrote:
> Hello everybody, I'm new to this list. I did some security scans with
> OpenVAS for my employer and ran into the following problem: OpenVAS
> reports the SSH port (22) to be opened almost on every run. Even in a
> run over a range of IPs, it gives me an opened SSH port for IPs where
> actually no machine is running. As well as for machines, where the
            ^^^^^^^^^^^^^^^^^^^^^

That sounds like someone (firewall?) is intercepting traffic and
responding on behalf of the nonexistent IP.

> 22nd port is blocked by the firewall... My question is, is this a bug
> or a feature and if there is a possibility to determine _reliably_ if
> the SSH port is opened or closed on a certain machine. And if it is
> possible, then what configuration shall I try for the OpenVAS? Thanks
> in advance, Evgeniy

Are you scanning through a firewall?  As an aside, beware, there can
be a lot of problems with that.

We've seen plenty of cases where an open port was missed for one reason
or another (network hiccups - as in mini-outages, latency issues
exceeding timeout limits, etc.) but we've never seen a case where a
scanner would report an open port where none was open. Every time that
issue has arisen, some piece of equipment, answering to the IP address
in question, really did open up the socket connection on the given port.

It would help if you could let us know
   a) which tests are tripping positive;
   b) was any signature reported for the port in question (such
      as a version of SSH running)

You may also want to investigate a packet capture utility.
A trace on port 22 would be very interesting to see.
tcpdump/wireshark are your friends here.

Thomas
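
Added example, not part of the original message: a single TCP connect to port 22 that records whether the handshake completed and whether the peer sent an SSH identification line, which is the "signature" asked about in (b). The function names and state labels are this example's own; a completed handshake with no SSH line, on an address where no host exists, is consistent with some other device answering for that IP.

```python
import socket

def classify(banner: bytes) -> str:
    """Label what the peer sent right after the TCP handshake."""
    # RFC 4253: the server identification line starts with "SSH-";
    # other lines may precede it.
    if any(line.startswith(b"SSH-") for line in banner.splitlines()):
        return "ssh"
    return "open-other" if banner else "open-silent"

def probe(host: str, port: int = 22, timeout: float = 3.0):
    """One TCP connect; returns (state, first line the peer sent)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("closed", "")                    # RST came back
    except OSError:
        return ("filtered-or-unreachable", "")   # timeout, no route, ...
    with sock:
        try:
            data = sock.recv(256)                # timeout inherited from connect
        except OSError:                          # recv timeout or reset
            data = b""
    lines = data.splitlines()
    first = lines[0].decode("ascii", "replace") if lines else ""
    return (classify(data), first)

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <address> [<address> ...]
    for target in sys.argv[1:]:
        print(target, *probe(target))
```

Running this alongside a tcpdump/wireshark capture on port 22 shows which device's packets produced each result.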


