This is a discussion on Suspicious Log Entry within the Linux Security forums, part of the System Security and Security Related category.
Could this indicate someone trying to ssh into my linux server?

Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from ::ffff:211.162.62.3
Oct 21 06:04:08 hp sshd[20948]: Did not receive identification string from ::ffff:211.162.62.3
Hello,

On Wed, 22 Oct 2003, Buck Turgidson wrote:

> Could this indicate someone trying to ssh into my linux server?
> Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from
> ::ffff:211.162.62.3

Yep.
It could indicate someone connected to your ssh's port for some other reason, but one thing's sure: Someone connected to your ssh's port.
I don't think it is an implementation of ssh, it would more probably say that it failed to authorize someone, then.

Hans-Werner Hilse
--
this Message is made of 100% recycled bits & bytes!
On Wed, 22 Oct 2003 16:49:02 +0200, Hans-Werner Hilse wrote:

>> Could this indicate someone trying to ssh into my linux server?
>> Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from
>> ::ffff:211.162.62.3
>
> Yep.
> It could indicate someone connected to your ssh's port for some other
> reason, but one thing's sure: Someone connected to your ssh's port.
> I don't think it is an implementation of ssh, it would more probably say
> that it failed to authorize someone, then.

There was no authorization. Sshd reports that it didn't receive an identification string in a case like this:

% telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1
^]                        <-- here we're closing the connection.
telnet> Connection closed.

And then we'll see in logs:

Oct 23 09:32:06 hannibal sshd[395]: Did not receive identification string from 127.0.0.1

Conclusion: someone dropped a connection just after establishing it.
Information gained: version of sshd server.

--
[ Wojtek Walczak - gminick (at) underground.org.pl ]
[ <http://gminick.linuxsecurity.pl/> ]
[ "...assorted turns of phrase, dulled by the patina of age." ]
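The reading Wojtek gives above (a client connects, reads the banner, and drops the connection before sending its own identification string) can be turned into a log check. This is an added example, not code from any poster: it parses syslog-style sshd lines like the ones quoted in this thread, strips the ::ffff: IPv4-mapped prefix so counts key on the plain address, and flags sources that did this several times within a short window, which is what an automated scanner looks like. The sample log is constructed from the two lines in the original post plus two made-up lines, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two entries from the original post, one unrelated
# successful login, and the single localhost entry from Wojtek's telnet test.
SAMPLE_LOG = """\
Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from ::ffff:211.162.62.3
Oct 21 06:04:08 hp sshd[20948]: Did not receive identification string from ::ffff:211.162.62.3
Oct 21 06:05:01 hp sshd[20951]: Accepted publickey for buck from 10.0.0.5 port 40212 ssh2
Oct 23 09:32:06 hannibal sshd[395]: Did not receive identification string from 127.0.0.1
"""

# Syslog-style sshd line; newer OpenSSH appends " port N" after the address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\S+)(?: port \d+)?$"
)

def normalize_addr(addr):
    """Strip the ::ffff: prefix sshd logs for IPv4 clients on a dual-stack socket."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def parse_line(line, year=2003):
    """Return (timestamp, source) for a matching line, else None; year is assumed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, normalize_addr(m["src"])

def find_banner_grabbers(lines, min_hits=2, window_s=60):
    """Map source -> total hits for sources with at least min_hits
    identification-string failures inside any window_s-second span."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src = parsed
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                flagged[src] = len(times)
                break
    return flagged
```

Run against the sample, only 211.162.62.3 is flagged (two drops two seconds apart); the single localhost entry from the telnet test stays below the threshold.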
On Thu, 23 Oct 2003, Wojtek Walczak wrote:

| On Wed, 22 Oct 2003 16:49:02 +0200, Hans-Werner Hilse wrote:
| >> Could this indicate someone trying to ssh into my linux server?
| >> Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from
| >> ::ffff:211.162.62.3
| >
| > Yep.
| > It could indicate someone connected to your ssh's port for some other
| > reason, but one thing's sure: Someone connected to your ssh's port.
| > I don't think it is an implementation of ssh, it would more probably say
| > that it failed to authorize someone, then.
|
| There was no authorization. Sshd reports that it didn't receive
| identification string in case like this:
|
| % telnet 127.0.0.1

This is supposed to be:

% telnet 127.0.0.1 22

| Trying 127.0.0.1...
| Connected to 127.0.0.1.
| Escape character is '^]'.
| SSH-1.99-OpenSSH_3.4p1
| ^] <-- here we're closing the connection.
| telnet> Connection closed.

Sandro
--
Bellum se ipsum alet
War feeds itself
Livy, Ab urbe condita, XXXIV, 9
> % telnet 127.0.0.1
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> SSH-1.99-OpenSSH_3.4p1
> ^] <-- here we're closing the connection.
> telnet> Connection closed.
>
> And then we'll see in logs:
>
> Oct 23 09:32:06 hannibal sshd[395]: Did not receive identification string from 127.0.0.1
>
> Conclusion: someone dropped a connection just after establishing it.
>
> Information gained: version of sshd server.

Thanks. Interesting. I keep my server patched, but is there a way to suppress the version display?
Buck Turgidson wrote:

>> % telnet 127.0.0.1
>> Trying 127.0.0.1...
>> Connected to 127.0.0.1.
>> Escape character is '^]'.
>> SSH-1.99-OpenSSH_3.4p1
>> ^] <-- here we're closing the connection.
>> telnet> Connection closed.
>>
>> And then we'll see in logs:
>>
>> Oct 23 09:32:06 hannibal sshd[395]: Did not receive identification
>> string from 127.0.0.1
>>
>> Conclusion: someone dropped a connection just after establishing it.
>>
>> Information gained: version of sshd server.
>
> Thanks. Interesting. I keep my server patched, but is there a way to
> suppress the version display?

No, that is an essential part of the ssh protocol. It negotiates through this what both ends can speak.

EJ
--
Remove the obvious part (including the dot) for my email address
http://www.vanwesten.net for OpenBSD ipf and pf examples
On Wed, 22 Oct 2003 13:25:09 GMT
"Buck Turgidson" <jc_va@hotmail.com> wrote:

> Could this indicate someone trying to ssh into my linux server?
> Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string
> from ::ffff:211.162.62.3

As you stated in the thread, someone dropped the connection. Most probably it was someone portscanning/banner-grabbing ssh-servers with an automated scanner, looking for vulnerable systems.

Your ssh-version appears to be quite old, btw ;-) 3.7.1 is current, check the last entries at http://www.openssh.org/security.html

-m-
--
- Liquid Information - http://www.liquidinfo.net
- E-mail: Remove NOS_PAM if present in address (Usenet)
- PGP: http://www.liquidinfo.net/about.html
"Buck Turgidson" <jc_va@hotmail.com> wrote in message news:<2c3ee04423f3e15ed22ad7fc7d5de67b@news.teranews.com>...

> Could this indicate someone trying to ssh into my linux server?
>
> Oct 21 06:04:06 hp sshd[20947]: Did not receive identification string from
> ::ffff:211.162.62.3
> Oct 21 06:04:08 hp sshd[20948]: Did not receive identification string from
> ::ffff:211.162.62.3

Buck;

It was just a worm scanning for a vulnerable version. If you're up on your patches, just forget it.

-m-