SSH newbie interested in security concerns (Linux Security forums, System Security and Security Related category)
I am using Slackware 9.1 and recently decided to try out some basic ethernet usage. I connected another machine with the same OS via a crossover cable and by using some straightforward online tutorials got NFS up and running. I can ping both ways and mount the drives. I then tried out ssh to see if I could do some basic stuff in that way. Things looked fine and everything is working as I thought it would, again using some very basic online help type pages.

The next step in my learning process was IP masquerading and trying to use the client to dial on the server. I use a dial-up with dynamic IP addresses btw. It worked just fine, much to my surprise to be honest. ;-) In my testing and such I kept an eye on the logs and found something which made me wonder if I am really doing anywhere near enough in regards to security now that I am using such new services.

Here is what my /var/log/messages has been spitting out:

Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
Nov 21 21:18:44 celephais sshd[9557]: Failed password for root from 202.164.35.46 port 43466 ssh2
Nov 21 21:18:48 celephais sshd[9559]: Failed password for root from 202.164.35.46 port 43899 ssh2
Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
Nov 21 21:18:57 celephais sshd[9563]: Illegal user iceuser from 202.164.35.46
Nov 21 21:18:57 celephais sshd[9563]: Failed password for illegal user iceuser from 202.164.35.46 port 44517 ssh2
Nov 21 21:19:01 celephais sshd[9565]: Illegal user horde from 202.164.35.46
Nov 21 21:19:01 celephais sshd[9565]: Failed password for illegal user horde from 202.164.35.46 port 44965 ssh2
Nov 21 21:19:05 celephais sshd[9567]: Illegal user cyrus from 202.164.35.46
Nov 21 21:19:05 celephais sshd[9567]: Failed password for illegal user cyrus from 202.164.35.46 port 45393 ssh2
Nov 21 21:19:09 celephais sshd[9569]: Illegal user www from 202.164.35.46
Nov 21 21:19:09 celephais sshd[9569]: Failed password for illegal user www from 202.164.35.46 port 45870 ssh2
Nov 21 21:19:14 celephais sshd[9571]: Illegal user wwwrun from 202.164.35.46
Nov 21 21:19:14 celephais sshd[9571]: Failed password for illegal user wwwrun from 202.164.35.46 port 46297 ssh2
Nov 21 21:19:18 celephais sshd[9573]: Illegal user matt from 202.164.35.46
Nov 21 21:19:18 celephais sshd[9573]: Failed password for illegal user matt from 202.164.35.46 port 46714 ssh2
Nov 21 21:19:22 celephais sshd[9575]: Illegal user test from 202.164.35.46
Nov 21 21:19:22 celephais sshd[9575]: Failed password for illegal user test from 202.164.35.46 port 46896 ssh2
Nov 21 21:19:27 celephais sshd[9577]: Illegal user test from 202.164.35.46
Nov 21 21:19:27 celephais sshd[9577]: Failed password for illegal user test from 202.164.35.46 port 47392 ssh2
Nov 21 21:19:31 celephais sshd[9579]: Illegal user test from 202.164.35.46
Nov 21 21:19:31 celephais sshd[9579]: Failed password for illegal user test from 202.164.35.46 port 47885 ssh2
Nov 21 21:19:36 celephais sshd[9581]: Illegal user test from 202.164.35.46
Nov 21 21:19:36 celephais sshd[9581]: Failed password for illegal user test from 202.164.35.46 port 48302 ssh2
Nov 21 21:19:40 celephais sshd[9583]: Illegal user www-data from 202.164.35.46
Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2

and so on. This certainly seems to indicate a repetitive attempt to intrude into my system using sshd. How concerned should I be, and what can I do to help ensure failures on their part? I have tried numerous websearches but cannot seem to nail down any real info directly relating to these data.

Thanks in advance,

cothrige

cothrige wrote:
> I am using Slackware 9.1 and recently decided to try out some basic
> ethernet usage. I connected another machine with the same OS via a
> crossover cable and by using some straightforward online tutorials got NFS
> up and running. I can ping both ways and mount the drives. I then tried
> out ssh to see if I could do some basic stuff in that way. Things looked
> fine and everything is working as I thought it would, again using some
> very basic online help type pages.
>
> The next step in my learning process was IP masquerading and trying to use
> the client to dial on the server. I use a dial-up with dynamic IP
> addresses btw. It worked just fine, much to my surprise to be honest. ;-)
> In my testing and such I kept an eye on the logs and found something which
> made me wonder if I am really doing anywhere near enough in regards to
> security now that I am using such new services.
>
> Here is what my /var/log/messages has been spitting out:
<...snip...>

this kind of attack was mentioned in a few early posts.

as long as you have strong passwords (and your users don't give away their password) and sshd is configured correctly then you shouldn't worry too much about it. you'll see MANY more attempts to hack into your machine in the future, get used to huge logs.

i hope you have a firewall in front of this machine?

--
Marco Benton - BOFH, BSMFH
Network Consultant
BOFH excuse #317: The cause of the problem is: Your EMAIL is now being delivered by the USPS.

On Wed, 24 Nov 2004 20:42:54 -0500, Marco Benton - BOFH wrote:

> this kind of attack was mentioned in a few early posts.
>
> as long as you have strong passwords (and your users don't give away
> their password) and sshd is configured correctly then you shouldn't
> worry too much about it. you'll see MANY more attempts to hack into
> your machine in the future, get used to huge logs.

I am the only user at this time, and I think my passwords are generally good. Let me mention that when I started I followed the very simple suggestion I saw online consisting of typing nothing more than 'ssh hostname' and then giving the password. This seemed okay to me at the time, and as far as I know is. But, today I went through with ssh-keygen and a passphrase and am now using that method. I guess I figured that since it was harder to set up it must be better :-) Do you have any thoughts about which is a better way to go?

I have seen that there is also hostbased authorization but I was not sure if that was more secure or less than what I am doing now. But, in any case, I couldn't make heads or tails of what to do to get that going anyway. (By my logic it must be really good then, right?) I could never locate any suggestions of how to create an shosts.equiv file, or any of the others mentioned for that matter, and the man page just plain is unhelpful in this case. Any thoughts about the best method of the three, and if the last is better, of where I can find some suggestions on setting it up?

> i hope you have a firewall in front of this machine?

Yes, I have one, and as far as I can tell it is operational. I have to admit that the iptables syntax was at least as confusing to me as the ssh setup. I got a firewall from a poster here, Tim Haynes I believe, and he helped me to get it running and also to make some basic changes in my system to make it somewhat more secure. Very helpful and while I have learned quite a bit about much since then, I cannot claim to have ever made any progress with iptables. Hopefully one day...

Thanks,

cothrige

cothrige wrote:
> I have seen that there is also hostbased authorization but I was
> not sure if that was more secure or less than what I am doing now. But,
> in any case, I couldn't make heads or tails of what to do to get that
> going anyway. (By my logic it must be really good then, right?) I could
> never locate any suggestions of how to create an shosts.equiv file, or any
> of the others mentioned for that matter, and the man page just plain is
> unhelpful in this case. Any thoughts about the best method of the three,
> and if the last is better, of where I can find some suggestions on setting
> it up?

Don't know about Slackware but a lot of distros now link network service daemons with the tcp wrappers lib, configured by /etc/hosts.allow and /etc/hosts.deny - see man 5 hosts_access. Of course, most of the restrictions can be implemented via iptables.

If feasible I'd definitely recommend anyone securing a machine to restrict access based on remote ip. It's not a solution in itself but it cuts down on a lot of noise.

Also, openssh allows you to only allow users in specific groups to login via ssh - again, if feasible I'd recommend using this.

Oh, and one more thing - don't get so excited every time you see something dodgy in your logs - after all, it probably got logged 'cos the bad guy failed to achieve her objective.

HTH

C.

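Colin's tcp wrappers suggestion, as an added example that is not from the thread: a small evaluator that applies hosts.allow and hosts.deny in the order hosts_access(5) specifies, so a rule set can be checked against a client address before anyone relies on it. The rule files are constructed; the caveat is that sshd only honours these files when it was linked against libwrap (OpenSSH dropped that support in 6.7), so `ldd` on the sshd binary should list libwrap before this layer is counted on.

```python
"""Decide whether tcp_wrappers would admit a client, from hosts.allow/hosts.deny.

Added example, not from the thread. It follows the order in hosts_access(5):
a matching rule in hosts.allow grants access, otherwise a matching rule in
hosts.deny refuses it, otherwise access is granted. Handled here: the
daemon_list : client_list form, the ALL wildcard, trailing-dot prefixes
("192.168.0."), net/mask and net/prefixlen pairs, literal addresses, and the
EXCEPT operator. Hostname patterns, LOCAL/KNOWN/PARANOID and the optional
third (shell command) field are out of scope.
"""
import ipaddress


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                          # malformed rule: skipped (tcp_wrappers logs and ignores it)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_client(pattern, ip):
    """Match one client_list token against an ipaddress object."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.0." matches 192.168.0.*
        return str(ip).startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." in mask:                       # old style net/mask: 192.168.0.0/255.255.255.0
            m = int(ipaddress.IPv4Address(mask))
            return int(ipaddress.IPv4Address(net)) & m == int(ip) & m
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False                          # hostname patterns are not resolved here


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(tokens, value, match_one):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not; nesting is right-associative."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value, match_one) and not match_list(tokens[i + 1:], value, match_one)
    return any(match_one(t, value) for t in tokens)


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if the client may reach the daemon under these two files."""
    ip = ipaddress.ip_address(client_ip)
    for rules, verdict in ((parse_rules(allow_text), True), (parse_rules(deny_text), False)):
        for daemons, clients in rules:
            if match_list(daemons, daemon, match_daemon) and match_list(clients, ip, match_client):
                return verdict                # first match in allow, then in deny, decides
    return True                               # no rule matched: access granted


# Constructed rule files, mirroring the setup cothrige describes: deny
# everything, then let one LAN machine reach sshd.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.168.0.2\n"
# A wider LAN rule with one excluded host, to show EXCEPT.
HOSTS_ALLOW_LAN = "sshd: 192.168.0. EXCEPT 192.168.0.99\n"

if __name__ == "__main__":
    for client in ("192.168.0.2", "202.164.35.46"):
        print(client, "->", "allowed" if hosts_access("sshd", client, HOSTS_ALLOW, HOSTS_DENY) else "refused")
```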
On Thu, 25 Nov 2004 13:32:13 +0000, Colin McKinnon wrote:

> Don't know about Slackware but a lot of distros now link network service
> daemons with the tcp wrappers lib, configured by /etc/hosts.allow and
> /etc/hosts.deny - see man 5 hosts_access. Of course, most of the
> restrictions can be implemented via iptables.

I put ALL: ALL in hosts.deny and then used the hosts.allow to allow my other machine to connect. It seemed to work as I could not connect before changing hosts.allow; I checked it first to see if it did anything in this instance. I didn't really know if ssh was using these files.

> If feasible I'd definitely recommend anyone securing a machine to restrict
> access based on remote ip. It's not a solution in itself but it cuts down
> on a lot of noise.

Were you thinking of something other than hosts.deny or allow? If so I don't really know what you may mean.

> Also, openssh allows you to only allow users in specific groups to login via
> ssh - again, if feasible I'd recommend using this.

By groups I assume you mean like users, adm etc. How would I do that? I don't recall seeing that in the man page or such, though I have read so many documents now that I think I am getting a bit goofy from it. And I did find a line in the configs where I could prevent root logins, which I certainly used. Sounded like a great idea to me at the time.

> Oh, and one more thing - don't get so excited every time you see
> something dodgy in your logs - after all, it probably got logged 'cos
> the bad guy failed to achieve her objective.

I actually was pretty certain that these attempts were not successful because of all the failures they report. But, it did make me a bit nervous since I was running ssh out of the box with no configuration at all and I had no real knowledge regarding the risks and such so that I could really know what was being told in the logs. I just assumed that there were risks I was not aware of and that I could tighten things up a bit. I do think that I have improved things somewhat so far though I find it all a little confusing still and cannot be sure that I have done enough to feel in any way comfortable.

> HTH
>
> C.

Many thanks for the advice.

cothrige

On 2004-11-24, cothrige <cothrige@bellsouth.net> wrote:
> Here is what my /var/log/messages has been spitting out:
>
> Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
> Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
> Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
> Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
> Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
> Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
> Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
> Nov 21 21:18:44 celephais sshd[9557]: Failed password for root from 202.164.35.46 port 43466 ssh2
> Nov 21 21:18:48 celephais sshd[9559]: Failed password for root from 202.164.35.46 port 43899 ssh2
> Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
> Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
> Nov 21 21:18:57 celephais sshd[9563]: Illegal user iceuser from 202.164.35.46
> Nov 21 21:18:57 celephais sshd[9563]: Failed password for illegal user iceuser from 202.164.35.46 port 44517 ssh2
> Nov 21 21:19:01 celephais sshd[9565]: Illegal user horde from 202.164.35.46
> Nov 21 21:19:01 celephais sshd[9565]: Failed password for illegal user horde from 202.164.35.46 port 44965 ssh2
> Nov 21 21:19:05 celephais sshd[9567]: Illegal user cyrus from 202.164.35.46
> Nov 21 21:19:05 celephais sshd[9567]: Failed password for illegal user cyrus from 202.164.35.46 port 45393 ssh2
> Nov 21 21:19:09 celephais sshd[9569]: Illegal user www from 202.164.35.46
> Nov 21 21:19:09 celephais sshd[9569]: Failed password for illegal user www from 202.164.35.46 port 45870 ssh2
> Nov 21 21:19:14 celephais sshd[9571]: Illegal user wwwrun from 202.164.35.46
> Nov 21 21:19:14 celephais sshd[9571]: Failed password for illegal user wwwrun from 202.164.35.46 port 46297 ssh2
> Nov 21 21:19:18 celephais sshd[9573]: Illegal user matt from 202.164.35.46
> Nov 21 21:19:18 celephais sshd[9573]: Failed password for illegal user matt from 202.164.35.46 port 46714 ssh2
> Nov 21 21:19:22 celephais sshd[9575]: Illegal user test from 202.164.35.46
> Nov 21 21:19:22 celephais sshd[9575]: Failed password for illegal user test from 202.164.35.46 port 46896 ssh2
> Nov 21 21:19:27 celephais sshd[9577]: Illegal user test from 202.164.35.46
> Nov 21 21:19:27 celephais sshd[9577]: Failed password for illegal user test from 202.164.35.46 port 47392 ssh2
> Nov 21 21:19:31 celephais sshd[9579]: Illegal user test from 202.164.35.46
> Nov 21 21:19:31 celephais sshd[9579]: Failed password for illegal user test from 202.164.35.46 port 47885 ssh2
> Nov 21 21:19:36 celephais sshd[9581]: Illegal user test from 202.164.35.46
> Nov 21 21:19:36 celephais sshd[9581]: Failed password for illegal user test from 202.164.35.46 port 48302 ssh2
> Nov 21 21:19:40 celephais sshd[9583]: Illegal user www-data from 202.164.35.46
> Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2
>
> and so on. This certainly seems to indicate a repetitive attempt to
> intrude into my system using sshd. How concerned should I be, and what
> can I do to help ensure failures on their part? I have tried numerous
> websearches but cannot seem to nail down any real info directly relating
> to these data.

This is a fairly common scripted attack against ssh. As long as you've restricted root access in sshd_config with "PermitRootLogin no" and use the "AllowUsers" directive to specify usernames permitted to use the ssh service you should be pretty safe.

--
-John (john@os2.dhs.org)

>> and so on. This certainly seems to indicate a repetitive attempt to
>> intrude into my system using sshd. How concerned should I be, and what
>> can I do to help ensure failures on their part? I have tried numerous
>> websearches but cannot seem to nail down any real info directly relating
>> to these data.
>
> This is a fairly common scripted attack against ssh. As long as you've
> restricted root access in sshd_config with "PermitRootLogin no" and use
> the "AllowUsers" directive to specify usernames permitted to use the ssh
> service you should be pretty safe.

If you don't like your logs getting filled up you could always run sshd on another port (just edit your config file).

You have been attacked by a scriptkiddie with a program called brutessh2 (or similar - there are others)

In message <pan.2004.11.25.16.18.49.866991@bellsouth.net>, cothrige <cothrige@bellsouth.net> writes
> On Thu, 25 Nov 2004 13:32:13 +0000, Colin McKinnon wrote:
>
>> Don't know about Slackware but a lot of distros now link network service
>> daemons with the tcp wrappers lib, configured by /etc/hosts.allow and
>> /etc/hosts.deny - see man 5 hosts_access. Of course, most of the
>> restrictions can be implemented via iptables.
>
> I put ALL: ALL in hosts.deny and then used the hosts.allow to allow
> my other machine to connect. It seemed to work as I could not connect
> before changing hosts.allow; I checked it first to see if it did anything
> in this instance. I didn't really know if ssh was using these files.
>
>> If feasible I'd definitely recommend anyone securing a machine to restrict
>> access based on remote ip. It's not a solution in itself but it cuts down
>> on a lot of noise.
>
> Were you thinking of something other than hosts.deny or allow? If so I
> don't really know what you may mean.

Iptables is the first line of defence. You can allow individual IPs or a range to access any port, or indeed, do quite a lot more. There's a fair bit to learn. The firewall is built into the kernel, and the iptables program is used to set up rules. Try iptables -L to see what the current rules say.

>> Also, openssh allows you to only allow users in specific groups to login via
>> ssh - again, if feasible I'd recommend using this.
>
> By groups I assume you mean like users, adm etc. How would I do that? I
> don't recall seeing that in the man page or such, though I have read so
> many documents now that I think I am getting a bit goofy from it. And I
> did find a line in the configs where I could prevent root logins, which I
> certainly used. Sounded like a great idea to me at the time.

Man sshd_config, AllowGroups, AllowUsers. They're not used in the default sshd_config file, which otherwise is very useful in terms of explanation. Man pages are more of a memory jogger than a tutorial, and can be a little concise.

>> Oh, and one more thing - don't get so excited every time you see
>> something dodgy in your logs - after all, it probably got logged 'cos
>> the bad guy failed to achieve her objective.
>
> I actually was pretty certain that these attempts were not successful
> because of all the failures they report. But, it did make me a bit
> nervous since I was running ssh out of the box with no configuration at
> all and I had no real knowledge regarding the risks and such so that I
> could really know what was being told in the logs. I just assumed that
> there were risks I was not aware of and that I could tighten things up a
> bit. I do think that I have improved things somewhat so far though I find
> it all a little confusing still and cannot be sure that I have done enough
> to feel in any way comfortable.

Though disparaged, http://grc.com is a quick and fairly useful guide to the state of your ports. Don't pay too much attention to the 'stealth' thing that's emphasised. You just don't want 'open'.

A more powerful test is nmap, which can run a wide variety of connection attempts, but is only useful if you can run it from another Internet machine, or you can simulate that using another computer or two with separate subnets. This is the program the human crackers will use, though it can also be scripted.

--
Joe

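The PermitRootLogin, AllowUsers and AllowGroups directives discussed in the last few posts, as an added example (not from the thread and not OpenSSH's own parser): it reads an sshd_config the way sshd does, reports which of the three recommended settings are missing, and answers the question cothrige asked, namely which accounts get past the allow/deny directives. The configs are constructed and the sshusers group is hypothetical.

```python
"""Audit an sshd_config for the settings this thread recommends, and check who it admits.

Added example, not from the thread or from OpenSSH. Parsing follows sshd_config(5):
keywords are case-insensitive, lines starting with '#' are comments, and for each
keyword the FIRST occurrence wins, so a hardening line appended below an existing
default is silently ignored. Match blocks are out of scope (parsing stops at the
first one). The admission check mirrors the order sshd_config(5) gives: DenyUsers,
AllowUsers, DenyGroups, AllowGroups; the USER@HOST form is not handled.
"""
import fnmatch


def parse_sshd_config(text):
    """Return {keyword_lowercase: [arguments]} keeping only the first occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            break                              # conditional section: not evaluated here
        conf.setdefault(key, parts[1:])        # first value wins, as in sshd
    return conf


def audit(conf):
    """Return findings against the thread's advice; an empty list means all three are in place."""
    findings = []
    root = conf.get("permitrootlogin", ["<unset>"])[0].lower()
    if root != "no":
        findings.append("PermitRootLogin is %s, not 'no': root stays a guessable target" % root)
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: every account on the box may attempt a login")
    if conf.get("passwordauthentication", ["<unset>"])[0].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': guessing still works even with keys set up")
    return findings


def _matches(patterns, names):
    """sshd patterns use '*' and '?'; fnmatchcase covers those."""
    return any(fnmatch.fnmatchcase(n, p) for p in patterns for n in names)


def user_admitted(conf, user, groups):
    """Would sshd let this user (a member of these groups) past the allow/deny directives?"""
    if user == "root" and conf.get("permitrootlogin", [""])[0].lower() == "no":
        return False
    if _matches(conf.get("denyusers", []), [user]):
        return False
    if "allowusers" in conf and not _matches(conf["allowusers"], [user]):
        return False
    if _matches(conf.get("denygroups", []), groups):
        return False
    if "allowgroups" in conf and not _matches(conf["allowgroups"], groups):
        return False
    return True


# Constructed configs. WEAK spells out what an unedited file of that era amounted to,
# HARDENED applies the three recommendations, TRAP shows the first-value-wins rule.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# sshusers is a hypothetical group created for this purpose
AllowGroups sshusers
"""

TRAP = """\
PermitRootLogin yes
# the next line is ignored by sshd: the first value above wins
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED), ("TRAP", TRAP)):
        print(name, audit(parse_sshd_config(text)) or "ok")
    print("test admitted under HARDENED:", user_admitted(parse_sshd_config(HARDENED), "test", ["users"]))
```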
On a slightly different point, is it possible to only allow the root login from a specified MAC address? As I want to be able to use root from my windows box as my Fedora box does not have a monitor attached all the time.

Thanks

"cothrige" <cothrige@bellsouth.net> wrote in message news:pan.2004.11.24.19.56.27.343164@bellsouth.net...

On Wed, 24 Nov 2004 13:56:33 -0600, cothrige wrote:

I have the same problem so I've been working on a little script to solve it. The script is pretty much already done and seems to work. The script blocks the probing IPs in an iptables rule. If you or anyone else is interested in it I can post it here and on my website...

//Jack-Benny

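Jack-Benny's script was never posted, so here is an added example of the same idea (not his code and not from the thread): it reads sshd log lines like the ones cothrige posted, counts failed passwords per source address inside a sliding window, and renders the iptables rule that would cut off an address over the threshold. Nothing is executed, and addresses in `trusted` are never proposed for blocking, which matters on a LAN where a few of your own typos would otherwise lock you out and on dial-up where a blocked address is soon someone else's. The sample log mixes lines from the original post with two constructed lines for 192.168.0.2.

```python
"""Spot sshd password-guessing sources in /var/log/messages and propose block rules.

Added example; not Jack-Benny's script and not from the thread. It parses the
'Failed password' lines sshd writes, keeps a sliding window of failure times per
source address, reports any address that reaches `threshold` failures inside
`window_seconds`, and renders (does not run) one iptables rule per offender.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog line as written by sshd; the year is not in the line, so the caller supplies it
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines, year):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_offenders(lines, year=2004, threshold=5, window_seconds=60):
    """Return {ip: {"first_hit": str, "failures": int, "users": [...]}} for sources over the threshold."""
    window = defaultdict(deque)       # ip -> timestamps of recent failures
    failures = defaultdict(int)
    users = defaultdict(set)
    first_hit = {}
    for ts, user, ip in parse_failures(lines, year):
        failures[ip] += 1
        users[ip].add(user)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold and ip not in first_hit:
            first_hit[ip] = ts        # the moment the address crossed the line
    return {
        ip: {"first_hit": str(first_hit[ip]), "failures": failures[ip], "users": sorted(users[ip])}
        for ip in first_hit
    }


def block_commands(offenders, trusted=(), port=22):
    """Render one iptables DROP rule per offender, skipping addresses you never want to block."""
    return [
        "iptables -I INPUT -s %s -p tcp --dport %d -j DROP" % (ip, port)
        for ip in sorted(offenders)
        if ip not in trusted
    ]


# Sample input: the first lines of cothrige's log excerpt, plus two constructed
# lines for the LAN peer 192.168.0.2 (one key login, one single typo) that must
# not be flagged.
SAMPLE_LOG = """\
Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
Nov 21 21:30:02 celephais sshd[9600]: Accepted publickey for cothrige from 192.168.0.2 port 1024 ssh2
Nov 21 21:31:10 celephais sshd[9602]: Failed password for cothrige from 192.168.0.2 port 1025 ssh2
"""

if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print("%s: %d failures, crossed the threshold at %s, users tried: %s"
              % (ip, info["failures"], info["first_hit"], ", ".join(info["users"])))
    for cmd in block_commands(found, trusted={"192.168.0.2"}):
        print(cmd)
```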