mailing list archives
RE: SSH connection attempts in logs.
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Tue, 2 Oct 2007 08:38:11 -0500
Thank you everyone. I am realizing that I didn't ask the right question.
I am not concerned about the connection. The log entry is from the
firewall where this isn't an allowed connection. We do not have any ssh
servers accessible from the outside.
I am curious about the connection closing on tcp/0 and I failed to say
that initiating the connection on tcp/22 was one of a number I could
have chosen. There are a lot of different port numbers being hit where
they close on tcp/0
"Quidquid latine dictum sit, altum sonatur."
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of jason
Sent: Sunday, September 30, 2007 8:02 PM
To: security-basics () securityfocus com
Subject: Re: SSH connection attempts in logs.
I have encountered similar issues and chances are, if you do not know
who is trying to connect to you, safer to block first and respond
later. If a an 'admin' or a 'staff' member is idiotic enough to screw
it up more then 3 times, they need a lesson in security and whatnot.
after a good row, I sincerely doubt they will login erroneously too
often. At that point, no harm no foul. Honestly. As an administrator
of an SSH running machine, if you don't recognize an IP or even the
range that it's coming from, what choice do you have but to block it?
Even if you do recognize the range and there are multiple failures?
See previous response.
Why would you need a secure shell if you didn't care who was connecting
to your boxen?
What I typically do to circumvent the default for scanners and similar
ilk is to just change the port that ssh is on or to forward from the
firewall a specific port. I have also seen mention of 'knock' style
programs but have not had the spare time to implement a working 'knock'
setup. At that point what do you care (for the most part) is hitting
port 22? This just falls under basic security steps though and I am
guessing is far from new information.
Bangor Humane Society
-----BEGIN PGP SIGNED MESSAGE-----
Dan Denton schrieb:
Well, I wouldn't lean toward anything that tries to connect on port
noise. I would verify that the src IP address isn't some legitimate
to connect by an application that is simply misconfigured. If it's
legit, block it. In that case it's most likely an attack, or it could
port scanner. Just my two cents.
xxx.xxx.xxx.xxx = them
yyy.yyy.yyy.yyy = me
c=262144 m=98 msg="Connection Opened" n=187596
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:22:X1 proto=tcp/22
c=1024 m=537 msg="Connection Closed" n=139129
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:0:X1 proto=tcp/0
that's my guess too. It's some kind of port scanner very likely. Since
it isn't probing weak accounts (like root /w empty pw), so it cant be
vuln scanner. But I wouldn't suggest blocking that IP, it could be a
dial-up conn. Better do a whois on that IP and then tell the ISP that
you're most likely being scanned from it. Then you could, eg. contact
that person via snailmail and let it know that there's an aware admin
"If light be the brightest light...
Wherfore then doth it shadows cast?"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
-----END PGP SIGNATURE-----
This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged,
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please
notify the sender that this message was received in error and then delete this message.