Home page logo

basics logo Security Basics mailing list archives

RE: SSH connection attempts in logs.
From: "Dan Denton" <ddenton () remitpro com>
Date: Mon, 1 Oct 2007 10:50:04 -0500

I would suggest the OP look into something like denyhosts or sshdblock.
These programs can block brute force attempts and are pretty customizable,
and can blacklist any machine attempting to connect too many times using
hosts.allow and hosts.deny. Sshdblock is a little easier to configure, but
both are effective.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jason
Sent: Sunday, September 30, 2007 8:02 PM
To: security-basics () securityfocus com
Subject: Re: SSH connection attempts in logs.

I have encountered similar issues and chances are, if you do not know 
who is trying to connect to you, safer to block first and respond 
later.  If a an 'admin' or a 'staff' member is idiotic enough to screw 
it up more then 3 times, they need a lesson in security and whatnot.  
after a good row, I sincerely doubt they will login erroneously too 
often.  At that point, no harm no foul.  Honestly.  As an administrator 
of an SSH running machine, if you don't recognize an IP or even the 
range that it's coming from, what choice do you have but to block it?  
Even if  you do recognize the range and there are multiple failures?  
See previous response.

Why would you need a secure shell if you didn't care who was connecting 
to your boxen?

What I typically do to circumvent the default for scanners and similar 
ilk is to just change the port that ssh is on or to forward from the 
firewall a specific port.  I have also seen mention of 'knock' style 
programs but have not had the spare time to implement a working 'knock' 
setup.  At that point what do you care (for the most part) is hitting 
port 22?  This just falls under basic security steps though and I am 
guessing is far from new information.

Jason Tarbet
Computer Nerd
Bangor Humane Society

ChromeSilver wrote:
Hash: SHA1

Dan Denton schrieb:
Well, I wouldn't lean toward anything that tries to connect on port 22 as
noise. I would verify that the src IP address isn't some legitimate
to connect by an application that is simply misconfigured. If it's not
legit, block it. In that case it's most likely an attack, or it could be
port scanner. Just my two cents.

xxx.xxx.xxx.xxx = them
yyy.yyy.yyy.yyy = me

c=262144 m=98 msg="Connection Opened" n=187596
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:22:X1 proto=tcp/22
c=1024 m=537 msg="Connection Closed" n=139129
src=xxx.xxx.xxx.xxx:32881:X1 dst=yyy.yyy.yyy.yyy:0:X1 proto=tcp/0


that's my guess too. It's some kind of port scanner very likely. Since
it isn't probing weak accounts (like root /w empty pw), so it cant be a
vuln scanner. But I wouldn't suggest blocking that IP, it could be a
dial-up conn. Better do a whois on that IP and then tell the ISP that
you're most likely being scanned from it. Then you could, eg. contact
that person via snailmail and let it know that there's an aware admin


- --
"If light be the brightest light...
Wherfore then doth it shadows cast?"
- -R.Rohonyi
Version: GnuPG v1.4.7 (MingW32)



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]