Re: SSH newbie interested in security concerns

From: Mike Stewart (michaelNo.J.SpamStewart_at_baesystesm.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 09:06:38 -0000

On a slightly different point, is it possible to only allow the root login
from a specified MAC address? I want to be able to use root from my
Windows box, as my Fedora box does not have a monitor attached all the time.
Thanks

"cothrige" <cothrige@bellsouth.net> wrote in message
news:pan.2004.11.24.19.56.27.343164@bellsouth.net...
> I am using Slackware 9.1 and recently decided to try out some basic
> ethernet usage. I connected another machine with the same OS via a
> crossover cable and by using some straightforward online tutorials got NFS
> up and running. I can ping both ways and mount the drives. I then tried
> out ssh to see if I could do some basic stuff in that way. Things looked
> fine and everything is working as I thought it would, again using some
> very basic online help type pages.
>
> The next step in my learning process was IP masquerading and trying to use
> the client to dial on the server. I use a dial-up with dynamic IP
> addresses btw. It worked just fine, much to my surprise to be honest. ;-)
> In my testing and such I kept an eye on the logs and found something which
> made me wonder if I am really doing anywhere near enough in regards to
> security now that I am using such new services.
>
> Here is what my /var/log/messages has been spitting out:
>
> Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
> Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
> Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
> Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
> Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
> Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
> Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
> Nov 21 21:18:44 celephais sshd[9557]: Failed password for root from 202.164.35.46 port 43466 ssh2
> Nov 21 21:18:48 celephais sshd[9559]: Failed password for root from 202.164.35.46 port 43899 ssh2
> Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
> Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
> Nov 21 21:18:57 celephais sshd[9563]: Illegal user iceuser from 202.164.35.46
> Nov 21 21:18:57 celephais sshd[9563]: Failed password for illegal user iceuser from 202.164.35.46 port 44517 ssh2
> Nov 21 21:19:01 celephais sshd[9565]: Illegal user horde from 202.164.35.46
> Nov 21 21:19:01 celephais sshd[9565]: Failed password for illegal user horde from 202.164.35.46 port 44965 ssh2
> Nov 21 21:19:05 celephais sshd[9567]: Illegal user cyrus from 202.164.35.46
> Nov 21 21:19:05 celephais sshd[9567]: Failed password for illegal user cyrus from 202.164.35.46 port 45393 ssh2
> Nov 21 21:19:09 celephais sshd[9569]: Illegal user www from 202.164.35.46
> Nov 21 21:19:09 celephais sshd[9569]: Failed password for illegal user www from 202.164.35.46 port 45870 ssh2
> Nov 21 21:19:14 celephais sshd[9571]: Illegal user wwwrun from 202.164.35.46
> Nov 21 21:19:14 celephais sshd[9571]: Failed password for illegal user wwwrun from 202.164.35.46 port 46297 ssh2
> Nov 21 21:19:18 celephais sshd[9573]: Illegal user matt from 202.164.35.46
> Nov 21 21:19:18 celephais sshd[9573]: Failed password for illegal user matt from 202.164.35.46 port 46714 ssh2
> Nov 21 21:19:22 celephais sshd[9575]: Illegal user test from 202.164.35.46
> Nov 21 21:19:22 celephais sshd[9575]: Failed password for illegal user test from 202.164.35.46 port 46896 ssh2
> Nov 21 21:19:27 celephais sshd[9577]: Illegal user test from 202.164.35.46
> Nov 21 21:19:27 celephais sshd[9577]: Failed password for illegal user test from 202.164.35.46 port 47392 ssh2
> Nov 21 21:19:31 celephais sshd[9579]: Illegal user test from 202.164.35.46
> Nov 21 21:19:31 celephais sshd[9579]: Failed password for illegal user test from 202.164.35.46 port 47885 ssh2
> Nov 21 21:19:36 celephais sshd[9581]: Illegal user test from 202.164.35.46
> Nov 21 21:19:36 celephais sshd[9581]: Failed password for illegal user test from 202.164.35.46 port 48302 ssh2
> Nov 21 21:19:40 celephais sshd[9583]: Illegal user www-data from 202.164.35.46
> Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2
>
> and so on. This certainly seems to indicate a repetitive attempt to
> intrude into my system using sshd. How concerned should I be, and what
> can I do to help ensure failures on their part? I have tried numerous
> websearches but cannot seem to nail down any real info directly relating
> to these data.
>
> Thanks in advance,
>
> cothrige
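
The quoted log shows a single address working through a list of usernames. As an added example (not part of either post), this Python script tallies sshd "Failed password" lines per source address and flags the ones that look like a dictionary attack. The thresholds, the function names and the final `192.0.2.10` sample line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Lines in the format of the log quoted above; the last one is constructed.
SAMPLE_LOG = """\
Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2
Nov 22 08:00:01 celephais sshd[9701]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""

# The username is supplied by the client, so anchor at end of line and let the
# greedy group take the LAST " from <ip>", which is the part sshd itself wrote.
# Newer OpenSSH versions log "invalid user" instead of "illegal user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<unknown>(?:illegal|invalid) user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text):
    """Count failed password attempts per source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "unknown": set(), "root": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m is None:
            continue  # not a failed-password line
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["unknown"]:
            entry["unknown"].add(m["user"])  # account does not exist on this host
        elif m["user"] == "root":
            entry["root"] += 1               # guesses against the real root account
    return dict(stats)

def suspects(stats, min_attempts=5, min_users=3):
    """Sources with many failures or many different usernames (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts or len(s["users"]) >= min_users)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in suspects(stats):
        s = stats[ip]
        print(ip, s["attempts"], "failures,", len(s["unknown"]),
              "nonexistent users,", s["root"], "root attempts")
```

The count of attempts against accounts that really exist (here `root` and `nobody`) is the figure that matters most, since guesses at nonexistent users cannot succeed.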


