Re: SSH newbie interested in security concerns
From: Jake (j0han_at_hotpop.com)
Date: 01/13/05
Date: Thu, 13 Jan 2005 10:20:44 GMT
On Wed, 24 Nov 2004 13:56:33 -0600, cothrige wrote:
I have the same problem so I've been working on a little script to solve
it. The script is pretty much already done and seems to work.
The script blocks the probing IPs in an iptables rule.
If you or anyone else is interested in it I can post it here and on my
website...
//Jack-Benny
> I am using Slackware 9.1 and recently decided to try out some basic
> ethernet usage. I connected another machine with the same OS via a
> crossover cable and by using some straightforward online tutorials got NFS
> up and running. I can ping both ways and mount the drives. I then tried
> out ssh to see if I could do some basic stuff in that way. Things looked
> fine and everything is working as I thought it would, again using some
> very basic online help type pages.
>
> The next step in my learning process was IP masquerading and trying to use
> the client to dial on the server. I use a dial-up with dynamic IP
> addresses btw. It worked just fine, much to my surprise to be honest. ;-)
> In my testing and such I kept an eye on the logs and found something which
> made me wonder if I am really doing anywhere near enough in regards to
> security now that I am using such new services.
>
> Here is what my /var/log/messages has been spitting out:
>
> Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
> Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
> Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
> Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
> Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
> Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
> Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
> Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
> Nov 21 21:18:44 celephais sshd[9557]: Failed password for root from 202.164.35.46 port 43466 ssh2
> Nov 21 21:18:48 celephais sshd[9559]: Failed password for root from 202.164.35.46 port 43899 ssh2
> Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
> Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
> Nov 21 21:18:57 celephais sshd[9563]: Illegal user iceuser from 202.164.35.46
> Nov 21 21:18:57 celephais sshd[9563]: Failed password for illegal user iceuser from 202.164.35.46 port 44517 ssh2
> Nov 21 21:19:01 celephais sshd[9565]: Illegal user horde from 202.164.35.46
> Nov 21 21:19:01 celephais sshd[9565]: Failed password for illegal user horde from 202.164.35.46 port 44965 ssh2
> Nov 21 21:19:05 celephais sshd[9567]: Illegal user cyrus from 202.164.35.46
> Nov 21 21:19:05 celephais sshd[9567]: Failed password for illegal user cyrus from 202.164.35.46 port 45393 ssh2
> Nov 21 21:19:09 celephais sshd[9569]: Illegal user www from 202.164.35.46
> Nov 21 21:19:09 celephais sshd[9569]: Failed password for illegal user www from 202.164.35.46 port 45870 ssh2
> Nov 21 21:19:14 celephais sshd[9571]: Illegal user wwwrun from 202.164.35.46
> Nov 21 21:19:14 celephais sshd[9571]: Failed password for illegal user wwwrun from 202.164.35.46 port 46297 ssh2
> Nov 21 21:19:18 celephais sshd[9573]: Illegal user matt from 202.164.35.46
> Nov 21 21:19:18 celephais sshd[9573]: Failed password for illegal user matt from 202.164.35.46 port 46714 ssh2
> Nov 21 21:19:22 celephais sshd[9575]: Illegal user test from 202.164.35.46
> Nov 21 21:19:22 celephais sshd[9575]: Failed password for illegal user test from 202.164.35.46 port 46896 ssh2
> Nov 21 21:19:27 celephais sshd[9577]: Illegal user test from 202.164.35.46
> Nov 21 21:19:27 celephais sshd[9577]: Failed password for illegal user test from 202.164.35.46 port 47392 ssh2
> Nov 21 21:19:31 celephais sshd[9579]: Illegal user test from 202.164.35.46
> Nov 21 21:19:31 celephais sshd[9579]: Failed password for illegal user test from 202.164.35.46 port 47885 ssh2
> Nov 21 21:19:36 celephais sshd[9581]: Illegal user test from 202.164.35.46
> Nov 21 21:19:36 celephais sshd[9581]: Failed password for illegal user test from 202.164.35.46 port 48302 ssh2
> Nov 21 21:19:40 celephais sshd[9583]: Illegal user www-data from 202.164.35.46
> Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2
>
> and so on. This certainly seems to indicate a repetitive attempt to
> intrude into my system using sshd. How concerned should I be, and what
> can I do to help ensure failures on their part? I have tried numerous
> websearches but cannot seem to nail down any real info directly relating
> to these data.
>
> Thanks in advance,
>
> cothrige
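
The approach described in the reply above (count failed sshd logins per source address and block the repeat offenders with iptables), as an added Python example; it is not Jack-Benny's script, which is not shown on this page. The threshold, the allowlisted networks and every sample line marked as constructed are assumptions, and the function only returns the iptables commands rather than running them.

```python
import ipaddress
import re
from collections import Counter

# The address is taken from the END of the line: the user name that appears
# earlier in the message is chosen by the remote client and may contain "from".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

# First three lines are from the quoted log; the last four are constructed.
SAMPLE_LOG = """\
Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
Nov 21 21:20:02 celephais sshd[9601]: Failed password for illegal user a from 192.0.2.10 from 198.51.100.7 port 50001 ssh2
Nov 21 21:20:05 celephais sshd[9603]: Failed password for illegal user b from 192.0.2.10 from 198.51.100.7 port 50002 ssh2
Nov 21 21:21:00 celephais sshd[9610]: Failed password for cothrige from 192.168.0.2 port 32800 ssh2
Nov 21 21:21:04 celephais sshd[9612]: Failed password for cothrige from 192.168.0.2 port 32801 ssh2
"""


def failures_by_source(log_text):
    """Count failed password attempts per IPv4 source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # not a literal IPv4 address: never pass it on to a rule
        counts[addr] += 1
    return counts


def block_rules(log_text, threshold=3, allow=("127.0.0.0/8", "192.168.0.0/24")):
    """Return iptables commands for sources at or above the threshold."""
    nets = [ipaddress.ip_network(n) for n in allow]  # assumed trusted networks
    rules = []
    for addr, n in sorted(failures_by_source(log_text).items()):
        if n < threshold or any(addr in net for net in nets):
            continue  # too few failures, or a source we must not lock out
        rules.append(f"iptables -I INPUT -s {addr} -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

The allowlist keeps a mistyped password on the LAN client from locking out the administrator, and the end-anchored pattern keeps text embedded in a user name from choosing which address gets blocked.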