Re: SSH newbie interested in security concerns
From: Mike Stewart (michaelNo.J.SpamStewart_at_baesystesm.com)
Date: 01/13/05
- Next message: Fidelio: "Re: securing wireless"
- Previous message: Jake: "Re: SSH newbie interested in security concerns"
- In reply to: Jake: "Re: SSH newbie interested in security concerns"
- Next in thread: Jake: "Re: SSH newbie interested in security concerns"
- Reply: Jake: "Re: SSH newbie interested in security concerns"
Date: Thu, 13 Jan 2005 10:51:25 -0000
I would be interested in that, cheers. It would be very useful to automatically
block the ssh kiddie scripts.
"Jake" <j0han@hotpop.com> wrote in message
news:pan.2005.01.13.10.20.44.890868@hotpop.com...
> On Wed, 24 Nov 2004 13:56:33 -0600, cothrige wrote:
>
> I have the same problem so I've been working on a little script to solve
> it. The script is pretty much already done and seems to work.
> The script blocks the probing IPs in an iptables rule.
> If you or anyone else is interested in it I can post it here and on my
> website...
>
> //Jack-Benny
>
>
> > I am using Slackware 9.1 and recently decided to try out some basic
> > ethernet usage. I connected another machine with the same OS via a
> > crossover cable and by using some straightforward online tutorials got NFS
> > up and running. I can ping both ways and mount the drives. I then tried
> > out ssh to see if I could do some basic stuff in that way. Things looked
> > fine and everything is working as I thought it would, again using some
> > very basic online help type pages.
> >
> > The next step in my learning process was IP masquerading and trying to use
> > the client to dial on the server. I use a dial-up with dynamic IP
> > addresses btw. It worked just fine, much to my surprise to be honest. ;-)
> > In my testing and such I kept an eye on the logs and found something which
> > made me wonder if I am really doing anywhere near enough in regards to
> > security now that I am using such new services.
> >
> > Here is what my /var/log/messages has been spitting out:
> >
> > Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 202.164.35.46
> > Nov 21 21:18:18 celephais sshd[9545]: Failed password for nobody from 202.164.35.46 port 40845 ssh2
> > Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 202.164.35.46
> > Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 202.164.35.46 port 41269 ssh2
> > Nov 21 21:18:27 celephais sshd[9549]: Illegal user patrick from 202.164.35.46
> > Nov 21 21:18:27 celephais sshd[9549]: Failed password for illegal user patrick from 202.164.35.46 port 41704 ssh2
> > Nov 21 21:18:31 celephais sshd[9551]: Failed password for root from 202.164.35.46 port 42136 ssh2
> > Nov 21 21:18:35 celephais sshd[9553]: Failed password for root from 202.164.35.46 port 42602 ssh2
> > Nov 21 21:18:39 celephais sshd[9555]: Failed password for root from 202.164.35.46 port 43032 ssh2
> > Nov 21 21:18:44 celephais sshd[9557]: Failed password for root from 202.164.35.46 port 43466 ssh2
> > Nov 21 21:18:48 celephais sshd[9559]: Failed password for root from 202.164.35.46 port 43899 ssh2
> > Nov 21 21:18:52 celephais sshd[9561]: Illegal user rolo from 202.164.35.46
> > Nov 21 21:18:52 celephais sshd[9561]: Failed password for illegal user rolo from 202.164.35.46 port 43951 ssh2
> > Nov 21 21:18:57 celephais sshd[9563]: Illegal user iceuser from 202.164.35.46
> > Nov 21 21:18:57 celephais sshd[9563]: Failed password for illegal user iceuser from 202.164.35.46 port 44517 ssh2
> > Nov 21 21:19:01 celephais sshd[9565]: Illegal user horde from 202.164.35.46
> > Nov 21 21:19:01 celephais sshd[9565]: Failed password for illegal user horde from 202.164.35.46 port 44965 ssh2
> > Nov 21 21:19:05 celephais sshd[9567]: Illegal user cyrus from 202.164.35.46
> > Nov 21 21:19:05 celephais sshd[9567]: Failed password for illegal user cyrus from 202.164.35.46 port 45393 ssh2
> > Nov 21 21:19:09 celephais sshd[9569]: Illegal user www from 202.164.35.46
> > Nov 21 21:19:09 celephais sshd[9569]: Failed password for illegal user www from 202.164.35.46 port 45870 ssh2
> > Nov 21 21:19:14 celephais sshd[9571]: Illegal user wwwrun from 202.164.35.46
> > Nov 21 21:19:14 celephais sshd[9571]: Failed password for illegal user wwwrun from 202.164.35.46 port 46297 ssh2
> > Nov 21 21:19:18 celephais sshd[9573]: Illegal user matt from 202.164.35.46
> > Nov 21 21:19:18 celephais sshd[9573]: Failed password for illegal user matt from 202.164.35.46 port 46714 ssh2
> > Nov 21 21:19:22 celephais sshd[9575]: Illegal user test from 202.164.35.46
> > Nov 21 21:19:22 celephais sshd[9575]: Failed password for illegal user test from 202.164.35.46 port 46896 ssh2
> > Nov 21 21:19:27 celephais sshd[9577]: Illegal user test from 202.164.35.46
> > Nov 21 21:19:27 celephais sshd[9577]: Failed password for illegal user test from 202.164.35.46 port 47392 ssh2
> > Nov 21 21:19:31 celephais sshd[9579]: Illegal user test from 202.164.35.46
> > Nov 21 21:19:31 celephais sshd[9579]: Failed password for illegal user test from 202.164.35.46 port 47885 ssh2
> > Nov 21 21:19:36 celephais sshd[9581]: Illegal user test from 202.164.35.46
> > Nov 21 21:19:36 celephais sshd[9581]: Failed password for illegal user test from 202.164.35.46 port 48302 ssh2
> > Nov 21 21:19:40 celephais sshd[9583]: Illegal user www-data from 202.164.35.46
> > Nov 21 21:19:40 celephais sshd[9583]: Failed password for illegal user www-data from 202.164.35.46 port 48768 ssh2
> >
> > and so on. This certainly seems to indicate a repetitive attempt to
> > intrude into my system using sshd. How concerned should I be, and what
> > can I do to help ensure failures on their part? I have tried numerous
> > websearches but cannot seem to nail down any real info directly relating
> > to these data.
> >
> > Thanks in advance,
> >
> > cothrige
>
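
Added example, not part of the original message and not Jake's script (which is not shown in this thread): one way to turn sshd lines like those quoted above into iptables block commands. The function names, the threshold of 5, the allow list, port 22 and the sample addresses are assumptions made for the illustration; the pattern also accepts the "invalid user" wording used by later OpenSSH releases.

```python
import ipaddress
import re
from collections import Counter

# The user name is chosen by the remote side, so the pattern is anchored at the
# end of the line and the greedy (.*) leaves the LAST " from <addr>" as the source.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(.*)"
    r" from (\S+) port \d+ ssh2$"
)

def failed_by_source(lines):
    """Count 'Failed password' entries per IPv4 source address."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not an address: never hand it to a firewall command
        if addr.version == 4:  # iptables is IPv4 only
            counts[str(addr)] += 1
    return counts

def block_rules(lines, threshold=5, allow=("127.0.0.1",)):
    """Return one iptables DROP command per source at or over the threshold."""
    return [
        f"iptables -I INPUT -s {addr} -p tcp --dport 22 -j DROP"
        for addr, n in sorted(failed_by_source(lines).items())
        if n >= threshold and addr not in allow
    ]

# Constructed sample in the format of the log above (documentation addresses).
SAMPLE = [
    "Nov 21 21:07:53 celephais sshd[9543]: Did not receive identification string from 192.0.2.46",
    "Nov 21 21:18:22 celephais sshd[9547]: Illegal user patrick from 192.0.2.46",
    "Nov 21 21:18:22 celephais sshd[9547]: Failed password for illegal user patrick from 192.0.2.46 port 41269 ssh2",
    # user name field that itself contains text shaped like a source address
    "Nov 21 21:20:01 celephais sshd[9601]: Failed password for illegal user x from 198.51.100.7 port 1 ssh2 from 203.0.113.9 port 50000 ssh2",
] + [
    f"Nov 21 21:18:{31 + 4 * i} celephais sshd[{9551 + 2 * i}]: "
    f"Failed password for root from 192.0.2.46 port {42136 + i} ssh2"
    for i in range(5)
]

if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE)))
```

The commands are returned as text so they can be reviewed before anything is applied; put the addresses you administer the machine from in `allow`.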