Re: unsuccessful hacking attempt at my machine
From: H. S. (g_reate_xcalibur_at_yahoo.com)
Date: Thu, 27 Jan 2005 23:17:19 -0500
Apparently, _/dev/null_, on 27/01/05 18:22, typed:
>>Since I am denying SSH packets from non-allowed IPs using iptables,
>>iptables should be configured to send the username being tried? Note that
>>ssh hasn't come into the picture here at all yet.
> Iptables doesn't know their user name. Where would it get it from? They
> don't send their user name to iptables, it's sent to sshd. The network
> *packets* do get processed by iptables, but it doesn't open them all up
> and say "oh, this is ssh and here's his user name...". It doesn't examine
> packets at that level. And the first couple of packets that pass back and
> forth are just to set up the tcp connection that ssh will ride on. Those
> packets have absolutely no information in them at all related to ssh, so how
> at this point could iptables even know what user this packet is from even if
> it did examine the contents of ssh channels? And the user name isn't sent
> until after ssh has established its encryption so even if iptables did open
> the packet it wouldn't have any way of decrypting the contents to extract
> the user name, nor does any system along the connection path.
> So if you want to get user names you'll have to get ssh to log them. And it
> logs them by sending the info over to syslog. And syslog just writes
> whatever ssh sends to it, syslog doesn't tell ssh "log these actions to me,
> but not these", that's configured in the ssh_config file I referenced
Thanks for clarifying all that up. Really appreciate it.
-- Please remove the underscores ( the '_' symbols) from my email address to obtain the correct one. Apologies, but the fudging is to remove spam.
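The point of the exchange above is that the attempted username never exists at the packet-filter layer; it only appears in the lines sshd hands to syslog. As an added illustration (not code from anyone in this thread), here is a small Python parser that pulls the username and source address out of the "Failed password" lines sshd writes to the auth log (typically /var/log/auth.log or /var/log/secure, depending on the distribution) and tallies them per source. The log lines embedded in it are constructed for the example, not taken from a real host, and the threshold value is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd sends to syslog.
# Addresses are from documentation ranges; nothing here is from a real host.
SAMPLE_LOG = """\
Jan 27 18:22:01 host sshd[12345]: Invalid user admin from 192.0.2.10
Jan 27 18:22:03 host sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 40321 ssh2
Jan 27 18:22:07 host sshd[12346]: Failed password for root from 192.0.2.10 port 40322 ssh2
Jan 27 18:22:09 host sshd[12347]: Failed password for invalid user test from 198.51.100.5 port 51000 ssh2
Jan 27 18:22:15 host sshd[12348]: Accepted publickey for alice from 203.0.113.7 port 52000 ssh2
"""

# sshd reports both "Failed password for root from ..." (user exists) and
# "Failed password for invalid user admin from ..." (user does not exist);
# the optional group absorbs the "invalid user " prefix in the second form.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return a list of (username, source_ip) tuples, one per failed password attempt."""
    results = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            results.append((m.group("user"), m.group("ip")))
    return results


def failures_by_ip(text):
    """Count failed attempts per source address."""
    return Counter(ip for _, ip in parse_failed_logins(text))


def failures_by_user(text):
    """Count failed attempts per attempted username."""
    return Counter(user for user, _ in parse_failed_logins(text))


def sources_over_threshold(text, threshold):
    """Source addresses with at least `threshold` failed attempts, sorted for stable output.

    This is the kind of list you would feed to a block list; the value of
    `threshold` is a local policy decision, not something sshd dictates.
    """
    return sorted(ip for ip, n in failures_by_ip(text).items() if n >= threshold)


if __name__ == "__main__":
    for user, ip in parse_failed_logins(SAMPLE_LOG):
        print(f"failed login as {user!r} from {ip}")
    print("by source:", dict(failures_by_ip(SAMPLE_LOG)))
    print("by user:  ", dict(failures_by_user(SAMPLE_LOG)))
    print("over threshold (2):", sources_over_threshold(SAMPLE_LOG, 2))
```

Note that the "Invalid user ... from ..." line and the "Accepted publickey" line are deliberately left unmatched: the first would double-count an attempt that is also reported as a "Failed password" line, and the second is a success. On a real host you would read the auth log instead of the embedded string, but the parsing is the same, and it is exactly this log output, not anything iptables sees, that carries the username.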