Security Basics mailing list archives

Re: ssh attempts


From: Leif Ericksen <leife () dls net>
Date: Fri, 06 Jan 2006 08:21:13 -0600

Lock down your box a little more...  Enable TCPWrappers at the very
least.  If they are able to hit your system like that via SSH it is
obvious that you are not blocking.  This is common.  My firewall logs
show and have shown attempts to ssh (this is for a personal system);
they get stopped at the firewall because they are not coming from the
correct IP address(es).  Incidentally, the ones I see hitting my firewall
came from China, Korea, and Taiwan for the most part, leastwise that is
what the IP indicated as long as it was not spoofed.

Before I locked down my firewall to IP I would see the rejects because
of Wrappers.

If the system is on the net LOCK IT DOWN.

--
Leif Ericksen 
On Wed, 2006-01-04 at 11:35 +0100, Emilio Casbas wrote:
I've noticed that several Linux machines I have running are getting
scanned via ssh for multiple accounts such as "guest webmaster mysql
info shell apache test..." and many others. The log shows:

Jan  3 01:31:08 machine sshd2[22087]: WARNING: DNS lookup failed for "X.X.X.233".
Jan  3 01:31:10 machine sshd2[22087]: password authentication failed. Login to account webmaster not allowed or account non-existent.
Jan  3 01:31:13 machine sshd2[21757]: LoginGraceTime exceeded.

As well, there are attempts to connect with root login, with the log
message shown as:

WARNING: DNS lookup failed for "X.X.X.233".
Jan  3 01:17:53 machine sshd2[21651]: root login denied for user 'root'.

Obviously, we don't have accounts with that name on our systems, and the
root account is disabled for ssh, but I would like to know which software
can do this scan type, because while it's running, the machine processes
grow too much.

Thanks.
Emilio C.



-- 
Leif Ericksen <leife () dls net>
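
The sshd2 lines quoted above put the source address and the rejected account name on separate lines that share a process ID. This added example (not written by either poster) correlates them by PID to show which accounts each source tried, which is the input you need before writing a firewall or TCP Wrappers rule. The sample log, its documentation-range addresses, the function names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd2 syslog format quoted in the thread
# (lines unwrapped; addresses are documentation-range placeholders).
SAMPLE_LOG = """\
Jan  3 01:31:08 machine sshd2[22087]: WARNING: DNS lookup failed for "192.0.2.233".
Jan  3 01:31:10 machine sshd2[22087]: password authentication failed. Login to account webmaster not allowed or account non-existent.
Jan  3 01:31:12 machine sshd2[22090]: WARNING: DNS lookup failed for "192.0.2.233".
Jan  3 01:31:14 machine sshd2[22090]: password authentication failed. Login to account mysql not allowed or account non-existent.
Jan  3 01:31:15 machine sshd2[22093]: WARNING: DNS lookup failed for "192.0.2.233".
Jan  3 01:31:16 machine sshd2[22093]: root login denied for user 'root'.
Jan  3 01:40:02 machine sshd2[22140]: WARNING: DNS lookup failed for "198.51.100.7".
Jan  3 01:40:05 machine sshd2[22140]: password authentication failed. Login to account guest not allowed or account non-existent.
"""

LINE = re.compile(r"sshd2\[(\d+)\]: (.*)$")
SOURCE = re.compile(r'DNS lookup failed for "([^"]+)"')
FAILED = re.compile(r"Login to account (\S+) not allowed|root login denied for user '([^']+)'")

def failed_logins_by_source(log_text):
    """Map source address -> account names rejected for that source."""
    pid_source = {}              # sshd2 PID -> address seen in its DNS warning
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        src = SOURCE.search(msg)
        if src:
            pid_source[pid] = src.group(1)
            continue
        bad = FAILED.search(msg)
        if bad:
            account = bad.group(1) or bad.group(2)
            # Assumption: the address is only known from an earlier line
            # of the same PID; otherwise the failure is filed as "unknown".
            result[pid_source.get(pid, "unknown")].append(account)
    return dict(result)

def scanners(log_text, min_accounts=3):
    """Sources that tried at least min_accounts distinct account names."""
    hits = failed_logins_by_source(log_text)
    return sorted(s for s, accts in hits.items() if len(set(accts)) >= min_accounts)

if __name__ == "__main__":
    for source in scanners(SAMPLE_LOG):
        print(source, failed_logins_by_source(SAMPLE_LOG)[source])
```
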

