Topic: SSH fun

insertnamehere
Posted: May 28 2006,14:40

Hello, I am running DSL on my home network as a headless server. It's behind a router with ports 80 and 22 forwarded to it (for ssh and a little webpage). After doing a netstat -a command, however, it prints this:
Code Sample
root@0[root]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:bootpc                *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 xbox:6010               *:*                     LISTEN
tcp        0      0 192.168.1.6:ssh         218.249.174.24:46904    TIME_WAIT
tcp        0    284 192.168.1.6:ssh         saranac-motorola-b:2403 ESTABLISHED
tcp        0      0 192.168.1.6:ssh         218.249.174.24:51833    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:48337    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:44249    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:45233    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:49962    TIME_WAIT
tcp        0     52 192.168.1.6:ssh         218.249.174.24:52778    ESTABLISHED
tcp        0      0 192.168.1.6:ssh         218.249.174.24:50234    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:48618    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:45923    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:49291    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:51171    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:43956    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:50908    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:47653    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:44949    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:46622    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:43262    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:52511    TIME_WAIT
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     751      /var/run/pump.sock
unix  3      [ ]         DGRAM                    1266     /dev/log
unix  3      [ ]         STREAM     CONNECTED     35697
unix  3      [ ]         STREAM     CONNECTED     35696
unix  2      [ ]         DGRAM                    1275

That saranac-motorola connection is me, as I can only ssh into this box. It seems 218.249.174.24 is trying to brute force my ssh pass (which is pretty strong, and definitely won't be hacked by a dictionary attack). Any suggestions for keeping punks like this out?

skaos
Posted: May 28 2006,16:25

You could set up the router not to answer ping requests.

300c_pilot
Posted: May 29 2006,02:48

If you have a good router you can build access control lists that allow ssh traffic only from your computer/network.
NEXT Option:
Install iptables on your DSL server and block requests from the IP addresses that attack you. I typically use webmin to manage my servers; it makes iptables extremely easy. You can also set them so only your computer will be able to use the ssh port.
NEXT Option:
Other than that, make sure your password is more than 12 characters and you do not allow any connection for any user other than yours. ROOT is disabled for a connection. The for-sure method is to turn it off.

My servers, when ssh is on, are constantly being attacked. When I block 1 IP, another IP address starts to attack. I would bet that I have over 100 blocked right now.

Typical log file of attack, the last time I turned ssh on:

May  2 16:03:06 crd-dwc sshd[2727]: Failed password for invalid user administrator from ::ffff:220.130.96.195 port 37743 ssh2
May  2 16:03:09 crd-dwc sshd[2730]: Invalid user library from ::ffff:220.130.96.195
May  2 16:03:11 crd-dwc sshd[2730]: Failed password for invalid user library from ::ffff:220.130.96.195 port 38612 ssh2
May  2 16:03:14 crd-dwc sshd[2733]: Invalid user test from ::ffff:220.130.96.195
May  2 16:03:16 crd-dwc sshd[2733]: Failed password for invalid user test from ::ffff:220.130.96.195 port 39482 ssh2
May  2 16:44:36 crd-dwc sshd[13809]: Received signal 15; terminating.
May  2 17:10:25 crd-dwc sshd[3844]: Server listening on :: port 22.
May  2 17:10:25 crd-dwc sshd[3844]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
May  2 17:11:40 crd-dwc sshd[3844]: Received signal 15; terminating.
May  2 17:11:40 crd-dwc sshd[3877]: Server listening on :: port 22.
May  2 17:11:40 crd-dwc sshd[3877]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
May  2 17:12:07 crd-dwc sshd[3877]: Received signal 15; terminating.

This automated attack tried to crash ssh to get in.  
Good luck.


--------------
300c_Pilot
Boise, Idaho

dare2dreamer
Posted: May 30 2006,05:18

You might also look at a package called denyhosts; it tracks login attempts and automagically adds them to your hosts.deny if they appear, based on configurable rules, to look fishy.

--------------
----dare2dreamer.
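
The approach described in this reply, applied to the sshd log format posted earlier in the thread, as an added example (it is not part of the thread and is not denyhosts' own code). The log lines are constructed, the addresses come from documentation ranges, and the threshold, allowlist and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the sshd syslog format quoted earlier in the thread.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
May  2 16:03:06 host sshd[2727]: Failed password for invalid user administrator from ::ffff:203.0.113.7 port 37743 ssh2
May  2 16:03:09 host sshd[2730]: Invalid user library from ::ffff:203.0.113.7
May  2 16:03:11 host sshd[2730]: Failed password for invalid user library from ::ffff:203.0.113.7 port 38612 ssh2
May  2 16:03:16 host sshd[2733]: Failed password for invalid user test from ::ffff:203.0.113.7 port 39482 ssh2
May  2 16:03:20 host sshd[2736]: Failed password for invalid user root from 192.0.2.9 from ::ffff:203.0.113.7 port 40000 ssh2
May  2 16:05:40 host sshd[2790]: Failed password for alice from 198.51.100.20 port 2403 ssh2
May  2 16:05:52 host sshd[2790]: Accepted password for alice from 198.51.100.20 port 2403 ssh2
"""

# The user name is supplied by the remote side and may contain spaces, so the
# greedy ".*" plus the "$" anchor take the address from the END of the line,
# which is the part sshd itself writes.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def normalize(ip):
    """Strip the IPv4-mapped IPv6 prefix logged by dual-stack listeners."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip

def failures_by_source(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[normalize(m.group(1))] += 1
    return counts

def hosts_deny_lines(log_text, threshold=3, allowlist=()):
    """Return hosts.deny entries for sources at or above the threshold."""
    counts = failures_by_source(log_text)
    return [
        f"sshd: {ip}"
        for ip, n in sorted(counts.items())
        if n >= threshold and ip not in allowlist
    ]

if __name__ == "__main__":
    # The allowlist keeps your own address from being locked out by a typo.
    for entry in hosts_deny_lines(SAMPLE_LOG, allowlist=("198.51.100.20",)):
        print(entry)
```
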

insertnamehere
Posted: May 30 2006,23:04

Thanks for the help. Someday I'll put in iptables, but right now I'm going to try out denyhosts; it seems pretty easy to configure. I have another question though: when I ssh into my box it says, "Starting X." I let it start but nothing happens; I usually just control-c out of it. How can I get this to work?