SSH fun


Forum: Networking
Topic: SSH fun
started by: insertnamehere

Posted by insertnamehere on May 28 2006,14:40
Hello, I am running DSL on my home network as a headless server. It's behind a router with ports 80 and 22 forwarded to it (for ssh and a little webpage). After running a netstat -a command, however, it prints this.
root@0[root]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:bootpc                *:*                     LISTEN
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 xbox:6010               *:*                     LISTEN
tcp        0      0 192.168.1.6:ssh         218.249.174.24:46904    TIME_WAIT
tcp        0    284 192.168.1.6:ssh         saranac-motorola-b:2403 ESTABLISHED
tcp        0      0 192.168.1.6:ssh         218.249.174.24:51833    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:48337    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:44249    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:45233    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:49962    TIME_WAIT
tcp        0     52 192.168.1.6:ssh         218.249.174.24:52778    ESTABLISHED
tcp        0      0 192.168.1.6:ssh         218.249.174.24:50234    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:48618    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:45923    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:49291    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:51171    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:43956    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:50908    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:47653    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:44949    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:46622    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:43262    TIME_WAIT
tcp        0      0 192.168.1.6:ssh         218.249.174.24:52511    TIME_WAIT
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     751      /var/run/pump.sock
unix  3      [ ]         DGRAM                    1266     /dev/log
unix  3      [ ]         STREAM     CONNECTED     35697
unix  3      [ ]         STREAM     CONNECTED     35696
unix  2      [ ]         DGRAM                    1275

That sarnac.motorola connection is me, as I can only ssh into this box. It seems 218.249.174.24 is trying to brute-force my ssh pass (which is pretty strong and definitely won't be hacked by a dictionary attack). Any suggestions for keeping punks like this out?

Posted by skaos on May 28 2006,16:25
You could set up the router not to answer ping requests.
Posted by 300c_pilot on May 29 2006,02:48
If you have a good router, you can build access control lists that allow ssh traffic from your computer/network only.
NEXT Option:
Install iptables on your DSL server and block requests from the IP addresses that attack you. I typically use webmin to manage my servers; it makes iptables extremely easy. You can also set them so only your computer will be able to use the ssh port.
NEXT Option:
Other than that, make sure your password is more than 12 characters and you do not allow any connection for any user other than yours. ROOT is disabled for a connection. The for-sure method is to turn it off.

My servers, when ssh is on, are constantly being attacked. When I block one IP, another IP address starts to attack. I would bet that I have over 100 blocked right now.

Typical log file of attack, the last time I turned ssh on:

May  2 16:03:06 crd-dwc sshd[2727]: Failed password for invalid user administrator from ::ffff:220.130.96.195 port 37743 ssh2
May  2 16:03:09 crd-dwc sshd[2730]: Invalid user library from ::ffff:220.130.96.195
May  2 16:03:11 crd-dwc sshd[2730]: Failed password for invalid user library from ::ffff:220.130.96.195 port 38612 ssh2
May  2 16:03:14 crd-dwc sshd[2733]: Invalid user test from ::ffff:220.130.96.195
May  2 16:03:16 crd-dwc sshd[2733]: Failed password for invalid user test from ::ffff:220.130.96.195 port 39482 ssh2
May  2 16:44:36 crd-dwc sshd[13809]: Received signal 15; terminating.
May  2 17:10:25 crd-dwc sshd[3844]: Server listening on :: port 22.
May  2 17:10:25 crd-dwc sshd[3844]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
May  2 17:11:40 crd-dwc sshd[3844]: Received signal 15; terminating.
May  2 17:11:40 crd-dwc sshd[3877]: Server listening on :: port 22.
May  2 17:11:40 crd-dwc sshd[3877]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
May  2 17:12:07 crd-dwc sshd[3877]: Received signal 15; terminating.

This automated attack tried to crash ssh to get in.  
Good luck.

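As an added example, not code from the thread or from any of its posters: a small POSIX shell script that tallies the "Failed password" lines of the kind 300c_pilot posted, per source address, and prints the iptables DROP rules (or, alternatively, the allow-only-my-network rules) that the post describes. The log lines are constructed to match the posted format, the threshold is an assumption of mine, and nothing is applied: the rules are only printed so you can review them before running them as root.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd "Failed password" lines per
# source IP and emit iptables rules. Log lines are constructed to match the
# format in 300c_pilot's post; the ::ffff: prefix is the IPv4-mapped form
# sshd logs when it listens on a dual-stack socket, so it is stripped.

SAMPLE_LOG='May  2 16:03:06 crd-dwc sshd[2727]: Failed password for invalid user administrator from ::ffff:220.130.96.195 port 37743 ssh2
May  2 16:03:09 crd-dwc sshd[2730]: Invalid user library from ::ffff:220.130.96.195
May  2 16:03:11 crd-dwc sshd[2730]: Failed password for invalid user library from ::ffff:220.130.96.195 port 38612 ssh2
May  2 16:03:14 crd-dwc sshd[2733]: Invalid user test from ::ffff:220.130.96.195
May  2 16:03:16 crd-dwc sshd[2733]: Failed password for invalid user test from ::ffff:220.130.96.195 port 39482 ssh2
May  2 16:05:01 crd-dwc sshd[2740]: Failed password for root from 192.168.1.6 port 2403 ssh2
May  2 16:05:10 crd-dwc sshd[2741]: Accepted password for bob from 192.168.1.6 port 2404 ssh2'

# failed_counts LOG: one "count ip" line per source, most failures first
failed_counts() {
    printf '%s\n' "$1" | grep 'Failed password' \
    | sed -n 's/.* from \(::ffff:\)\{0,1\}\([0-9.]*\) port .*/\2/p' \
    | sort | uniq -c | sort -rn
}

# offenders LOG THRESHOLD: sources with at least THRESHOLD failures
offenders() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# block_rules LOG THRESHOLD: per-source DROP rules for port 22 (printed, not run)
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# whitelist_rules NET: the alternative in the post, ssh only from your own network
whitelist_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

echo "# sources with 3 or more failures (threshold is an assumption):"
block_rules "$SAMPLE_LOG" 3
echo "# or restrict port 22 to your own network instead (192.168.1.0/24 assumed):"
whitelist_rules 192.168.1.0/24
```

Feed it a real log with `block_rules "$(cat /var/log/auth.log)" 5` (the file name varies by distribution) and pipe the output through `sh` only after reading it; a typo in the whitelist network locks you out of a headless box, so keep the existing session open until a second login succeeds.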
Posted by dare2dreamer on May 30 2006,05:18
You might also look at a package called denyhosts, it tracks login attempts and automagically adds them to your hosts.deny if they appear, based on configurable rules, to look fishy.
Posted by insertnamehere on May 30 2006,23:04
Thanks for the help. Someday I'll put in iptables, but right now I'm going to try out denyhosts; it seems pretty easy to configure. I have another question though: when I ssh into my box it says, "Starting X." I let it start but nothing happens; I usually just Ctrl-C out of it. How can I get this to work?
Posted by 300c_pilot on May 30 2006,23:14
I had never heard of denyhosts. A really cool little tool. :D
Posted by pr0f3550r on May 31 2006,15:16
First of all, put that beast in iptables and relax.

Second, disable root login in sshd, disable password login altogether, and enable ssh passphrase login. Any brute force would be pointless.
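Added example, not from the thread or any poster: a POSIX shell audit of an sshd_config for the settings pr0f3550r recommends (no root login, no password authentication, public-key authentication on). Both configs are constructed. The script resolves keywords the way sshd does (first occurrence wins, keywords are case-insensitive, `#` starts a comment) and treats a missing keyword as the OpenSSH default of that era, which is an assumption stated in the comments. It also checks ChallengeResponseAuthentication, because with that left on sshd can still prompt for a password through keyboard-interactive authentication even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config text for the settings
# the post recommends. Configs below are constructed; the weak one shows the
# keyword values that left a box open to password guessing.

WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# a trailing comment line, ignored like sshd ignores it'

# sshd_setting CONFIG KEY DEFAULT: value of KEY, first occurrence wins (as in
# sshd), case-insensitive, comments stripped; DEFAULT if the keyword is absent.
sshd_setting() {
    v=$(printf '%s\n' "$1" | sed 's/#.*//' \
        | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config CONFIG: print one finding per weak setting, nothing if
# hardened. The DEFAULT arguments are the OpenSSH defaults of the time
# (assumption): root login, password and challenge-response auth all on.
audit_sshd_config() {
    cfg=$1
    root=$(sshd_setting "$cfg" PermitRootLogin yes)
    case $root in
        no|without-password) ;;
        *) echo "PermitRootLogin is '$root'; set it to no" ;;
    esac
    [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication is on; set it to no"
    [ "$(sshd_setting "$cfg" ChallengeResponseAuthentication yes)" = no ] \
        || echo "ChallengeResponseAuthentication is on; set it to no, or keyboard-interactive can still ask for a password"
    [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" = yes ] \
        || echo "PubkeyAuthentication is off; set it to yes"
}

echo "# weak config:"
audit_sshd_config "$WEAK_CONFIG"
echo "# hardened config (no output means no findings):"
audit_sshd_config "$HARDENED_CONFIG"
```

Run it as `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` on the box. Before restarting sshd with passwords off, install your public key in `~/.ssh/authorized_keys`, confirm a key login works in a second terminal, and check the file with `sshd -t`; otherwise the next thing locked out is you, not the brute-forcer.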
