ssh hack attempts

Was there some new ssh port scanner software released recently? We've been getting hammered with "Failed password for illegal user xxxx from xx.xxx.xx.xx port xxxx ssh2". Most of them originate from Korea. Is there a way to hide the login prompt or password protect it? For our business we do need the ssh port open for some remote logins.

Thanks
timothykingAsked:

jlevieCommented:
Are your remote logins from fixed IPs? If they are, you could add firewall rules to only accept ssh connections from those known IPs. Otherwise I'd say to just make sure that you keep the ssh package up to date with respect to vendor errata and to be sure that every user has a good password (7-8 characters, not a recognizable word or combination of words and including one or more non-alpha characters).
0
timothykingAuthor Commented:
They are not fixed IPs. I think I heard somewhere of a program that disguises the login prompt.
0
ahoffmannCommented:
There are no bullet-proof methods to keep scanners away. You can just try to block them at firewall level, or use another port for ssh.

If you have an iptables firewall then see the '-m limit' option to keep out stupid attempts.
0
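Added example, not code from the thread: the "Failed password" lines the question quotes, parsed and counted per source IP, with a burst rule of the same shape as the iptables '-m limit' option ahoffmann mentions. The log lines, the year, and the threshold of 3 failures per 10 seconds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd line quoted in the question. "illegal user" was the wording of
# OpenSSH at the time for unknown accounts; later versions say "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (documentation IP ranges, not real sources).
SAMPLE_LOG = """\
Mar 14 03:12:01 host sshd[4121]: Failed password for illegal user test from 203.0.113.5 port 40112 ssh2
Mar 14 03:12:03 host sshd[4123]: Failed password for illegal user guest from 203.0.113.5 port 40118 ssh2
Mar 14 03:12:05 host sshd[4125]: Failed password for illegal user admin from 203.0.113.5 port 40120 ssh2
Mar 14 03:12:08 host sshd[4127]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 14 03:40:20 host sshd[4301]: Failed password for bob from 198.51.100.9 port 51002 ssh2
Mar 14 09:15:44 host sshd[5010]: Failed password for bob from 198.51.100.9 port 51210 ssh2
""".splitlines()


def parse_failures(lines, year=2004):
    """Yield (timestamp, user, source_ip) for every failed-password line.
    syslog timestamps carry no year, so one is assumed (parameter)."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(lines, max_failures=3, window_s=10):
    """Return {ip: total_failures} for sources that produced more than
    max_failures failures inside any window_s-second window. This is the
    same burst rule that iptables' -m limit (--limit/--limit-burst) applies
    to new connections; here it is evaluated after the fact over the log."""
    recent = defaultdict(list)   # ip -> timestamps inside the current window
    total = defaultdict(int)
    flagged = set()
    for ts, _user, ip in sorted(parse_failures(lines)):
        total[ip] += 1
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        recent[ip].append(ts)
        if len(recent[ip]) > max_failures:
            flagged.add(ip)
    return {ip: total[ip] for ip in sorted(flagged)}
```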


timothykingAuthor Commented:
How would I change the ssh port?
0
ahoffmannCommented:
edit your /etc/ssh/sshd_conf, uncomment or insert something like:

Port 222
0
chris_calabreseCommented:
According to SANS, there are a lot of scans going on for systems vulnerable to some security holes that were fixed in OpenSSH 3.6p1, which was released just about exactly a year ago.

If you have not patched your SSH servers since then, you should do so ASAP.
0
owensleftfootCommented:
You could disable all methods of authentication apart from public/private key pairs. That way they can hammer on the door all they like.
Follow http://www.terrafirmasolutions.com/hints/open_ssh.htm to get the keys set up and edit/add the option ChallengeResponseAuthentication no to /etc/sshd_config.
0
owensleftfootCommented:
Whoops, that should have been /etc/ssh/sshd_config :)
0
xDamoxCommented:
Hi timothyking,

in your /etc/ssh/ssh_config
uncomment and change the following:

Port 222
Protocol 2

PermitRootLogin no
StrictModes yes

PasswordAuthentication yes
PermitEmptyPasswords no

this should help you a bit

0
timothykingAuthor Commented:
What exactly is this changing?
0
owensleftfootCommented:
"What exactly is this changing?" Are you asking me or xDamox? If it's me, it means no-one can login without a private unique encryption key in ~/.ssh/identity which matches a unique public key on the server in ~/.ssh/authorised_keys2. If it's xDamox, it changes the port sshd listens on to 222, uses ssh protocol 2 (more secure than 1), does more strict checking, won't allow root to login over ssh, forces ssh to ask for a password & won't allow an account to login with a null (no) password.
0
pjedmondCommented:
The reason for the hammering is that there are still a large number of systems out there with protocol 1 enabled. As mentioned, protocol 1 had a fairly serious security issue identified with it, and if your setup supports protocol 1, then people will try to abuse it (even if you are up to date with your patches). By disabling protocol 1 as suggested by xDamox, people won't bother trying what you are seeing. They'll carry out the initial scan, realise that there is no protocol 1 to exploit, and then go off looking elsewhere.

...and you can log in as root using protocol 2... :) ...although it is not recommended.
0
timothykingAuthor Commented:
If I change to protocol 2, will the remote clients need to make any changes to their ssh software?

Thanks
0
ahoffmannCommented:
If they do not probe for protocol 2 by default, you need to configure them properly.
0
timothykingAuthor Commented:
Could the port # stay at 22 or is 222 recommended?

Thx
0
jlevieCommented:
Yes.
0
funkusmunkusCommented:
Hi timothyking,

As long as you are using ssh 2 and upwards and have a nice complex password you shouldn't have that much to worry about, but if you wanted to be extra safe, the best way is to disable remote ssh and pptp to it instead, then ssh to the local port.

I found a few of those in my logs, trying to access my ssh with the following names (user, guest, test, ...etc). It must have been an ssh scanner of some sort.
Then I found one IP address tried for 2:30 hours at 3 attempts per 10 seconds using root as a user every time, but of course there was no way it was gonna guess my password. However I disabled remote ssh, and now I pptp to my machine and ssh internally. My logs are clear now; I think the scan may have been to find a host, then there was the onslaught :)

And I did come across a lot of others saying that they had a few ssh attempts, but again as long as you have a nice password you should be ok.

hope that helps
cheers
0
timothykingAuthor Commented:
These are the protocol lines in my sshd_config file.
What changes need to be made?
Thanks


Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
0
ahoffmannCommented:
Protocol 2

or:

Protocol 2,1

and (if you want that):

PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
0
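Added example, not code from the thread: a small audit of sshd_config text in the shape of the file timothyking posted, checking the directives ahoffmann lists against what sshd would apply when they are missing. The defaults assumed are those of the OpenSSH 3.x era (Protocol 2,1; PermitRootLogin yes; PasswordAuthentication yes; PermitEmptyPasswords no), and both config excerpts are constructed.

```python
# Constructed excerpt in the shape of the config posted in the thread.
SAMPLE_CONFIG = """\
Port 22
#Protocol 2,1
# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
HostKey /usr/netmax/etc/ssh_host_rsa_key
"""

# Constructed excerpt with the settings suggested in the thread applied.
HARDENED_CONFIG = """\
Port 222
Protocol 2
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
"""

# Assumed defaults of the OpenSSH 3.x era, used when a directive is absent
# (a commented-out "#Protocol 2,1" therefore still means protocol 1 is on).
ERA_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value}, keeping the FIRST occurrence of each keyword,
    which is how sshd resolves repeated directives. Comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text):
    """Return a list of findings for the directives discussed in the thread."""
    conf = {**ERA_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if "1" in {p.strip() for p in conf["protocol"].split(",")}:
        findings.append("protocol 1 enabled (explicitly or by default)")
    if conf["permitrootlogin"] != "no":
        findings.append("root login over ssh permitted")
    if conf["permitemptypasswords"] == "yes":
        findings.append("empty passwords permitted")
    if conf["passwordauthentication"] == "yes":
        findings.append("password authentication on; key-only shrugs off guessing")
    return findings
```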
timothykingAuthor Commented:
Does the ssh service need to be restarted? And is there a way to test if the change has taken effect?

Thanks
0
ahoffmannCommented:
yes, restart
Test if you can connect with protocol version 1:
   ssh -1 user@server -v
0
timothykingAuthor Commented:
Ok, while making the changes we got scanned again and the server froze. After rebooting the changes stuck (using PuTTY), but I found out my remote clients' software only supports protocol 1. An upgrade to the next version will fix that. Question: even though we change to protocol 2, will the login attempts/scans stop?

Thx
0
timothykingAuthor Commented:
Also if I was to change the Port # are there any limitations to what number I can use?
0
ahoffmannCommented:
> will the login attempts/scans stop
No, they probably just stop after a few tries, see previous comments.

> are there any limitations to what number I can use?
In general no, it must be a free port (not used by other services), and below 65334, for obvious reasons ;-)
0
xDamoxCommented:
Hi,

There are no limits that I know of; don't make it a port which is used by another program.
Also the scans should stop now because the SSH scanner would only attempt on protocol 1.
0
murpellcCommented:
The best way to prevent this is to set up IPTables on the Linux server, then download a copy of PortSentry from Sourceforge.net. Once your IPTables are configured, install the PortSentry application and simply read over its simple INSTALL guide for your system.

With PortSentry, you can have it monitor a series of ports that seem to get 'attacked' a lot and have the application modify the IPTables 'on-the-fly' and block the offending IP address or domain, thus preventing them from reaching the box.

IPTables Wizard Site: http://innertek.com/fbuilder/fblite.shtml
PortSentry Site: http://sourceforge.net/projects/sentrytools/

-- Michael

0