Solved

ssh hack attempts

Posted on 2004-09-13
Last Modified: 2010-04-22
Was there some new ssh port scanner software released recently? We've been getting hammered with "Failed password for illegal user xxxx from xx.xxx.xx.xx port xxxx ssh2". Most of them originate from Korea. Is there a way to hide the login prompt or password protect it? For our business we do need the ssh port open for some remote logins.

Thanks
Question by:timothyking
26 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12044379
Are your remote logins from fixed IP's? If they are you could add firewall rules to only accept ssh connections from those known IP's. Otherwise I'd say to just make sure that you keep the ssh package up to date w/respect to vendor errata and to be sure that every user has a good password (7-8 characters, not a recognizable word or combination of words and including one or more non-alpha characters).

Author Comment

by:timothyking
ID: 12044455
They are not fixed ip's. I think I heard somewhere of a program that disguises the login prompt.
LVL 51

Accepted Solution

by:
ahoffmann earned 200 total points
ID: 12044506
There are no bullet-proof methods to keep scanners away. You can just try to block them at firewall level, or use another port for ssh.

If you have an iptables firewall then see the '-m limit' option to keep out stupid attempts.

Author Comment

by:timothyking
ID: 12044531
How would I change the ssh port?
LVL 51

Expert Comment

by:ahoffmann
ID: 12044617
edit your /etc/ssh/sshd_conf, uncomment or insert something like:

Port 222
LVL 14

Expert Comment

by:chris_calabrese
ID: 12047069
According to SANS, there are a lot of scans going on for systems vulnerable to some security holes that were fixed in OpenSSH 3.6p1, which was released just about exactly a year ago.

If you have not patched your SSH servers since then, you should do so ASAP.
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053083
You could disable all methods of authentication apart from public/private key pairs. That way they can hammer on the door all they like.
Follow http://www.terrafirmasolutions.com/hints/open_ssh.htm to get the keys set up and edit/add the option ChallengeResponseAuthentication no to /etc/sshd_config.
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053085
Whoops, that should have been /etc/ssh/sshd_config :)
LVL 16

Expert Comment

by:xDamox
ID: 12059576
Hi timothyking,

in your /etc/ssh/ssh_config
uncomment and change the following:

Port 222
Protocol 2

PermitRootLogin no
StrictModes yes

PasswordAuthentication yes
PermitEmptyPasswords no

this should help you a bit

Author Comment

by:timothyking
ID: 12063594
What exactly is this changing?
LVL 17

Expert Comment

by:owensleftfoot
ID: 12068964
"What exactly is this changing?" Are you asking me or xDamox? If it's me, it means no-one can login without a private unique encryption key in ~/.ssh/identity which matches a unique public key on the server in ~/.ssh/authorised_keys2. If it's xDamox, it changes the port sshd listens on to 222, uses ssh protocol 2 (more secure than 1), does more strict checking, won't allow root to login over ssh, forces ssh to ask for a password & won't allow an account to login with a null (no) password.
LVL 22

Expert Comment

by:pjedmond
ID: 12100284
The reason for the hammering is that there are still a large number of systems out there with protocol 1 enabled. As mentioned, protocol 1 had a fairly serious security issue identified with it, and if your setup supports protocol 1, then people will try to abuse it (even if you are up to date with your patches). By disabling protocol 1 as suggested by xDamox, people won't bother trying what you are seeing. They'll carry out the initial scan, realise that there is no protocol 1 to exploit, and then go off looking elsewhere.

...and you can log in as root using protocol 2......:)....although it is not recommended.

Author Comment

by:timothyking
ID: 12105297
If I change to protocol 2, will the remote clients need to make any changes to their ssh software?

Thanks
LVL 51

Expert Comment

by:ahoffmann
ID: 12105455
If they do not probe for protocol 2 by default, you need to configure them properly.

Author Comment

by:timothyking
ID: 12105695
Could the port # stay at 22 or is 222 recommended?

Thx
LVL 40

Expert Comment

by:jlevie
ID: 12105998
Yes.
LVL 1

Expert Comment

by:funkusmunkus
ID: 12109052
Hi timothyking,

As long as you are using ssh 2 and upwards and have a nice complex password you shouldn't have that much to worry about, but if you wanted to be extra safe, the best way is to disable remote ssh and PPTP to it instead, then ssh to the local port.

I found a few of those in my logs, trying to access my ssh with the following names (user, guest, test, ...etc); it must have been an ssh scanner of some sort.
Then I found one IP address tried for 2:30 hours at 3 attempts per 10 seconds using root as a user every time, but of course there was no way it was gonna guess my password. However, I disabled remote ssh, and now I PPTP to my machine and ssh internally; my logs are clear now. I think the scan may have been to find a host, then there was the onslaught :)

And I did come across a lot of others saying that they had a few ssh attempts, but again as long as you have a nice password you should be ok.

Hope that helps
cheers
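The pattern described in the question and in the comment above (one address cycling through guessed usernames, or one address hammering root every few seconds) can be picked out of auth.log automatically. This is an added Python example, not code from the thread; the log lines are constructed with documentation-range addresses, and the thresholds (4 failures inside 60 seconds) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log lines in the format quoted in the question
# (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Sep 13 03:12:01 host sshd[4121]: Failed password for illegal user test from 203.0.113.7 port 41022 ssh2
Sep 13 03:12:04 host sshd[4123]: Failed password for illegal user guest from 203.0.113.7 port 41030 ssh2
Sep 13 03:12:08 host sshd[4125]: Failed password for illegal user user from 203.0.113.7 port 41041 ssh2
Sep 13 03:12:11 host sshd[4127]: Failed password for illegal user admin from 203.0.113.7 port 41055 ssh2
Sep 13 03:15:40 host sshd[4201]: Failed password for root from 198.51.100.9 port 52201 ssh2
Sep 13 03:15:43 host sshd[4203]: Failed password for root from 198.51.100.9 port 52204 ssh2
Sep 13 03:15:47 host sshd[4205]: Failed password for root from 198.51.100.9 port 52209 ssh2
Sep 13 03:15:50 host sshd[4207]: Failed password for root from 198.51.100.9 port 52213 ssh2
Sep 13 08:02:19 host sshd[5310]: Failed password for bob from 192.0.2.44 port 33112 ssh2
Sep 13 08:02:30 host sshd[5312]: Accepted password for bob from 192.0.2.44 port 33112 ssh2
"""
# "illegal user" is what sshd of that era logged for a non-existent account.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) .*sshd\[\d+\]: Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # year-less syslog stamp; only differences between stamps are used
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("ip")))
    return out

def brute_force_sources(log_text, min_failures=4, window_seconds=60):
    """Flag IPs with >= min_failures failures in some window_seconds span: {ip: {attempts, users}}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):  # sliding window over sorted timestamps
            j = i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= min_failures:
                flagged[ip] = {"attempts": len(events), "users": sorted({u for _, u in events})}
                break
    return flagged
```

A single failed login from a legitimate user (192.0.2.44 here) is left alone, which is the difference between a rate threshold and blocking on any failure.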

Author Comment

by:timothyking
ID: 12189092
These are the protocol lines in my sshd_config file.
What changes need to be made?
Thanks


Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
LVL 51

Expert Comment

by:ahoffmann
ID: 12189271
Protocol 2

or:

Protocol 2,1

and (if you want that):

PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
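A small checker for the directives discussed in this thread, run against a fragment modelled on the sshd_config timothyking posted. This is an added Python example, not code from the thread or from OpenSSH; the compiled-in defaults it assumes for commented-out directives (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, PermitEmptyPasswords no) are those of the OpenSSH 3.x era, which is what the posted '#Protocol 2,1' line indicates.

```python
import re
# Constructed fragment modelled on the sshd_config posted above (host-key
# lines omitted). Commented-out directives document defaults, not settings.
POSTED_CONFIG = """\
Port 22
#Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
"""

# Assumed compiled-in defaults for OpenSSH 3.x (the era of this thread). A
# commented-out line means the default applies, so '#Protocol 2,1' keeps v1 on.
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

def parse_sshd_config(text):
    """Return {directive_lower: value} for active lines. Like sshd, the first
    occurrence of a keyword wins; 'Key value' and 'Key=value' are accepted."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        settings.setdefault(key, value)
    return settings

def effective(settings, key):
    return settings.get(key, DEFAULTS[key])  # explicit setting, else assumed default

def audit(text):
    """Return the weaknesses raised in the thread that this config still has."""
    s = parse_sshd_config(text)
    findings = []
    if "1" in effective(s, "protocol").split(","):
        findings.append("protocol 1 enabled (set 'Protocol 2')")
    if effective(s, "permitrootlogin") != "no":
        findings.append("root may log in over ssh (set 'PermitRootLogin no')")
    if effective(s, "passwordauthentication") == "yes":
        findings.append("password auth enabled (use keys, 'PasswordAuthentication no')")
    if effective(s, "permitemptypasswords") != "no":
        findings.append("empty passwords allowed (set 'PermitEmptyPasswords no')")
    return findings
```

Against the posted fragment the checker reports three findings; with the settings suggested in the comment above it reports none.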

Author Comment

by:timothyking
ID: 12189314
Does the ssh service need to be restarted? And is there a way to test if the change has taken effect?

Thanks
LVL 51

Expert Comment

by:ahoffmann
ID: 12189608
Yes, restart.
Test if you can connect with protocol version 1:
   ssh -1 user@server -v

Author Comment

by:timothyking
ID: 12190582
Ok, while making the changes we got scanned again and the server froze. After rebooting the changes stuck (using PuTTY), but I found out my remote clients' software only supports protocol 1. An upgrade to the next version will fix that. Question: even though we change to protocol 2, will the login attempts/scans stop?

Thx

Author Comment

by:timothyking
ID: 12190671
Also if I was to change the Port # are there any limitations to what number I can use?
LVL 51

Expert Comment

by:ahoffmann
ID: 12191353
> will the login attempts/scans stop
no, they probably just stop after a few tries, see previous comments

> are there any limitations to what number I can use?
i.g. no, it must be a free port (not used by other services), and below 65334, for obvious reason ;-)
LVL 16

Expert Comment

by:xDamox
ID: 12191367
Hi,

There are no limits that I know of; just don't make it a port which is already used by another program.
Also the scans should stop now, because the SSH scanner would only attempt on protocol 1.

Expert Comment

by:murpellc
ID: 12206196
The best way to prevent this is to set up IPTables on the Linux server, then download a copy of PortSentry from Sourceforge.net. Once your IPTables are configured, install the PortSentry application and simply read over its simple INSTALL guide for your system.

With PortSentry, you can have it monitor a series of ports that seem to get 'attacked' a lot and have the application modify the IPTables 'on-the-fly' and block the offending IP address or domain, thus preventing them from reaching the box.

IPTables Wizard Site: http://innertek.com/fbuilder/fblite.shtml
PortSentry Site: http://sourceforge.net/projects/sentrytools/

-- Michael
