Solved

ssh hack attempts

Posted on 2004-09-13
26
4,874 Views
Last Modified: 2010-04-22
Was there some new ssh port scanner software released recently? We've been getting hammered with "Failed password for illegal user xxxx from xx.xxx.xx.xx port xxxx ssh2". Most of them originate from Korea. Is there a way to hide the login prompt or password protect it? For our business we do need the ssh port open for some remote logins.

Thanks
0
Comment
Question by:timothyking
26 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12044379
Are your remote logins from fixed IP's? If they are you could add firewall rules to only accept ssh connections from those known IP's. Otherwise I'd say to just make sure that you keep the ssh package up to date w/respect to vendor errata and to be sure that every user has a good password (7-8 characters, not a recognizable word or combination of words and including one or more non-alpha characters).
0
 

Author Comment

by:timothyking
ID: 12044455
They are not fixed ip's. I think I heard somewhere of a program that disguises the login prompt.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 12044506
There are no bullet-proof methods to keep scanners away. You can just try to block them at firewall level, or use another port for ssh.

If you have an iptables firewall then see the '-m limit' option to keep out stupid attempts.
0
 

Author Comment

by:timothyking
ID: 12044531
How would I change the ssh port?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12044617
edit your /etc/ssh/sshd_conf, uncomment or insert something like:

Port 222
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 12047069
According to SANS, there are a lot of scans going on for systems vulnerable to some security holes that were fixed in OpenSSH 3.6p1, which was released just about exactly a year ago.

If you have not patched your SSH servers since then, you should do so ASAP.
0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053083
You could disable all methods of authentication apart from public/private key pairs. That way they can hammer on the door all they like.
Follow http://www.terrafirmasolutions.com/hints/open_ssh.htm to get the keys set up and edit/add the option ChallengeResponseAuthentication no to /etc/sshd_config.
0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053085
Whoops, that should have been /etc/ssh/sshd_config :)
0
 
LVL 16

Expert Comment

by:xDamox
ID: 12059576
Hi timothyking,

in your /etc/ssh/ssh_config
uncomment and change the following:

Port 222
Protocol 2

PermitRootLogin no
StrictModes yes

PasswordAuthentication yes
PermitEmptyPasswords no

this should help you a bit

0
 

Author Comment

by:timothyking
ID: 12063594
What exactly is this changing?
0
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12068964
" What exactly is this changing?" Are you asking me or xDamox? If its me it means no-one can login without a private  unique encryption key in ~/.ssh/identity which matches a  unique public key on the server in ~.ssh/authorised_keys2. If its xdamox, it changes the port sshd listens on to 222, uses ssh protocol 2 (more secure than 1), does more strict checking, wont allow root to login over ssh, forces ssh to ask for a password & wont allow an account to login with a null (no) password.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 12100284
The reason for the hammering is that there are still a large number of systems out there with protocol 1 enabled. As mentioned, protocol 1 had a fairly serious security issue identified with it, and if your setup supports protocol 1, then people will try to abuse it (even if you are up to date with your patches). By disabling protocol 1 as suggested by xDamox, people won't bother trying what you are seeing. They'll carry out the initial scan, realise that there is no protocol 1 to exploit, and then go off looking elsewhere.

...and you can log in as root using protocol 2......:)....although it is not recommended.
0
 

Author Comment

by:timothyking
ID: 12105297
If I change to protocol 2, will the remote clients need to make any changes to their ssh software?

Thanks
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12105455
if they do not probe for protocol 2 by default, you need to configure them properly
0
 

Author Comment

by:timothyking
ID: 12105695
Could the port # stay at 22 or is 222 recommended?

Thx
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12105998
Yes.
0
 
LVL 1

Expert Comment

by:funkusmunkus
ID: 12109052
Hi timothyking,

as long as you are using ssh 2 and upwards and have a nice complex password you shouldn't have that much to worry about, but if you wanted to be extra safe, the best way is to disable remote ssh and pptp to it instead, then ssh to the local port.

I found a few of those in my logs, trying to access my ssh with the following names (user, guest, test, ...etc); it must have been an ssh scanner of some sort.
Then I found one ip address tried for 2:30 hours at 3 attempts per 10 seconds using root as a user every time, but of course there was no way it was gonna guess my password; however I disabled remote ssh, and now I pptp to my machine and ssh internally. My logs are clear now. I think the scan may have been to find a host, then there was the onslaught :)

and I did come across a lot of others saying that they had a few ssh attempts, but again as long as you have a nice password you should be ok.

hope that helps
cheers
0
 

Author Comment

by:timothyking
ID: 12189092
These are the protocol lines in my sshd_config file.
What changes need to be made?
Thanks


Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12189271
Protocol 2

or:

Protocol 2,1

and (if you want that):

PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
0
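A worked check for the directives ahoffmann and xDamox list, as an added example rather than anything posted in this thread: the script parses an sshd_config (the server file, /etc/ssh/sshd_config), reports which of those settings are still weak, and writes a hardened copy with protocol 1 and password logins switched off. The sample config is constructed to mirror the lines timothyking posted; the DEFAULTS table is the assumed behaviour of an OpenSSH sshd of that era when a directive is absent (Protocol defaulted to "2,1" until OpenSSH 5.4), and the protocol-1 host key is recognised by its conventional file name ssh_host_key.

```python
"""Audit an sshd_config for the settings discussed in the thread and emit a
hardened copy.  Added example, not code from the original posts.
SAMPLE_CONFIG is constructed to mirror the lines timothyking posted; use
open('/etc/ssh/sshd_config').read() for a real server."""

import re

# Target values: ahoffmann's list plus owensleftfoot's key-only suggestion.
HARDENED = {
    "Protocol": "2",                          # drop protocol 1 entirely
    "PermitRootLogin": "no",
    "StrictModes": "yes",
    "PasswordAuthentication": "no",           # public keys only
    "PermitEmptyPasswords": "no",
    "ChallengeResponseAuthentication": "no",  # otherwise PAM may still prompt for a password
}

# Assumed defaults of an OpenSSH 3.x sshd when a directive is absent, so a
# missing directive is still reported (Protocol defaulted to "2,1" until 5.4).
DEFAULTS = {
    "Protocol": "2,1", "PermitRootLogin": "yes", "StrictModes": "yes",
    "PasswordAuthentication": "yes", "PermitEmptyPasswords": "no",
    "ChallengeResponseAuthentication": "yes",
}

SAMPLE_CONFIG = """\
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key

PermitRootLogin yes
PasswordAuthentication yes
"""

DIRECTIVE = re.compile(r"^(\w+)\s+(.+?)$")

def _active(line):
    """(name, value) for an uncommented directive line, else None."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = DIRECTIVE.match(s)
    return (m.group(1), m.group(2)) if m else None

def is_v1_hostkey(path):
    """Protocol-1 host keys are conventionally named ssh_host_key (no algorithm suffix)."""
    return path.rsplit("/", 1)[-1] == "ssh_host_key"

def parse(text):
    """Active directives as {name: first value} (sshd honours the first
    occurrence); HostKey may repeat, so it is returned separately as a list."""
    active, hostkeys = {}, []
    for line in text.splitlines():
        d = _active(line)
        if d is None:
            continue
        if d[0] == "HostKey":
            hostkeys.append(d[1])
        else:
            active.setdefault(d[0], d[1])
    return active, hostkeys

def audit(text):
    """List of (directive, current, wanted) for every setting still weak."""
    active, hostkeys = parse(text)
    findings = []
    for name, wanted in HARDENED.items():
        current = active.get(name, DEFAULTS[name])
        weak = "1" in current.split(",") if name == "Protocol" else current.lower() != wanted
        if weak:
            findings.append((name, current, wanted))
    for path in hostkeys:
        if is_v1_hostkey(path):
            findings.append(("HostKey", path, "remove (protocol 1 key)"))
    return findings

def harden(text):
    """Rewrite the config: the first occurrence of each HARDENED directive is
    set to its target value, later duplicates and protocol-1 HostKey lines are
    commented out, and directives that were absent are appended at the end."""
    out, seen = [], set()
    for line in text.splitlines():
        d = _active(line)
        if d and d[0] in HARDENED:
            if d[0] in seen:
                out.append("#" + line)          # duplicate: sshd would ignore it anyway
            else:
                out.append(f"{d[0]} {HARDENED[d[0]]}")
                seen.add(d[0])
        elif d and d[0] == "HostKey" and is_v1_hostkey(d[1]):
            out.append("#" + line)              # protocol 1 host key disabled
        else:
            out.append(line)
    for name, value in HARDENED.items():
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, cur, want in audit(SAMPLE_CONFIG):
        print(f"{name}: is '{cur}', want '{want}'")
    print(harden(SAMPLE_CONFIG))
```

Write the hardened text back to /etc/ssh/sshd_config, restart sshd, and keep your current session open while you confirm from a second terminal that key-based login still works and that `ssh -1 -v user@server` is refused; only then close the old session. With PasswordAuthentication off, every remote user needs a key in authorized_keys before the restart, or they are locked out along with the scanners.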
 

Author Comment

by:timothyking
ID: 12189314
Does the ssh service need to be restarted? And is there a way to test if the change has taken effect?

Thanks
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12189608
yes, restart
Test if you can connect with protocol version 1
   ssh -1 user@server -v
0
 

Author Comment

by:timothyking
ID: 12190582
Ok, while making the changes we got scanned again and the server froze. After rebooting the changes stuck (using Putty), but I found out my remote clients software only supports protocol 1. An upgrade to the next version will fix that. Question, even though we change to protocol 2 will the login attempts/scans stop?

Thx
0
 

Author Comment

by:timothyking
ID: 12190671
Also if I was to change the Port # are there any limitations to what number I can use?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12191353
> will the login attempts/scans stop
no, they probably just stop after a few tries, see previous comments

> are there any limitations to what number I can use?
i.g. no, it must be a free port (not used by other services), and below 65334, for obvious reason ;-)
0
 
LVL 16

Expert Comment

by:xDamox
ID: 12191367
Hi,

there are no limits that I know of; just don't make it a port which is already used by another program.
Also the scans should stop now because the SSH scanner would only attempt on protocol 1.
0
 

Expert Comment

by:murpellc
ID: 12206196
The best way to prevent this is to set up IPTables on the Linux server, then download a copy of PortSentry from Sourceforge.net. Once your IPTables are configured, install the PortSentry application and simply read over its simple INSTALL guide for your system.

With PortSentry, you can have it monitor a series of ports that seem to get 'attacked' a lot and have the application modify the IPTables 'on-the-fly' and block the offending IP address or domain, thus preventing them from reaching the box.

IPTables Wizard Site: http://innertek.com/fbuilder/fblite.shtml
PortSentry Site: http://sourceforge.net/projects/sentrytools/

-- Michael

0
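The on-the-fly blocking murpellc describes with PortSentry, and the '-m limit' gate from the accepted answer, reduced to a small script as an added example (not PortSentry's code and not from any post in this thread): it parses sshd "Failed password" lines from a syslog-style log, finds source addresses that exceed a failure threshold inside a sliding time window, and returns the iptables commands that would drop them, together with the rate-limit rules. The log lines are constructed samples in the format the original question quotes, using documentation address ranges; the threshold, window, and the exact iptables rules are assumptions for illustration.

```python
"""Find brute-force SSH sources in syslog-style sshd output and emit the
iptables commands that would block them.  Added example; not PortSentry's
code and not from the original posts.
LOG is constructed sample data in the format timothyking quoted, using
documentation address ranges.  For real use pass open('/var/log/auth.log')
(or /var/log/secure on Red Hat-style systems) to offenders()."""

import re
from collections import defaultdict
from datetime import datetime

LOG = """\
Sep 13 03:12:01 gw sshd[4711]: Failed password for illegal user test from 203.0.113.7 port 51234 ssh2
Sep 13 03:12:04 gw sshd[4713]: Failed password for illegal user guest from 203.0.113.7 port 51240 ssh2
Sep 13 03:12:07 gw sshd[4715]: Failed password for illegal user admin from 203.0.113.7 port 51251 ssh2
Sep 13 03:12:09 gw sshd[4717]: Failed password for root from 203.0.113.7 port 51260 ssh2
Sep 13 03:12:12 gw sshd[4719]: Failed password for root from 203.0.113.7 port 51266 ssh2
Sep 13 03:15:40 gw sshd[4801]: Failed password for tking from 198.51.100.22 port 40012 ssh2
Sep 13 03:15:58 gw sshd[4802]: Accepted password for tking from 198.51.100.22 port 40013 ssh2
Sep 13 04:40:00 gw sshd[5102]: Failed password for illegal user user from 198.51.100.9 port 33001 ssh2
Sep 13 05:40:00 gw sshd[5110]: Failed password for illegal user user from 198.51.100.9 port 33002 ssh2
"""

# "illegal user" is the OpenSSH 3.x wording; later versions say "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_failures(lines):
    """Yield (timestamp, ip, user) per failed-password line; anything else
    (accepted logins, other daemons) is skipped."""
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if m:
            # syslog carries no year; strptime fills in 1900, fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")

def offenders(lines, threshold=5, window=600):
    """{ip: failures_in_worst_window} for every source with at least
    `threshold` failures inside some `window`-second span (sliding window)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo, worst = 0, 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window:
                lo += 1
            worst = max(worst, hi - lo + 1)
        if worst >= threshold:
            hits[ip] = worst
    return hits

def block_rules(hits, port=22):
    """iptables commands (returned, not executed) dropping each offender's SSH
    traffic; inserted at the top of INPUT so they win over any ACCEPT below."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(hits)]

def rate_limit_rules(port=22, per_minute=3, burst=5):
    """The '-m limit' gate from the accepted answer: after a burst of `burst`
    new connections, accept only `per_minute` per minute and drop the rest."""
    return [
        f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW "
        f"-m limit --limit {per_minute}/minute --limit-burst {burst} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -j DROP",
    ]

if __name__ == "__main__":
    hits = offenders(LOG.splitlines())
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} failed logins inside one window")
    print("\n".join(rate_limit_rules() + block_rules(hits)))
```

Two caveats before wiring this to a cron job or a log tail. `-m limit` counts matches globally, not per source, so one scanner hammering the port also throttles your own staff; per-source limiting needs `-m recent` or `hashlimit`, which is why the per-address DROP list above is kept separate. And any automatic blocker needs an allowlist for the addresses you administer from, an expiry for old entries, and an ESTABLISHED,RELATED accept rule ahead of the NEW-connection rules, otherwise the first thing it locks out is you.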
