timothyking

asked on

ssh hack attempts

Was there some new ssh port scanner software released recently? We've been getting hammered with "Failed password for illegal user xxxx from xx.xxx.xx.xx port xxxx ssh2". Most of them originate from Korea. Is there a way to hide the login prompt or password protect it? For our business we do need the ssh port open for some remote logins.

Thanks
jlevie

Are your remote logins from fixed IPs? If they are, you could add firewall rules to only accept ssh connections from those known IPs. Otherwise I'd say to just make sure that you keep the ssh package up to date w/respect to vendor errata and to be sure that every user has a good password (7-8 characters, not a recognizable word or combination of words and including one or more non-alpha characters).

ASKER

They are not fixed IPs. I think I heard somewhere of a program that disguises the login prompt.
ASKER CERTIFIED SOLUTION
ahoffmann
How would I change the ssh port?
edit your /etc/ssh/sshd_conf, uncomment or insert something like:

Port 222
According to SANS, there are a lot of scans going on for systems vulnerable to some security holes that were fixed in OpenSSH 3.6p1, which was released just about exactly a year ago.

If you have not patched your SSH servers since then, you should do so ASAP.
You could disable all methods of authentication apart from public/private key pairs. That way they can hammer on the door all they like.
Follow http://www.terrafirmasolutions.com/hints/open_ssh.htm to get the keys set up and edit/add the option ChallengeResponseAuthentication no to /etc/sshd_config.
Whoops, that should have been /etc/ssh/sshd_config :)
Hi timothyking,

in your /etc/ssh/ssh_config
uncomment and change the following:

Port 222
Protocol 2

PermitRootLogin no
StrictModes yes

PasswordAuthentication yes
PermitEmptyPasswords no

this should help you a bit

What exactly is this changing?
"What exactly is this changing?" Are you asking me or xDamox? If it's me, it means no-one can log in without a private unique encryption key in ~/.ssh/identity which matches a unique public key on the server in ~/.ssh/authorised_keys2. If it's xDamox, it changes the port sshd listens on to 222, uses ssh protocol 2 (more secure than 1), does more strict checking, won't allow root to log in over ssh, forces ssh to ask for a password & won't allow an account to log in with a null (no) password.
The reason for the hammering is that there are still a large number of systems out there with protocol 1 enabled. As mentioned, protocol 1 had a fairly serious security issue identified with it, and if your setup supports protocol 1, then people will try to abuse it (even if you are up to date with your patches). By disabling protocol 1 as suggested by xDamox, people won't bother trying what you are seeing. They'll carry out the initial scan, realise that there is no protocol 1 to exploit, and then go off looking elsewhere.

...and you can log in as root using protocol 2......:)....although it is not recommended.
If I change to protocol 2, will the remote clients need to make any changes to their ssh software?

Thanks
if they do not probe for protocol 2 by default, you need to configure them properly
Could the port # stay at 22 or is 222 recommended?

Thx
Yes.
Hi timothyking,

as long as you are using ssh 2 and upwards and have a nice complex password you shouldn't have that much to worry about, but if you wanted to be extra safe, the best way is to disable remote ssh and pptp to it instead, then ssh to the local port.

i found a few of those in my logs, trying to access my ssh with the following names (user, guest, test, ...etc) it must have been an ssh scanner of some sort.
then i found one ip address tried for 2:30 hours at 3 attempts per 10 seconds using root as a user every time, but of course there was no way it was gonna guess my password, however i disabled remote ssh, and now i pptp to my machine and ssh internally, my logs are clear now, i think the scan may have been to find a host, then there was the onslaught :)

and i did come across a lot of others saying that they had a few ssh attempts, but again as long as you have a nice password you should be ok.

hope that helps
cheers
These are the protocol lines in my sshd_config file.
What changes need to be made?
Thanks


Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
Protocol 2

or:

Protocol 2,1

and (if you want that):

PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
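The hardened values above, checked by an added script (this is not code from the thread or from OpenSSH): it reads an sshd_config the way sshd does, keeping the first occurrence of each keyword, and reports the weak settings discussed in this thread. The defaults it assumes for keywords that are absent or commented out mirror the commented-out `#Protocol 2,1` in the asker's file (OpenSSH 3.x era; modern OpenSSH no longer supports protocol 1 at all). Both sample configs are constructed for the example.

```python
"""Audit an sshd_config for the weak settings discussed in the thread (added example)."""
import re

# Assumed defaults for keywords that are absent or commented out.
# They mirror the asker's '#Protocol 2,1' line (OpenSSH 3.x era defaults).
DEFAULTS = {
    "protocol": "2,1",
    "port": "22",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

KEYWORD_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")  # sshd accepts 'Key value' or 'Key=value'


def parse_sshd_config(text):
    """Return {keyword(lowercase): value}; like sshd, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the hardened settings are in place."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []

    protocols = {p.strip() for p in cfg["protocol"].split(",")}
    if "1" in protocols:
        findings.append("Protocol 1 enabled: set 'Protocol 2'")
    if cfg["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: consider key-only logins")

    try:
        port = int(cfg["port"])
    except ValueError:
        port = -1
    if not 1 <= port <= 65535:
        findings.append("Port is not a valid TCP port number")
    elif port == 22:
        findings.append("Port 22: moving to an unused port reduces scanner noise")
    return findings


# Constructed copy of the config fragment the asker pasted (Protocol commented out).
ASKER_CONFIG = """\
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
HostKey /usr/netmax/etc/ssh_host_key
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
"""

# Constructed config applying the settings recommended in the thread.
HARDENED_CONFIG = """\
Port 222
Protocol 2
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for name, text in (("asker", ASKER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or 'no findings'}")
```

Because sshd keeps the first value it sees, a `Port 22` left near the top of the file silently overrides a `Port 222` added further down; the parser reproduces that so the audit reports what sshd will actually use. The asker's fragment triggers four findings (protocol 1 via the default, root login, password authentication, port 22) and the hardened config none.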
Does the ssh service need to be restarted? And is there a way to test if the change has taken effect?

Thanks
yes, restart
Test if you can connect with protocol version 1
   ssh -1 user@server -v
Ok, while making the changes we got scanned again and the server froze. After rebooting the changes stuck (using Putty), but I found out my remote clients software only supports protocol 1. An upgrade to the next version will fix that. Question, even though we change to protocol 2 will the login attempts/scans stop?

Thx
Also if I was to change the Port # are there any limitations to what number I can use?
> will the login attempts/scans stop
no, they probably just stop after a few tries, see previous comments

> are there any limitations to what number I can use?
in general no, it must be a free port (not used by other services), and below 65334, for obvious reason ;-)
Hi,

there are no limits that I know of, don't make it a port which is used by another program using the port
also the scans should stop now because the SSH scanner would only attempt on protocol 1
The best way to prevent this is to setup IPTables on the Linux server, then download a copy of PortSentry from Sourceforge.net. Once your IPTables are configured, install the PortSentry application and simply read over its simple INSTALL guide for your system.

With PortSentry, you can have it monitor a series of ports that seem to get 'attacked' a lot and have the application modify the IPTables 'on-the-fly' and block the offending IP address or domain, thus preventing them from reaching the box.

IPTables Wizard Site: http://innertek.com/fbuilder/fblite.shtml
PortSentry Site: http://sourceforge.net/projects/sentrytools/

-- Michael
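The on-the-fly blocking described above, shown as an added Python example (this is not PortSentry's code nor anything posted in the thread): it parses the sshd failure lines quoted at the top of the thread, counts failures per source IP within a sliding time window, flags sources that exceed a threshold (the kind of burst the "3 attempts per 10 seconds" post described), and renders the iptables DROP rule a blocker would apply, as strings rather than executing them. The log lines, hostname and IP addresses are constructed; the threshold and window length are assumptions, and the "invalid user" wording is accepted alongside the older "illegal user" because newer OpenSSH logs it that way.

```python
"""Detect SSH password-guessing bursts in syslog lines and render block rules (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failure lines quoted in the thread, e.g.
#   Mar 10 03:12:03 gw sshd[2102]: Failed password for illegal user guest from 10.9.8.7 port 40011 ssh2
# "illegal user" is the older wording; newer OpenSSH logs "invalid user". Root/known users have no prefix.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-login line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year; relative deltas are all the window needs.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_bruteforcers(lines, max_failures=5, window_seconds=60):
    """Return {ip: sorted usernames tried} for sources with more than max_failures inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> every username that source tried
    flagged = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # slide the window: drop failures older than window_seconds
            q.popleft()
        if len(q) > max_failures:
            flagged[ip] = sorted(users[ip])
    return flagged


def block_rules(flagged, ssh_port=22):
    """Render one iptables DROP rule per flagged source (returned as strings, never executed here)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP" for ip in sorted(flagged)]


# Constructed sample: one source probes the usernames mentioned in the thread in a 20-second burst,
# with an unrelated failure an hour earlier; one legitimate key login; one stray failure elsewhere.
SAMPLE_LOG = [
    "Mar 10 02:00:00 gw sshd[2001]: Failed password for illegal user admin from 10.9.8.7 port 40001 ssh2",
    "Mar 10 03:12:00 gw sshd[2101]: Failed password for illegal user user from 10.9.8.7 port 40010 ssh2",
    "Mar 10 03:12:03 gw sshd[2102]: Failed password for illegal user guest from 10.9.8.7 port 40011 ssh2",
    "Mar 10 03:12:07 gw sshd[2103]: Failed password for illegal user test from 10.9.8.7 port 40012 ssh2",
    "Mar 10 03:12:10 gw sshd[2104]: Failed password for invalid user admin from 10.9.8.7 port 40013 ssh2",
    "Mar 10 03:12:14 gw sshd[2105]: Failed password for root from 10.9.8.7 port 40014 ssh2",
    "Mar 10 03:12:18 gw sshd[2106]: Failed password for root from 10.9.8.7 port 40015 ssh2",
    "Mar 10 03:15:42 gw sshd[2150]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2",
    "Mar 10 03:16:05 gw sshd[2151]: Failed password for alice from 10.5.5.5 port 51001 ssh2",
]

if __name__ == "__main__":
    hits = find_bruteforcers(SAMPLE_LOG)
    for ip, names in hits.items():
        print(f"{ip} tried {', '.join(names)}")
    for rule in block_rules(hits):
        print(rule)
```

The sliding window is what keeps a single mistyped password from being treated like a scanner: the failure at 02:00 from the same source falls out of the window before the burst starts, so only the six failures between 03:12:00 and 03:12:18 count, and the source is flagged on the sixth. With the default threshold only 10.9.8.7 is reported; raising `max_failures` to 10 reports nothing. Running the rendered rule requires root and, as the thread notes for PortSentry, should be paired with a whitelist of the addresses you administer from so a mistake cannot lock you out.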