Solved

ssh hack attempts

Posted on 2004-09-13
4,886 Views
Last Modified: 2010-04-22
Was there some new ssh port scanner software released recently? We've been getting hammered with "Failed password for illegal user xxxx from xx.xxx.xx.xx port xxxx ssh2". Most of them originate from Korea. Is there a way to hide the login prompt or password protect it? For our business we do need the ssh port open for some remote logins.

Thanks
Question by:timothyking
26 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12044379
Are your remote logins from fixed IPs? If they are, you could add firewall rules to only accept ssh connections from those known IPs. Otherwise I'd say to just make sure that you keep the ssh package up to date with respect to vendor errata and to be sure that every user has a good password (7-8 characters, not a recognizable word or combination of words, and including one or more non-alpha characters).
 

Author Comment

by:timothyking
ID: 12044455
They are not fixed IPs. I think I heard somewhere of a program that disguises the login prompt.
 
LVL 51

Accepted Solution

by:ahoffmann (earned 50 total points)
ID: 12044506
There are no bullet-proof methods to keep scanners away. You can just try to block them at firewall level, or use another port for ssh.

If you have an iptables firewall then see the '-m limit' option to keep out stupid attempts.
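The detection side of the "block them at firewall level" advice, as an added example that is not from the thread: it tallies the "Failed password ... from" lines the question quotes per source address inside a sliding time window and renders a DROP rule for any address that crosses a threshold. The log lines are constructed, the year is assumed (syslog omits it), and the iptables rules are only returned as strings, never executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the question; not real log data.
SAMPLE_LOG = """\
Sep 13 02:14:01 gw sshd[4120]: Failed password for illegal user test from 203.0.113.5 port 40211 ssh2
Sep 13 02:14:04 gw sshd[4121]: Failed password for illegal user guest from 203.0.113.5 port 40212 ssh2
Sep 13 02:14:08 gw sshd[4122]: Failed password for illegal user admin from 203.0.113.5 port 40213 ssh2
Sep 13 02:14:11 gw sshd[4123]: Failed password for root from 203.0.113.5 port 40214 ssh2
Sep 13 02:14:15 gw sshd[4124]: Failed password for illegal user user from 203.0.113.5 port 40215 ssh2
Sep 13 02:15:30 gw sshd[4130]: Failed password for tim from 198.51.100.7 port 51000 ssh2
Sep 13 02:15:40 gw sshd[4131]: Accepted password for tim from 198.51.100.7 port 51000 ssh2
Sep 13 03:40:00 gw sshd[4200]: Failed password for illegal user test from 192.0.2.9 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(\S+) from (\S+) port \d+"
)

def parse_failures(log_text, year=2004):
    """Yield (timestamp, username, source_ip) per failed-password line; caller supplies the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_offenders(log_text, threshold=5, window_seconds=600, year=2004):
    """Return {ip: peak failures inside any window} for sources at or above threshold."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text, year):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0          # sliding window over this IP's sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders

def block_rules(offenders, port=22):
    """Render one iptables DROP rule per offender as a string; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(offenders)]
```

With the sample input, only 203.0.113.5 (five failures in fourteen seconds) is reported; the single failure from the legitimate user and the lone probe from 192.0.2.9 stay below the threshold.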
 

Author Comment

by:timothyking
ID: 12044531
How would I change the ssh port?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12044617
Edit your /etc/ssh/sshd_conf, uncomment or insert something like:

Port 222
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 12047069
According to SANS, there are a lot of scans going on for systems vulnerable to some security holes that were fixed in OpenSSH 3.6p1, which was released just about exactly a year ago.

If you have not patched your SSH servers since then, you should do so ASAP.
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053083
You could disable all methods of authentication apart from public/private key pairs. That way they can hammer on the door all they like.
Follow http://www.terrafirmasolutions.com/hints/open_ssh.htm to get the keys set up and edit/add the option ChallengeResponseAuthentication no to /etc/sshd_config.
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12053085
Whoops, that should have been /etc/ssh/sshd_config :)
 
LVL 16

Expert Comment

by:xDamox
ID: 12059576
Hi timothyking,

in your /etc/ssh/ssh_config, uncomment and change the following:

Port 222
Protocol 2

PermitRootLogin no
StrictModes yes

PasswordAuthentication yes
PermitEmptyPasswords no

This should help you a bit.

 

Author Comment

by:timothyking
ID: 12063594
What exactly is this changing?
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 12068964
"What exactly is this changing?" Are you asking me or xDamox? If it's me, it means no-one can login without a private unique encryption key in ~/.ssh/identity which matches a unique public key on the server in ~/.ssh/authorised_keys2. If it's xDamox, it changes the port sshd listens on to 222, uses ssh protocol 2 (more secure than 1), does more strict checking, won't allow root to login over ssh, forces ssh to ask for a password & won't allow an account to login with a null (no) password.
 
LVL 22

Expert Comment

by:pjedmond
ID: 12100284
The reason for the hammering is that there are still a large number of systems out there with protocol 1 enabled. As mentioned, protocol 1 had a fairly serious security issue identified with it, and if your setup supports protocol 1, then people will try to abuse it (even if you are up to date with your patches). By disabling protocol 1 as suggested by xDamox, people won't bother trying what you are seeing. They'll carry out the initial scan, realise that there is no protocol 1 to exploit, and then go off looking elsewhere.

...and you can log in as root using protocol 2... :) ...although it is not recommended.
 

Author Comment

by:timothyking
ID: 12105297
If I change to protocol 2, will the remote clients need to make any changes to their ssh software?

Thanks
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12105455
If they do not probe for protocol 2 by default, you need to configure them properly.
 

Author Comment

by:timothyking
ID: 12105695
Could the port # stay at 22 or is 222 recommended?

Thx
 
LVL 40

Expert Comment

by:jlevie
ID: 12105998
Yes.
 
LVL 1

Expert Comment

by:funkusmunkus
ID: 12109052
Hi timothyking,

As long as you are using ssh 2 and upwards and have a nice complex password you shouldn't have that much to worry about, but if you wanted to be extra safe, the best way is to disable remote ssh and pptp to it instead, then ssh to the local port.

I found a few of those in my logs, trying to access my ssh with the following names (user, guest, test, ...etc); it must have been an ssh scanner of some sort.
Then I found one IP address tried for 2:30 hours at 3 attempts per 10 seconds using root as a user every time, but of course there was no way it was gonna guess my password. However I disabled remote ssh, and now I pptp to my machine and ssh internally; my logs are clear now. I think the scan may have been to find a host, then there was the onslaught :)

And I did come across a lot of others saying that they had a few ssh attempts, but again as long as you have a nice password you should be ok.

Hope that helps
cheers
 

Author Comment

by:timothyking
ID: 12189092
These are the protocol lines in my sshd_config file.
What changes need to be made?
Thanks


Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
HostKey /usr/netmax/etc/ssh_host_dsa_key
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12189271
Protocol 2

or:

Protocol 2,1

and (if you want that):

PermitRootLogin no
StrictModes yes
PasswordAuthentication no
PermitEmptyPasswords no
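An added example (not from the thread) that checks a file like the one posted above against the hardening listed here: it parses sshd_config the way sshd reads it (comment lines skipped, keywords case-insensitive, first occurrence wins) and reports which of Protocol, PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords and StrictModes still need changing. The sample config is constructed, and the defaults assumed for unset keywords are those of OpenSSH of the period.

```python
import re

# Constructed sshd_config fragment modelled on the one posted in the thread.
SAMPLE_SSHD_CONFIG = """\
Port 22
#Protocol 2,1
# HostKey for protocol version 1
HostKey /usr/netmax/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/netmax/etc/ssh_host_rsa_key
PermitRootLogin yes
"""

# Assumed defaults sshd applied at the time when a keyword was left unset.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "strictmodes": "yes"}
# Values recommended in the thread for the yes/no keywords.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
          "permitemptypasswords": "no", "strictmodes": "yes"}

def parse_sshd_config(text):
    """Effective keyword -> value map, following sshd's rules: lines starting with '#'
    and blank lines are comments, keywords are case-insensitive, and the first
    occurrence of a keyword wins (so a later duplicate does not override it)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)                 # first occurrence wins
    return effective

def audit(text):
    """List the keywords that still differ from the hardening recommended above;
    an empty list means the file already matches it."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if "1" in cfg["protocol"].replace(" ", "").split(","):
        findings.append(f"Protocol {cfg['protocol']}: protocol 1 still offered, set 'Protocol 2'")
    for key, want in WANTED.items():
        if cfg[key].lower() != want:
            findings.append(f"{key} is '{cfg[key]}', should be '{want}'")
    return findings
```

Note that a commented-out "#Protocol 2,1" does not disable protocol 1: the line is ignored and the default (which still includes 1) applies, which is why the audit flags the sample.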
 

Author Comment

by:timothyking
ID: 12189314
Does the ssh service need to be restarted? And is there a way to test if the change has taken effect?

Thanks
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12189608
Yes, restart.
Test if you can connect with protocol version 1:
   ssh -1 user@server -v
 

Author Comment

by:timothyking
ID: 12190582
Ok, while making the changes we got scanned again and the server froze. After rebooting the changes stuck (using PuTTY), but I found out my remote clients' software only supports protocol 1. An upgrade to the next version will fix that. Question: even though we change to protocol 2, will the login attempts/scans stop?

Thx
 

Author Comment

by:timothyking
ID: 12190671
Also if I was to change the Port # are there any limitations to what number I can use?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12191353
> will the login attempts/scans stop
No, they probably just stop after a few tries, see previous comments.

> are there any limitations to what number I can use?
In general no, it must be a free port (not used by other services), and below 65334, for obvious reasons ;-)
 
LVL 16

Expert Comment

by:xDamox
ID: 12191367
Hi,

there are no limits that I know of; don't make it a port which is used by another program.
Also, the scans should stop now because the SSH scanner would only attempt on protocol 1.
 

Expert Comment

by:murpellc
ID: 12206196
The best way to prevent this is to set up IPTables on the Linux server, then download a copy of PortSentry from Sourceforge.net. Once your IPTables are configured, install the PortSentry application and simply read over its simple INSTALL guide for your system.

With PortSentry, you can have it monitor a series of ports that seem to get 'attacked' a lot and have the application modify the IPTables 'on-the-fly' and block the offending IP address or domain, thus preventing them from reaching the box.

IPTables Wizard Site: http://innertek.com/fbuilder/fblite.shtml
PortSentry Site: http://sourceforge.net/projects/sentrytools/

-- Michael
