Julian Parker
asked on
bye bye messages from ssh attempts
Hi All,
This is really just out of curiosity. I get loads of messages which look something like:
Received disconnect from 129.1.64.81: 11: Bye Bye
Now I'm happy I'm OK and I have denyhosts enabled and secure passwords etc etc
I was wondering what is used to generate the "Bye Bye" message...
Anyone know?
If you do not have the rights to configure your FW, you can also configure the hosts.allow file to minimize these occurrences...
Please refer to these articles and threads to figure out the best way to resolve your problem (or at least minimize it).
http://closedsrc.org/_static/dn-articles/hosts_allow.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-May/122583.html
Really, it's just background noise. I did a bit of checking, and of the three scripts I could find that left this trace in the log, they did so by use of a freeware ssh library called "libssh" (logically enough), for which this is the default disconnect string.
If you *really* want security from ssh, disallow password logins entirely and require use of a client RSA or DSA key to gain access.
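The setting change DaveHowe recommends is a one-line edit, but it is easy to get wrong because sshd honours the first uncommented occurrence of a keyword and a commented-out line changes nothing. The following is an added example (not code from the thread) that reads an sshd_config the way sshd does and reports whether password logins are actually off; the two sample configs are constructed, and the keyword names and defaults are OpenSSH's.

```python
import re

# Added example: audit an sshd_config for "key-only" login settings.
# Assumes OpenSSH keyword names. sshd takes the FIRST uncommented occurrence
# of a keyword, and lines after a "Match" block apply only conditionally,
# so parsing stops there.

# Constructed sample configs. The "weak" one looks hardened at a glance, but the
# PasswordAuthentication line is commented out, so the default (yes) applies.
WEAK_CONFIG = """\
Port 22
# PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
"""


def sshd_option(config_text, keyword, default):
    """Effective value of keyword: first uncommented match wins (keywords are case-insensitive)."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        if parts[0].lower() == "match":
            break  # everything below applies only inside the Match block
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means no password-based login path is left on."""
    findings = []
    # OpenSSH defaults when the keyword is absent: all three are "yes"
    if sshd_option(config_text, "PasswordAuthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if sshd_option(config_text, "ChallengeResponseAuthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication should be 'no' "
                        "(with UsePAM, keyboard-interactive can still prompt for a password)")
    if sshd_option(config_text, "PubkeyAuthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and keep a second session open while you test: with PasswordAuthentication off, a missing authorized_keys entry locks you out too.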
DaveHowe,
I agree with you about background noise, but if there is a particular IP address that is always attempting... why not block it out completely and minimize a potential hacking opportunity altogether.
T
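Deciding which addresses are "always attempting" is just counting the log line from the question per source. The following is an added example (not code from the thread or from denyhosts) that tallies "Bye Bye" disconnects per address and renders hosts.deny entries for the repeat offenders; the log lines are constructed samples using documentation addresses, the threshold is an assumption, and the hosts.deny lines only have effect where sshd was built with TCP wrappers support, as the hosts.allow article above describes.

```python
import re
from collections import Counter

# Added example: count "Bye Bye" disconnects per source address in auth-log lines
# and produce hosts.deny entries for addresses over a threshold.
# Reason code 11 is SSH_DISCONNECT_BY_APPLICATION (RFC 4253); "Bye Bye" is the
# text the client chose, which is why it identifies the client library, not the user.

# Constructed sample log lines in the shape shown in the question (the last one
# uses the newer OpenSSH layout with "port N" and a "[preauth]" suffix).
SAMPLE_LOG = """\
Apr 12 03:14:01 host sshd[2231]: Received disconnect from 192.0.2.10: 11: Bye Bye
Apr 12 03:14:03 host sshd[2234]: Received disconnect from 192.0.2.10: 11: Bye Bye
Apr 12 03:14:05 host sshd[2237]: Received disconnect from 192.0.2.10: 11: Bye Bye
Apr 12 03:15:40 host sshd[2250]: Received disconnect from 198.51.100.7: 11: disconnected by user
Apr 12 03:16:02 host sshd[2261]: Received disconnect from 203.0.113.5: 11: Bye Bye
Apr 12 03:16:30 host sshd[2270]: Accepted publickey for julian from 198.51.100.7 port 51022 ssh2
Apr 12 03:17:11 host sshd[2281]: Received disconnect from 203.0.113.5 port 40122:11: Bye Bye [preauth]
"""

DISCONNECT_RE = re.compile(
    r"Received disconnect from (?P<ip>[0-9a-fA-F.:]+)(?: port \d+)?:\s*"
    r"(?P<code>\d+): (?P<msg>.*?)(?: \[preauth\])?$"
)


def bye_bye_counts(log_text):
    """Count disconnects with reason code 11 and the text 'Bye Bye', keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m and m.group("code") == "11" and m.group("msg").strip() == "Bye Bye":
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_lines(counts, threshold=3):
    """hosts.deny entries for addresses seen at least `threshold` times (threshold is an assumption)."""
    return ["sshd: %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    counts = bye_bye_counts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print("%-16s %d" % (ip, n))
    print("\n".join(hosts_deny_lines(counts)))
```

A single "Bye Bye" is not worth blocking (scanners come from many addresses, and a block list grows without bound), which is why the threshold matters; this is also the reason the scripts in the thread leave so many of these lines: every failed guess is a fresh connection and a fresh disconnect.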
ASKER
Thanks Dave,
So if the message is logged as "Bye Bye" I can almost guarantee it is a hack attempt by someone using a "haxxor script" rather than someone making a mistake and guessing the address wrong.
That's great.... I've been hit a lot by the IP address above, which seems to belong to an educational establishment in Ohio, USA. I may, if it continues, get in touch with their abuse account to see if they can have a word in the offender's shell-like, or perhaps shut down the offending server if it's been compromised.
As I said before, I'm happy my setup is secure, I just wondered what generated the Bye Bye message in the logs.
ASKER
Dave,
You mentioned in http:#a24122384 that you found three scripts. Do you have the names? I'd like to do a bit more digging around.
I've been logging the connections using wireshark and netcat.
One was from 'haita team' (sshf.c) and another was sshbrute.c from 'lizard', which credits haita team for some code. The third was a scanning module for metasploit, but as I say, the commonality is use of http://0xbadc0de.be/wiki/ (not to be confused with http://www.libssh2.org/, which has a similar name).
This would appear to be applicable too:
http://it.slashdot.org/article.pl?sid=09/04/12/2110257
ASKER
Thanks Dave, all the comments have been most helpful.
You can tighten your firewall to allow only valid users,
or
check this out...
http://www.it-slav.net/blo